Browse Exploit & Auxiliary Modules

The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.

2Wire Cross-Site Request Forgery Password Reset Vulnerability

This module will reset the admin password on a 2Wire wireless router. This is done by using the /xslt page where authentication is not required, thus allowing configuration changes (such as resetting the password) as administrators.

Veritas Backup Exec Windows Remote File Access

This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash.

Veritas Backup Exec Server Registry Access

This module exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes.

Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access

This module tests for a logic vulnerability in the Cisco VPN Concentrator 3000 series. It is possible to execute some FTP statements without authentication (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs when working with CWD commands. This module simply creates an arbitrary directory, verifies that the directory has been created, then deletes it and verifies deletion to confirm the bug.

IBM DB2 db2rcmd.exe Command Execution Vulnerability

This module exploits a vulnerability in the Remote Command Server component in IBM's DB2 Universal Database 8.1. An authenticated attacker can send arbitrary commands to the DB2REMOTECMD named pipe which could lead to administrator privileges.

Novell eDirectory DHOST Predictable Session Cookie

This module is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, then specify the predicted cookie value to hijack their session.

Novell eDirectory eMBox Unauthenticated File Access

This module will access Novell eDirectory's eMBox service and can run the following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES, STOP_SERVICE, START_SERVICE, SET_LOGFILE.

EMC AlphaStor Device Manager Arbitrary Command Execution

EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.

EMC AlphaStor Library Manager Arbitrary Command Execution

EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.

Titan FTP XCRC Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By sending multiple XCRC commands, it is possible to disclose the contents of any file on the drive with a simple CRC "brute force" attack. Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server's root directory.

ContentKeeper Web Appliance mimencode File Access

This module abuses the 'mimencode' binary present within ContentKeeper Web filtering appliances to retrieve arbitrary files outside of the webroot.

HP Web JetAdmin 6.5 Server Arbitrary Command Execution

This module abuses a command execution vulnerability within the web based management console of the Hewlett-Packard Web JetAdmin network printer tool v6.2 - v6.5. It is possible to execute commands as SYSTEM without authentication. The vulnerability also affects POSIX systems, however at this stage the module only works against Windows. This module does not apply to HP printers.

Iomega StorCenter Pro NAS Web Authentication Bypass

The Iomega StorCenter Pro Network Attached Storage device web interface increments session IDs, allowing for simple brute force attacks to bypass authentication and gain administrative access.

JBoss Seam 2 Remote Command Execution

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

Tomcat Administration Tool Default Access

Detect the Tomcat administration interface.

Tomcat UTF-8 Directory Traversal Vulnerability

This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the vulnerability actually occurs within Java and not Tomcat; the server must use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change FILE (hosts, sensitive files), MAXDIRS and RPORT depending on your environment.

TrendMicro Data Loss Prevention 5.5 Directory Traversal

This module tests whether a directory traversal vulnerability is present in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294. The vulnerability appears to be actually caused by the Tomcat UTF-8 bug which is implemented in module tomcat_utf8_traversal (CVE-2008-2938). This module simply tests for the same bug with Trend Micro specific settings. Note that in the Trend Micro appliance, /etc/shadow is not used and therefore password hashes are stored and anonymously accessible in the passwd file.

TYPO3 sa-2009-001 Weak Encryption Key File Disclosure

This module exploits a flaw in the TYPO3 encryption key creation process to allow for file disclosure in the jumpUrl mechanism. This flaw can be used to read any file that the web server user account has access to view.

Typo3 sa-2009-002 File Disclosure

This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to.

TYPO3 sa-2010-020 Remote File Disclosure

This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes. Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0. This flaw can be used to read any file that the web server user account has access to view.

TYPO3 Winstaller default Encryption Keys

This module exploits known default encryption keys found in the TYPO3 Winstaller. This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be used to read any file that the web server user account has access to view. The method used to create the juhash (short MD5 hash) was altered in later versions of Typo3. Use the show actions command to display and select the version of TYPO3 in use (defaults to the older method of juhash creation).

SAP MaxDB cons.exe Remote Command Injection

SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.

Motorola WR850G v4.03 Credentials

Login credentials to the Motorola WR850G router with firmware v4.03 can be obtained via a simple GET request if issued while the administrator is logged in. A lot more information is available through this request, but you can get it all and more after logging in.

Microsoft Host Integration Server 2006 Command Execution Vulnerability

This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.

Microsoft SQL Server Configuration Enumerator

This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.

Microsoft SQL Server xp_cmdshell Command Execution

This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password are required to use this module.

Microsoft SQL Server - Interesting Data Finder

This module will search the specified MSSQL server for 'interesting' columns and data. The module has been tested against SQL Server 2005 but it should also work on SQL Server 2008. The module will not work against SQL Server 2000 at this time; if you are interested in supporting this platform, please contact the author.

Microsoft SQL Server Generic Query

This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given the appropriate credentials.

MySQL Enumeration Module

This module allows for simple enumeration of a MySQL Database Server, provided proper credentials to connect remotely are supplied.

MySQL SQL Generic Query

This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.

NAT-PMP port mapper

Map (forward) TCP and UDP ports on NAT devices using NAT-PMP.

TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access

This module tests for directory traversal vulnerability in the UpdateAgent function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM via dot dot sequences in an HTTP request.

Oracle SMB Relay Code Execution

This module will help you to get Administrator access to the OS using an unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges). To do this you must first run the smb_sniffer or smb_relay module on your server. Then you must connect to the Oracle database and run this module, Ora_NTLM_stealer.rb, which will connect to your SMB server with the credentials of the Oracle RDBMS. So if smb_relay is working, you will get Administrator access to the server which runs Oracle. If not, then you can decrypt the HALFLM hash.

Oracle Account Discovery

This module uses a list of well known default authentication credentials to discover easily guessed accounts.

Oracle SQL Generic Query

This module allows for simple SQL statements to be executed against an Oracle instance given the appropriate credentials and SID.

Oracle Database Enumeration

This module provides a simple way to scan an Oracle database server for configuration parameters that may be useful during a penetration test. Valid database credentials must be provided for this module to run.

Oracle Secure Backup exec_qr() Command Injection Vulnerability

This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.

Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).
Oracle Java execCommand (Win32)

This module will create a Java class which enables the execution of OS commands.

Oracle URL Download

This module will create a Java class which enables the download of a binary from a web server to the Oracle filesystem.

Oracle TNS Listener SID Brute Forcer

This module simply attempts to discover the protected SID.

Oracle TNS Listener Command Issuer

This module allows for the sending of arbitrary TNS commands in order to gather information. Inspired by tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd.

UoW pop2d Remote File Retrieval Vulnerability

This module exploits a vulnerability in the FOLD command of the University of Washington ipop2d service. By specifying an arbitrary folder name it is possible to retrieve any file which is world or group readable by the user ID of the POP account. This vulnerability can only be exploited with a valid username and password. The From address is the file owner.

PostgreSQL Server Generic Query

This module imports a file local on the PostgreSQL Server into a temporary table, reads it, and then drops the temporary table. It requires PostgreSQL credentials with table CREATE privileges as well as read privileges to the target file.

PostgreSQL Server Generic Query

This module will allow for simple SQL statements to be executed against a PostgreSQL instance given the appropriate credentials.

SAP Management Console OSExecute

This module allows execution of operating system commands through the SAP Management Console SOAP Interface. A valid username and password must be provided.

Interactive Graphical SCADA System Remote Command Injection

This module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.

TrendMicro ServerProtect File Access

This module exploits a remote file access flaw in the ServerProtect Windows Server RPC service. Please see the action list (or the help output) for more information.

SMB Scanner Check File/Directory Utility

This module is useful when checking an entire network of SMB hosts for the presence of a known file or directory. An example would be to scan all systems for the presence of antivirus software or a known malware outbreak. Typically you must set RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.

Samba Symlink Directory Traversal

This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.

SMB File Upload Utility

This module uploads a file to a target share and path. The only reason to use this module is if your existing SMB client is not able to support the features of the Metasploit Framework that you need, like pass-the-hash authentication.

Solaris KCMS + TTDB Arbitrary File Read

This module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. By utilizing the ToolTalk Database Server's TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both kcms_server and rpc.ttdbserverd must be running on the target host.

TFTP File Transfer Utility

This module will transfer a file to or from a remote TFTP server. Note that the target must be able to connect back to the Metasploit system, and NAT traversal for TFTP is often unsupported. Two actions are supported: "Upload" and "Download," which behave as one might expect -- use 'set action Actionname' to use either mode of operation. If "Download" is selected, at least one of FILENAME or REMOTE_FILENAME must be set. If "Upload" is selected, either FILENAME must be set to a valid path to a source file, or FILEDATA must be populated. FILENAME may be a fully qualified path, or the name of a file in the Msf::Config.local_directory or Msf::Config.data_directory.

TikiWiki information disclosure

A vulnerability has been reported in Tikiwiki, which can be exploited by an anonymous user to dump the MySQL user & passwd just by creating a MySQL error with the "sort_mode" var. The vulnerability was reported in Tikiwiki version 1.9.5.

RealVNC NULL Authentication Mode Bypass

This module exploits an authentication bypass vulnerability in RealVNC Server versions 4.1.0 and 4.1.1. It sets up a proxy listener on LPORT and proxies to the target server. The AUTOVNC option requires that vncviewer be installed on the attacking machine.

Apple Airport Extreme Password Extraction (WDBRPC)

This module can be used to read the stored password of a vulnerable Apple Airport Extreme access point. Only a small number of firmware versions have the WDBRPC service running, however the factory configuration was vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are susceptible to this issue. Once the password is obtained, the access point can be managed using the Apple AirPort utility.

D-Link i2eye Video Conference AutoAnswer (WDBRPC)

This module can be used to enable auto-answer mode for the D-Link i2eye video conferencing system. Once this setting has been flipped, the device will accept incoming video calls without acknowledgement. The NetMeeting software included in Windows XP can be used to connect to this device. The i2eye product is no longer supported by the vendor and all models have reached their end of life (EOL).

VxWorks WDB Agent Remote Memory Dump

This module provides the ability to dump the system memory of a VxWorks target through WDBRPC.

VxWorks WDB Agent Remote Reboot

This module provides the ability to reboot a VxWorks target through WDBRPC.

Webmin file disclosure

A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by an unspecified error within the handling of a URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).

Zend Server Java Bridge Design Flaw Remote Code Execution

This module abuses a flaw in the Zend Java Bridge Component of the Zend Server Framework. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. NOTE: This module has only been tested with the Win32 build of the software.

John the Ripper AIX Password Cracker

This module uses John the Ripper to identify weak passwords that have been acquired from passwd files on AIX systems.

John the Ripper Password Cracker (Fast Mode)

This module uses John the Ripper to identify weak passwords that have been acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be used outside of Metasploit. This initial version just handles LM/NTLM credentials from hashdump and uses the standard wordlist and rules.

John the Ripper Linux Password Cracker

This module uses John the Ripper to identify weak passwords that have been acquired from unshadowed passwd files from Unix systems. The module will only crack MD5 and DES implementations by default. Set Crypt to true to also try to crack Blowfish and SHA implementations. Warning: This is much slower.

John the Ripper MS SQL Password Cracker (Fast Mode)

This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.

John the Ripper MySQL Password Cracker (Fast Mode)

This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.

John the Ripper Oracle Password Cracker (Fast Mode)

This module uses John the Ripper to identify weak passwords that have been acquired from the oracle_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.

Unix Unshadow Utility

This module takes a passwd and shadow file and 'unshadows' them and saves them as linux.hashes loot.

Postgres SQL md5 Password Cracker

This module attempts to crack Postgres SQL md5 password hashes. It creates hashes based on information saved in the MSF Database such as hostnames, usernames, passwords, and database schema information. The user can also supply an additional external wordlist if they wish.

BNAT Router

This module will properly route BNAT traffic and allow for connections to be established to machines on ports which might not otherwise be accessible.

BNAT Scanner

This module is a scanner which can detect Broken NAT (network address translation) implementations, which could result in an inability to reach ports on remote machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'.

Generic Emailer (SMTP)

This module can be used to automate email delivery. This code is based on Joshua Abraham's email script for social engineering.

Metasploit Web Crawler

This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.

Cisco IOS HTTP GET /%% request Denial of Service

This module triggers a Denial of Service condition in the Cisco IOS HTTP server. By sending a GET request for "/%%", the device becomes unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.2(18)P.

ISC DHCP Zero Length ClientID Denial of Service Module

This module performs a denial of service attack against the ISC DHCP server, versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request message with a 0-length client_id option for an IP address in the appropriate range for the DHCP server. When the ISC DHCP Server tries to hash this value it exits abnormally.

FreeBSD Remote NFS RPC Request Denial of Service

This module sends a specially crafted NFS Mount request causing a kernel panic on a host running FreeBSD 6.0.

HP Data Protector Manager RDS DOS

This module causes a remote DoS on HP Data Protector's RDS service. By sending a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous size being passed to malloc().

3Com SuperStack Switch Denial of Service

This module causes a temporary denial of service condition against 3Com SuperStack switches. By sending excessive data to the HTTP Management interface, the switch stops responding temporarily. The device does not reset. Tested successfully against a 3300SM firmware v2.66. Reported to affect versions prior to v2.72.

Apache mod_isapi <= 2.2.14 Dangling Pointer

This module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.

Apache Range header DoS (Apache Killer)

The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges; the exploit is known as "Apache Killer".

Apache Tomcat Transfer-Encoding Information Disclosure and DoS

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

Dell OpenManage POST Request Heap Overflow (win32)

This module exploits a heap overflow in the Dell OpenManage Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability exists due to a boundary error within the handling of POST requests, where the application input is set to an overly long file name. This module will crash the web server, however it is likely exploitable under certain conditions.

SonicWALL SSL-VPN Format String Vulnerability

There is a format string vulnerability within the SonicWALL SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory can be read or written to, depending on the format string used. There appears to be a length limit of 127 characters of format string data. With physical access to the device and debugging, this module may be able to be used to execute arbitrary code remotely.

Ruby WEBrick::HTTP::DefaultFileHandler DoS

The WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7 to 1.8.7-p71, and 1.9 to r18423 allows for a DoS (CPU consumption) via a crafted HTTP request.

Avahi < 0.6.24 Source Port 0 DoS

Avahi-daemon versions prior to 0.6.24 can be DoS'd with an mDNS packet with a source port of 0.

NTP.org ntpd Reserved Mode Denial of Service

This module exploits a denial of service vulnerability within the NTP (network time protocol) daemon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!

MS02-063 PPTP Malformed Control Data Kernel Denial of Service

This module exploits a kernel based overflow when sending abnormal PPTP Control Data packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers (Remote Access Services). Kernel memory is overwritten resulting in a BSOD. Code execution may be possible however this module is only a DoS.

Samba lsa_io_privilege_set Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon.

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon.

Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS

The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending a crafted UDP packet to port 48899 (TCATSysSrv.exe).

7-Technologies IGSS 9 IGSSdataServer.exe DoS

The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be brought down by sending a crafted TCP packet to port 12401. This should also work for version <= 9.0.0.1120, but that version hasn't been tested.

Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption

This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution.

Solaris LPD Arbitrary File Delete

This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.

OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit

This module performs a denial of service attack against Datagram TLS in OpenSSL version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a ChangeCipherSpec datagram before a ClientHello.

rsyslog Long Tag Off-By-Two DoS

This module triggers an off-by-two overflow in the rsyslog daemon. This flaw is unlikely to yield code execution but is effective at shutting down a remote log daemon. This bug was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may prevent this bug from causing any noticeable result on many systems (RHEL6 is affected).

Juniper JunOS Malformed TCP Option

This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.

TCP SYN Flooder

A simple TCP SYN flooder.

Apple Airport 802.11 Probe Response Kernel Memory Corruption

The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.

Wireless CTS/RTS Flooder

This module sends 802.11 CTS/RTS requests to a specific wireless peer, using the specified source address,

Wireless DEAUTH Flooder

This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID.

Wireless Fake Access Point Beacon Flood

This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool.

Wireless Frame (File) Injector

Inspired by Josh Wright's file2air, this module writes wireless frames from a binary file to the air, allowing you to substitute some addresses before it gets sent. Unlike the original file2air (currently v1.1), this module *does* take into account the ToDS and FromDS flags in the frame when replacing any specified addresses.

NetGear MA521 Wireless Driver Long Rates Overflow

This module exploits a buffer overflow in the NetGear MA521 wireless device driver under Windows XP. When a specific malformed frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 Cardbus adapter. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.

NetGear WG311v1 Wireless Driver Long SSID Overflow

This module exploits a buffer overflow in the NetGear WG311v1 wireless device driver under Windows XP and 2000. A kernel-mode heap overflow occurs when a malformed probe response frame is received that contains a long SSID field. This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a NetGear WG311v1 PCI card. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.

Multiple Wireless Vendor NULL SSID Probe Response

This module exploits a firmware-level vulnerability in a variety of 802.11b devices. This attack works by sending a probe response frame containing a NULL SSID information element to an affected device. This flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, Orinoco, and the first generation of Airport cards).

Wireless Beacon SSID Emulator

This module sends out beacon frames using SSIDs identified in a specified file and randomly selected BSSIDs. This is useful when combined with a Karmetasploit attack: clients configured not to probe for networks in their PNL will start probing when they see a matching SSID from this script. For a list of common SSIDs to use with this script, check http://www.wigle.net/gps/gps/main/ssidstats. If a file of SSIDs is not specified, a default list of 20 SSIDs will be used. This script will run indefinitely until interrupted.

Wireless Test Module

This module is a test of the wireless packet injection system. Please see external/ruby-lorcon/README for more information.

Appian Enterprise Business Suite 5.6 SP1 DoS

This module exploits a denial of service flaw in the Appian Enterprise Business Suite service.

Microsoft Windows EOT Font Table Directory Integer Overflow

This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.

FileZilla FTP Server Admin Interface Denial of Service

This module triggers a Denial of Service condition in the FileZilla FTP Server Administration Interface in versions 0.9.4d and earlier. By sending a procession of excessively long USER commands to the FTP Server, the Administration Interface (FileZilla Server Interface.exe), when running, will overwrite the stack with our string and generate an exception. The FileZilla FTP Server itself will continue functioning.

FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service

This module triggers a Denial of Service condition in the FileZilla FTP Server versions 0.9.21 and earlier. By sending a malformed PORT command followed by a LIST command, the server attempts to write to a NULL pointer.

Guild FTPd 0.999.8.11/0.999.14 Heap Corruption

Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap corruption. You need to have a valid login so you can run CWD and LIST.

Microsoft IIS FTP Server Encoded Response Overflow Trigger

This module triggers a heap overflow when processing a specially crafted FTP request containing Telnet IAC (0xff) bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. This issue can be triggered pre-auth and may in fact be exploitable for remote code execution.

Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion

This module triggers a Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid FTP account, either read-only or with write access, 2) the "FTP Publishing" service configured with a startup type of "manual", and 3) at least one directory under the FTP root directory. If the provided FTP account has write access and there is no directory, a new directory with a random name will be created prior to sending the exploit payload.

Solar FTP Server <= 2.1.1 Malformed (User) Denial of Service

This module will send a format string as USER to Solar FTP, causing a READ violation in function "__output_1()" found in "sfsservice.exe" while trying to calculate the length of the string.

Titan FTP Server 6.26.630 SITE WHO DoS

The Titan FTP server v6.26 build 630 can be DoS'd by issuing "SITE WHO". You need a valid login so you can send this command.

Victory FTP Server 5.0 LIST DoS

The Victory FTP Server v5.0 can be brought down by sending a very simple LIST command.

WinFTP 2.3.0 NLST Denial of Service

This module is a very rough port of Julien Bedard's PoC. You need a valid login, but even anonymous can do it if it has permission to call NLST.

XM Easy Personal FTP Server 5.6.0 NLST DoS

This module is a port of shinnai's script. You need a valid login, but even anonymous can do it as long as it has permission to call NLST.

XM Easy Personal FTP Server 5.7.0 NLST DoS

You need a valid login to DoS this FTP server, but even anonymous can do it as long as it has permission to call NLST.

Kaillera 0.86 Server Denial of Service

The Kaillera 0.86 server can be shut down by sending any malformed packet after the initial "hello" packet.

Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service

The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. This requires that Active Server Pages are hosted by IIS and that an ASP script reads a POST form value.

Pi3Web <=2.0.13 ISAPI DoS

The Pi3Web HTTP server crashes when a request is made for an invalid DLL file in /isapi. By default, the non-DLLs in this directory after installation are users.txt, install.daf and readme.daf.

Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS

This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory corruption. Although this vulnerability may lead to code execution, it has not been proven to be possible at the time of this writing. NOTE: In some circumstances, a '.' may be found before the top of the stack is reached. In these cases, this module may not be able to cause a crash.

Microsoft Windows NAT Helper Denial of Service

This module exploits a denial of service vulnerability within the Internet Connection Sharing service in Windows XP.

Microsoft Plug and Play Service Registry Overflow

This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.

Microsoft SRV.SYS Mailslot Write Corruption

This module triggers a kernel pool corruption bug in SRV.SYS. Each call to the mailslot write function results in a two byte return value being written into the response packet. The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in a slow corruption of the kernel memory pool. These two bytes are almost always set to "\xff\xff" (a short integer with value of -1).

Microsoft SRV.SYS Pipe Transaction No Null

This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS.

Microsoft SRV.SYS WriteAndX Invalid DataOffset

This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista.

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.

Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference

This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.

Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop

This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.

Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS

This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. However, if a system has a guest accessible share, you can trigger it without any authentication.

Microsoft Windows Browser Pool DoS

This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.

Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference

This module triggers a NULL dereference in svchost.exe on all current versions of Windows that run the RRAS service. This service is only accessible without authentication on Windows XP SP1 (using the SRVSVC pipe).

Microsoft Vista SP0 SMB Negotiate Protocol DoS

This module exploits a flaw in Windows Vista that allows a remote unauthenticated attacker to disable the SMB service. This vulnerability was silently fixed in Microsoft Vista Service Pack 1.

MS06-019 Exchange MODPROP Heap Overflow

This module triggers a heap overflow vulnerability in MS Exchange that occurs when multiple malformed MODPROP values occur in a VCAL request.

PacketTrap TFTP Server 2.2.5459.0 DoS

The PacketTrap TFTP server version 2.2.5459.0 can be brought down by sending a special write request.

SolarWinds TFTP Server 10.4.0.10 Denial of Service

The SolarWinds TFTP server can be shut down by sending a 'netascii' read request with a specially crafted file name.

Wireshark chunked_encoding_dissector function DOS

Wireshark crashes when dissecting an HTTP chunked response. Versions affected: 0.99.5 (Bug 1394).

Wireshark CLDAP Dissector DOS

This module causes infinite recursion to occur within the CLDAP dissector by sending a specially crafted UDP packet.

Wireshark LDAP dissector DOS

The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet.

DNS and DNSSEC fuzzer

This module will connect to a DNS server and perform DNS and DNSSEC protocol-level fuzzing. Note that this module may inadvertently crash the target server.

Simple FTP Client Fuzzer

This module will serve an FTP server and perform FTP client interaction fuzzing.

Simple FTP Fuzzer

This module will connect to an FTP server and perform pre- and post-authentication fuzzing.

HTTP Form Field Fuzzer

This module will grab all fields from a form and launch a series of POST actions, fuzzing the contents of the form fields. You can optionally fuzz headers too (this option is enabled by default).

HTTP GET Request URI Fuzzer (Incrementing Lengths)

This module sends a series of HTTP GET requests with incrementing URL lengths.

HTTP GET Request URI Fuzzer (Fuzzer Strings)

This module sends a series of HTTP GET requests with malicious URIs.

SMB Negotiate SMB2 Dialect Corruption

This module sends a series of SMB negotiate requests that advertise an SMB2 dialect with corrupted bytes.

SMB Create Pipe Request Fuzzer

This module sends a series of SMB create pipe requests using malicious strings.

SMB Create Pipe Request Corruption

This module sends a series of SMB create pipe requests with corrupted bytes.

SMB Negotiate Dialect Corruption

This module sends a series of SMB negotiate requests with corrupted bytes.

SMB NTLMv1 Login Request Corruption

This module sends a series of SMB login requests using the NTLMv1 protocol with corrupted bytes.

SMB Tree Connect Request Fuzzer

This module sends a series of SMB tree connect requests using malicious strings.

SMB Tree Connect Request Corruption

This module sends a series of SMB tree connect requests with corrupted bytes.

SMTP Simple Fuzzer

SMTP Simple Fuzzer

SSH Key Exchange Init Corruption

This module sends a series of SSH requests with a corrupted initial key exchange payload.

SSH 1.5 Version Fuzzer

This module sends a series of SSH requests with malicious version strings.

SSH 2.0 Version Fuzzer

This module sends a series of SSH requests with malicious version strings.

SSH Version Corruption

This module sends a series of SSH requests with a corrupted version string.

TDS Protocol Login Request Corruption Fuzzer

This module sends a series of malformed TDS login requests.

TDS Protocol Login Request Username Fuzzer

This module sends a series of malformed TDS login requests.

Wireless Beacon Frame Fuzzer

This module sends out corrupted beacon frames.

Wireless Probe Response Frame Fuzzer

This module sends out corrupted probe response frames.

Android Content Provider File Disclosure

This module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device.

CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure

This module sends a query to port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and management station (such as SmartCenter) name via a pre-authentication topology request. Note that the SecuriTeam reference listed here is not the same vulnerability, but it does discuss the same protocol and is somewhat related to this information disclosure.

Citrix MetaFrame ICA Published Applications Scanner

This module attempts to query a Citrix MetaFrame ICA server to obtain a published list of applications.

Citrix MetaFrame ICA Published Applications Bruteforcer

This module attempts to brute force program names within the Citrix MetaFrame ICA server.

CorpWatch Company ID Information Search

This module interfaces with the CorpWatch API to get publicly available info for a given CorpWatch ID of the company. If you don't know the CorpWatch ID, please use the corpwatch_lookup_name module first.

CorpWatch Company Name Information Search

This module interfaces with the CorpWatch API to get publicly available info for a given company name. Please note that by using the CorpWatch API, you acknowledge the limitations of the data CorpWatch provides, and should always verify the information with the official SEC filings before taking any action.

General Electric D20 Password Recovery

The General Electric D20ME and possibly other units (D200?) feature TFTP readable configurations with plaintext passwords. This module retrieves the username, password, and authentication level list.

DNS Enumeration Module

This module can be used to enumerate various types of information about a domain from a specific DNS server.

NAT-PMP External address scanner

Scan NAT devices for their external address using NAT-PMP.

Search Engine Domain Email Address Collector

This module uses Google, Bing and Yahoo to create a list of valid email addresses for the target domain.

Shodan Search

This module uses the SHODAN API to query the database and returns the first 50 IPs. SHODAN accounts are free, and output can be sent to a file for use by another program. Results can also be populated into the services table in the database. NOTE: SHODAN filters (port, hostname, os, geo, city) can be used in queries, but the free API does not allow the net, country, before, and after filters. An unlimited API key can be purchased from the Shodan site to use those queries. The 50 result limit can also be raised to 10,000 for a small fee. API: http://www.shodanhq.com/api_doc FILTERS: http://www.shodanhq.com/help/filters

Foxit Reader Authorization Bypass

This module exploits an authorization bypass vulnerability in Foxit Reader build 1120. When an attacker creates a specially crafted PDF file containing an Open/Execute action, arbitrary commands can be executed without confirmation from the victim.

Energizer DUO Trojan Scanner

Detect instances of the Energizer DUO trojan horse software on port 7777.

DB2 Authentication Brute Force Utility

This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

DB2 Probe Utility

This module queries a DB2 instance for information.

DB2 Discovery Service Detection

This module simply queries the DB2 discovery service for information.

Endpoint Mapper Service Discovery

This module can be used to obtain information from the Endpoint Mapper service.

Hidden DCERPC Service Discovery

This module will query the endpoint mapper and make a list of all ncacn_tcp RPC services. It will then connect to each of these services and use the management API to list all other RPC services accessible on this port. Any RPC service found attached to a TCP port, but not listed in the endpoint mapper, will be displayed and analyzed to see whether anonymous access is permitted.

Remote Management Interface Discovery

This module can be used to obtain information from the Remote Management Interface DCERPC service.

DCERPC TCP Service Auditor

Determine what DCERPC services are accessible over a TCP port.

DECT Call Scanner

This module scans for active DECT calls.

DECT Base Station Scanner

This module scans for DECT base stations.

ARP Sweep Local Network Discovery

Enumerate live hosts on the local network using ARP requests.

IPv6 Link Local/Node Local Ping Discovery

Send an ICMPv6 ping request to all default multicast addresses, and wait to see who responds.

IPv6 Local Neighbor Discovery

Enumerate local IPv6 hosts which respond to Neighbor Solicitations with a link-local address. Note that, like ARP scanning, this usually cannot be performed beyond the local broadcast network.

IPv6 Local Neighbor Discovery Using Router Advertisement

Send a spoofed router advertisement with high priority to force hosts to start the IPv6 address auto-config. Monitor for IPv6 host advertisements, and try to guess the link-local address by concatenating the prefix and the host portion of the IPv6 address. Use NDP host solicitation to determine if the IP address is valid.

UDP Service Prober

Detect common UDP services using sequential probes.

UDP Service Sweeper

Detect common UDP services.

EMC AlphaStor Device Manager Service

This module queries the remote host for the EMC AlphaStor Device Management Service.

EMC AlphaStor Library Manager Service

This module queries the remote host for the EMC AlphaStor Library Management Service.

Finger Service User Enumerator

Identify valid users through the finger service using a variety of tricks.

Anonymous FTP Access Detection

Detect anonymous (read/write) FTP server access.

FTP Authentication Scanner

This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

FTP Version Scanner

Detect FTP Version.

H.323 Version Scanner

Detect H.323 Version.

Adobe XML External Entity Injection

Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2.

Apache "mod_userdir" User Enumeration

Apache with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.

Apache Axis2 v1.4.1 Local File Inclusion

This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. By loading a local XML file which contains a cleartext username and password, attackers can trivially recover authentication credentials to Axis services.

Apache Axis2 v1.4.1 Brute Force Utility

This module attempts to log in to an Apache Axis2 v1.4.1 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

HTTP Backup File Scanner

This module identifies the existence of possible copies of a specific file in a given path.

Barracuda Multiple Product "locale" Directory Traversal

This module exploits a directory traversal vulnerability present in several Barracuda products, including the Barracuda Spam and Virus Firewall, Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default, this module will attempt to download the Barracuda configuration file.

HTTP Blind SQL Injection GET QUERY Scanner

This module identifies the existence of Blind SQL injection issues in GET query parameter values.

HTTP Directory Brute Force Scanner

This module identifies the existence of interesting directories by brute forcing the name in a given directory path.

HTTP SSL Certificate Checker

This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired. Note: Be sure to check your expression if using msfcli; shells tend not to like certain characters and will strip or interpret them (= is a perfect example). It is better to use this module from the console.

Cisco Device HTTP Device Manager Access

This module gathers data from a Cisco device (router or switch) with the device manager web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify authentication.

Cisco IOS HTTP Unauthorized Administrative Access

This module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for "/level/num/exec/..", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.3(11d).

Cisco Network Access Manager Directory Traversal Vulnerability

This module tests whether a directory traversal vulnerability is present in versions of Cisco Network Access Manager 4.8.x. You may wish to change FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.

ColdFusion Version Scanner

This module attempts to identify various flavors of ColdFusion as well as the underlying OS.

ColdFusion Server Check

This module attempts to exploit the directory traversal in the 'locale' attribute. According to the advisory, the following versions are vulnerable: ColdFusion MX6 6.1 base patches, ColdFusion MX7 7,0,0,91690 base patches, ColdFusion MX8 8,0,1,195765 base patches, ColdFusion MX8 8,0,1,195765 with Hotfix4. Adobe released patches for ColdFusion 8.0, 8.0.1, and 9, but ColdFusion 9 is reported to have directory traversal protections in place, so this module does NOT work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or ColdFusion 7.

HTTP Copy File Scanner

This module identifies the existence of possible copies of a specific file in a given path.

Web Site Crawler

Crawl a web site and store information about what was found.

HTTP Directory Listing Scanner

This module identifies directory listing vulnerabilities in a given directory path.

HTTP Directory Scanner

This module identifies the existence of interesting directories in a given directory path.

MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner

This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.

Drupal Views Module Users Enumeration

This module exploits an information disclosure vulnerability in the 'Views' module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'.

Ektron CMS400.NET Default Password Scanner

Ektron CMS400.NET is a web content management system based on .NET. This module tests for installations that are utilizing default passwords set by the vendor. Additionally, it has the ability to brute force user accounts. Note that Ektron CMS400.NET, by default, enforces account lockouts for regular user accounts after a number of failed attempts.

Pull Del.icio.us Links (URLs) for a domain

This module pulls and parses the URLs stored by Del.icio.us users for the purpose of replaying them during a web assessment, finding unlinked and old pages.

Pull Archive.org stored URLs for a domain

This module pulls and parses the URLs stored by Archive.org for the purpose of replaying them during a web assessment, finding unlinked and old pages.

HTTP Error Based SQL Injection Scanner

This module identifies the existence of Error Based SQL injection issues. Still requires a lot of work.

HTTP File Same Name Directory Scanner

This module identifies the existence of files in a given directory path with the same name as the directory. Only works if PATH is different from '/'.

HTTP Interesting File Scanner

This module identifies the existence of interesting files in a given directory path.

FrontPage Server Extensions Login Utility

This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.

GlassFish Brute Force Utility

This module attempts to log in to a GlassFish instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

HTTP Login Utility

This module attempts to authenticate to an HTTP service.

HTTP Writable Path PUT/DELETE File Access

This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE. PUT is the default. If filename isn't specified, the module will generate a random string for you as a .txt file. If DELETE is used, a filename is required.

HTTP Version Detection

Display version information about each system.

Http:BL lookup

This module can be used to enumerate information about an IP address from Project HoneyPot's HTTP Block List.

HTTP SSL Certificate Impersonation

This module requests a copy of the remote SSL certificate and creates a local (self-signed) version using the information from the remote version. The module then outputs the private key / certificate in (PEM|DER) format, plus a combined version for use in Apache or other Metasploit modules requiring SSLCert. Inputs for the private key / CA cert have been provided for those with DigiNotar certs hanging about!

JBoss Vulnerability Scanner

This module scans a JBoss instance for a few vulnerabilities.

LiteSpeed Source Code Disclosure/Download

This module exploits a source code disclosure/download vulnerability in versions 4.0.14 and prior of LiteSpeed.

HTTP Microsoft SQL Injection Table XSS Infection

This module implements the mass SQL injection attack in use lately: by concatenating an HTML string into database content, it forces a persistent XSS attack that redirects the user's browser to an attacker-controlled website.

Majordomo2 _list_file_get() Directory Traversal

This module exploits a directory traversal vulnerability present in the _list_file_get() function of Majordomo2 (help function). By default, this module will attempt to download the Majordomo config.pl file.

Apache HTTPD mod_negotiation Filename Bruter

This module performs a brute force attack in order to discover existing files on a server which uses mod_negotiation. If the filename is found, the IP address and the files found will be displayed.

Apache HTTPD mod_negotiation scanner

This module scans the webserver of the given host(s) for the existence of mod_negotiation. If the webserver has mod_negotiation enabled, the IP address will be displayed.

MS09-020 IIS6 WebDAV Unicode Auth Bypass

Simplified version of MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner. It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.

Nginx Source Code Disclosure/Download

This module exploits a source code disclosure/download vulnerability in versions 0.7 and 0.8 of the nginx web server. Versions 0.7.66 and 0.8.40 correct this vulnerability.

HTTP Open Proxy Detection

Checks if an HTTP proxy is open. False positives are avoided by verifying the HTTP return code and matching a pattern.

HTTP Options Detection

Display available HTTP options for each system.

Outlook Web App (OWA) Brute Force Utility

This module tests credentials on OWA 2003, 2007 and 2010 servers. The default action is set to OWA 2010.

HTTP Previous Directory File Scanner

This module identifies files in the first parent directory with the same name as the given directory path. Example: testing /backup/files/ will look for files such as /backup/files.ext.

HTTP File Extension Scanner

This module identifies the existence of additional files by modifying the extension of an existing file.

Reverse Proxy Bypass Scanner

Scan for poorly configured reverse proxy servers. By default, this module attempts to force the server to make a request with an invalid domain name. If the bypass is successful, the server will look the name up and of course fail, then respond with a status code 502. A baseline status code is always established, and if that baseline matches your test status code, the injection attempt does not occur. "set VERBOSE true" if you are paranoid and want to catch potential false negatives. Works best against Apache and mod_rewrite.

HTTP Robots.txt Content Scanner

Detect robots.txt files and analyze their content.

SAP BusinessObjects User Bruteforcer

This module attempts to bruteforce SAP BusinessObjects users. The dswsbobje interface is only used to verify valid credentials for CmcApp. Therefore, any valid credentials that have been identified can be leveraged by logging into CmcApp.

SAP BusinessObjects Web User Bruteforcer

This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.

SAP BusinessObjects User Enumeration

This module simply attempts to enumerate SAP BusinessObjects users. The dswsbobje interface is only used to verify valid users for CmcApp. Therefore, any valid users that have been identified can be leveraged by logging into CmcApp.

SAP BusinessObjects Version Detection

This module simply attempts to identify the version of SAP BusinessObjects.

HTTP Page Scraper

Scrape defined data from a specific web page based on a regular expression.

HTTP SOAP Verb/Noun Brute Force Scanner

This module attempts to brute force SOAP/XML requests to uncover hidden methods.

SQLMAP SQL Injection External Module

This module launches a sqlmap session. sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statements, read specific files on the file system, and much more.

Squiz Matrix User Enumeration Scanner

This module attempts to enumerate remote users that exist within the Squiz Matrix and MySource Matrix CMS by sending GET requests for asset IDs (e.g. ?a=14) and searching for a valid username (e.g. "~root" or "~test"), which is prefixed by a "~" in the response. It will also try to GET the user's full name or description, or other information. You may wish to modify the ASSETBEGIN and ASSETEND values for greater results, or set VERBOSE. Information gathered may be used for later bruteforce attacks.

HTTP SSL Certificate Information

Parse the server SSL certificate to obtain the common name and signature algorithm

HTTP Subversion Scanner

Detect Subversion directories and files and analyze their content. Only SVN version > 7 is supported.

Sybase Easerver 6.3 Directory Traversal

This module exploits a directory traversal vulnerability found in Sybase EAserver's Jetty webserver on port 8000. Code execution seems unlikely with EAserver's default configuration unless the web server allows WRITE permission.

Apache Tomcat User Enumeration

Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version 6.0.20, 5.5.28, and 4.1.40.

Tomcat Application Manager Login Utility

This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

HTTP TRACE Detection

Test if TRACE is actually enabled. Returns 405 (Apache) or 501 (IIS) if it is disabled, 200 if it is enabled.

HTTP trace.axd Content Scanner

Detect trace.axd files and analyze their content

HTTP Verb Authentication Bypass Scanner

This module tests for authentication bypass using different HTTP verbs.

HTTP Virtual Host Brute Force Scanner

This module tries to identify unique virtual hosts hosted by the target web server.

VMware Server Directory Traversal Vulnerability

This module exploits the directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware Server ports are 80/8222 and 443/8333 (SSL). If you want to download the entire VM, check out the gueststealer tool.

HTTP Vuln scanner

This module identifies common vulnerable files or cgis.

HTTP WebDAV Internal IP Scanner

Detect web servers' internal IPs through WebDAV

HTTP WebDAV Scanner

Detect web servers with WebDAV enabled

HTTP WebDAV Website Content Scanner

Detect web servers disclosing their content through WebDAV

Wordpress Brute Force and User Enumeration Utility

Wordpress Authentication Brute Force and User Enumeration Utility

HTTP Blind XPATH 1.0 Injector

This module exploits blind XPATH 1.0 injections over HTTP GET requests.

Yaws Web Server Directory Traversal

This module exploits a directory traversal bug in Yaws v1.9.1 or less. The module can only be used to retrieve files. However, code execution might be possible, because when the malicious user sends a PUT request, a file is actually created, although no content is written.

IMAP4 Banner Grabber

IMAP4 Banner Grabber

IPID Sequence Scanner

This module will probe hosts' IPID sequences and classify them using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). Nmap's probes are SYN/ACKs while this module's are SYNs. While this does not change the underlying functionality, it does change the chance of whether or not the probe will be stopped by a firewall. Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".

Lotus Domino Password Hash Collector

Get users' password hashes from the names.nsf page

Lotus Domino Brute Force Utility

Lotus Domino Authentication Brute Force Utility

Lotus Domino Version

Several checks to determine Lotus Domino Server Version.

Borland InterBase Services Manager Information

This module retrieves the version of the services manager, and the version and implementation of the InterBase server, from the InterBase Services Manager.

OKI Printer Default Login Credential Scanner

This module scans for OKI printers via SNMP, then tries to connect to found devices with vendor default administrator credentials via HTTP authentication. By default, OKI network printers use the last six digits of the MAC address as the admin password.

Redis-server Scanner

This module scans for Redis servers. By default Redis has no authentication. If authentication (password only) is used, it is then possible to execute a brute force attack on the server. This scanner will find open or password-protected Redis servers and report back the server information.

Rosewill RXS-3211 IP Camera Password Retriever

This module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP cameras such as Edimax, Hawking, Zonet, etc. are also believed to have the same flaw, but this has not been fully tested. The protocol design issue also allows attackers to reset passwords on the device.

SunRPC Portmap Program Enumerator

This module calls the target portmap service and enumerates all program entries and their running port numbers.

Motorola Timbuktu Service Detection

This module simply sends a packet to the Motorola Timbuktu service for detection.

MSSQL Password Hashdump

This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.

MSSQL Login Utility

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

MSSQL Ping Utility

This module simply queries the MSSQL instance for information.

MSSQL Schema Dump

This module attempts to extract the schema from an MSSQL Server instance. It will disregard built-in and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store YAML-formatted output as loot for easy reading.

MYSQL Password Hashdump

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

MySQL Login Utility

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

MYSQL Schema Dump

This module extracts the schema information from a MySQL DB server.

MySQL Server Version Enumeration

Enumerates the version of MySQL servers

NAT-PMP External port scanner

Scan NAT devices for their external listening ports using NAT-PMP

NetBIOS Information Discovery

Discover host information through NetBIOS

NetBIOS Information Discovery Prober

Discover host information using sequential NetBIOS Probes

NFS Mount Scanner

This module scans NFS mounts and their permissions.

NTP Monitor List Scanner

Obtain the list of recent clients from an NTP server

Oracle Enterprise Manager Control SID Discovery

This module makes a request to the Oracle Enterprise Manager Control Console in an attempt to discover the SID.

Oracle iSQL*Plus Login Utility

This module attempts to authenticate against an Oracle iSQL*Plus administration web site using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. This module does not require a valid SID, but if one is defined, it will be used. Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to fingerprint the version and automatically select the correct POST request.

Oracle isqlplus SID Check

This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus login pages. It does this by testing Oracle error responses returned in the HTTP response. Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error. Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to fingerprint the version and automatically select the correct POST request.

Oracle Password Hashdump

This module dumps the usernames and password hashes from Oracle given the proper credentials and SID. These are then stored as loot for later cracking.

Oracle RDBMS Login Utility

This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

Oracle TNS Listener SID Bruteforce

This module queries the TNS listener for a valid Oracle database instance name (also known as a SID). Any response other than a "reject" will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, SIDs read from the named file will be attempted in sequence instead.

Oracle TNS Listener SID Enumeration

This module simply queries the TNS listener for the Oracle SID. With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be bruteforced or guessed.

Oracle Application Server Spy Servlet SID Enumeration

This module makes a request to the Oracle Application Server in an attempt to discover the SID.

Oracle TNS Listener Service Version Query

This module simply queries the tnslsnr service for the Oracle build.

Oracle XML DB SID Discovery

This module simply makes an authenticated request to retrieve the SID from the Oracle XML DB httpd server.

Oracle XML DB SID Discovery via Brute Force

This module attempts to retrieve the SID from the Oracle XML DB httpd server, utilizing Pete Finnigan's default Oracle password list.

pcAnywhere TCP Service Discovery

Discover active pcAnywhere services through TCP

pcAnywhere UDP Service Discovery

Discover active pcAnywhere services through UDP

POP3 Login Utility

This module attempts to authenticate to a POP3 service.

POP3 Banner Grabber

POP3 Banner Grabber

TCP ACK Firewall Scanner

Map out firewall rulesets with a raw ACK scan. Any unfiltered ports found mean that a stateful firewall is not in place for them.

FTP Bounce Port Scanner

Enumerate TCP services via the FTP bounce PORT/LIST method, which can still come in handy every once in a while (I know of a server that still allows this just fine...).

TCP SYN Port Scanner

Enumerate open TCP services using a raw SYN scan.

TCP Port Scanner

Enumerate open TCP services

TCP "XMas" Port Scanner

Enumerate open|filtered TCP services using a raw "XMas" scan; this sends probes containing the FIN, PSH and URG flags.

Postgres Password Hashdump

This module extracts the usernames and encrypted password hashes from a Postgres server and stores them for later cracking.

PostgreSQL Login Utility

This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

Postgres Schema Dump

This module extracts the schema information from a Postgres server.

PostgreSQL Version Probe

Enumerates the version of PostgreSQL servers.

Rogue Gateway Detection: Receiver

This module listens for replies to the requests sent by the rogue_send module. The RPORT, CPORT, and ECHOID values must match the rogue_send parameters used exactly.

Rogue Gateway Detection: Sender

This module sends a series of TCP SYN and ICMP ECHO requests to each internal target host, spoofing the source address of an external system running the rogue_recv module. This allows the system running the rogue_recv module to determine what external IP a given internal system is using as its default route.

rexec Authentication Scanner

This module will test an rexec service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

rlogin Authentication Scanner

This module will test an rlogin service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

rsh Authentication Scanner

This module will test a shell (rsh) service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

SAP URL Scanner

This module scans for commonly found SAP Internet Communication Manager URLs and outputs return codes for the user.

SAP Management Console ABAP syslog

This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface.

SAP Management Console Brute Force

This module simply attempts to brute force the username/password for the SAP Management Console SOAP Interface. By setting the SAP SID value, a list of default SAP users can be tested without needing to set a USERNAME or USER_FILE value. The default usernames are stored in ./data/wordlists/sap_common.txt (the value of SAP SID is automatically inserted into the username to replace <SAPSID>).

SAP Management Console Extract Users

This module simply attempts to extract SAP users from the ABAP Syslog through the SAP Management Console SOAP Interface.

SAP Management Console Get Access Points

This module simply attempts to output a list of SAP access points through the SAP Management Console SOAP Interface.

SAP Management Console getEnvironment

This module simply attempts to identify SAP Environment settings through the SAP Management Console SOAP Interface.

SAP Management Console Get Logfile

This module simply attempts to download available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. Please use the sap_manamgenet_console_listlogfiles extension to view a list of available files.

SAP Management Console Get Process Parameters

This module simply attempts to output SAP process parameters and configuration settings through the SAP Management Console SOAP Interface.

SAP Management Console Instance Properties

This module simply attempts to identify the instance properties through the SAP Management Console SOAP Interface.

SAP Management Console List Logfiles

This module simply attempts to output a list of available logfiles and developer tracefiles through the SAP Management Console SOAP Interface.

SAP Management Console getStartProfile

This module simply attempts to access the SAP startup profile through the SAP Management Console SOAP Interface.

SAP Management Console Version Detection

This module simply attempts to identify the version of SAP through the SAP Management Console SOAP Interface.

SAP Service Discovery

Scans for listening SAP services.

SIP Username Enumerator (UDP)

Scan for numeric username/extensions using OPTIONS/REGISTER requests

SIP Username Enumerator (TCP)

Scan for numeric username/extensions using OPTIONS/REGISTER requests

SIP Endpoint Scanner (UDP)

Scan for SIP devices using OPTIONS requests

SIP Endpoint Scanner (TCP)

Scan for SIP devices using OPTIONS requests

SIPDroid Extension Grabber

This module exploits a leak of extension/SIP Gateway on SIPDroid 1.6.1 beta, 2.0.1 beta, 2.2 beta (tested in Android 2.1 and 2.2 - official Motorola release) (other versions may be affected).

SMB Session Pipe Auditor

Determine what named pipes are accessible over SMB

SMB Session Pipe DCERPC Auditor

Determine what DCERPC services are accessible over an SMB pipe

SMB 2.0 Protocol Detection

Detect systems that support the SMB 2.0 protocol

SMB Share Enumeration

Determine what shares are provided by the SMB service

SMB User Enumeration (SAM EnumUsers)

Determine what local users exist via the SAM RPC service

SMB Domain User Enumeration

Determine what domain users are logged into a remote system via a DCERPC call to NetWkstaUserEnum.

SMB Login Check Scanner

This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

SMB Local User Enumeration (LookupSid)

Determine what local users exist via brute force SID lookups

SMB Version Detection

Display version information about each system

SMTP User Enumeration Utility

The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual addresses of user aliases and e-mail lists (mailing lists)). Using these SMTP commands, a list of valid users can be revealed.

SMTP Banner Grabber

SMTP Banner Grabber

AIX SNMP Scanner Auxiliary Module

AIX SNMP Scanner Auxiliary Module

Cisco IOS SNMP Configuration Grabber (TFTP)

This module will download the startup or running configuration from a Cisco IOS device using SNMP and TFTP. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system and the use of NAT will cause the TFTP transfer to fail.

Cisco IOS SNMP File Upload (TFTP)

This module will copy a file to a Cisco IOS device using SNMP and TFTP. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system, and the use of NAT will cause the TFTP transfer to fail.

SNMP Enumeration Module

This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public".

SNMP Windows SMB Share Enumeration

This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP

SNMP Windows Username Enumeration

This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP

SNMP Community Scanner

Scan for SNMP devices using common community names

SNMP Set Module

This module, similar to the snmpset tool, uses the SNMP SET request to set information on a network entity. An OID (in numeric notation) and a value are required. The target device must permit write access.

Xerox WorkCentre User Enumeration (SNMP)

This module will do user enumeration based on the Xerox WorkCentre present on the network. SNMP is used to extract the usernames.

SSH Public Key Acceptance Scanner

This module can determine what public keys are configured for key-based authentication across a range of machines, users, and sets of known keys. The SSH protocol indicates whether a particular key is accepted prior to the client performing the actual signed authentication request. To use this module, a text file containing one or more SSH keys should be provided. These can be private or public, so long as no passphrase is set on the private keys. If you have loaded a database plugin and connected to a database this module will record authorized public keys and hosts so you can track your process. Key files may be a single public (unencrypted) key, or several public keys concatenated together as an ASCII text file. Non-key data should be silently ignored. Private keys will only utilize the public key component stored within the key file.

SSH Login Check Scanner

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

SSH Public Key Login Scanner

This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Note that password-protected key files will not function with this module -- it is designed specifically for unencrypted (passwordless) keys. Key files may be a single private (unencrypted) key, or several private keys concatenated together as an ASCII text file. Non-key data should be silently ignored.

SSH Version Scanner

Detect SSH Version.

Wardialer

Scan for dial-up systems that are connected to modems and answer telephony indials.

Telnet Service Encryption Key ID Overflow Detection

Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd)

Telnet Login Check Scanner

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Telnet Service Banner Detection

Detect telnet services

IpSwitch WhatsUp Gold TFTP Directory Traversal

This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp Gold's TFTP service.

TFTP Brute Forcer

This module uses a dictionary to brute force valid TFTP image names from a TFTP server.

SSDP M-SEARCH Gateway Information Discovery

Discover information about the local gateway via UPnP

VMWare Authentication Daemon Login Scanner

This module will test vmauthd logins on a range of machines and report successful logins.

VMWare Web Login Scanner

This module attempts to authenticate to the VMWare HTTP service for VMWare Server, ESX, and ESXi.

VNC Authentication Scanner

This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol versions 3.3, 3.7, and 3.8 using the VNC challenge-response authentication method.

VNC Authentication None Detection

Detect VNC servers that support the "None" authentication method.

Telephone Line Voice Scanner

This module dials a range of phone numbers and records audio from each answered call.

VxWorks WDB Agent Boot Parameter Scanner

Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory

VxWorks WDB Agent Version Scanner

Scan for exposed VxWorks wdbrpc daemons

X11 No-Auth Scanner

This module scans for X11 servers that allow anyone to connect without authentication.

HTTP Client Automatic Exploiter

This module has three actions. The first (and the default) is 'WebServer' which uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them. Next is 'DefangedDetection' which does only the fingerprinting part. Lastly, 'list' simply prints the names of all exploit modules that would be used by the WebServer action given the current MATCH and EXCLUDE options. Also adds a 'list' command which is the same as running with ACTION=list.

Authentication Capture: FTP

This module provides a fake FTP service that is designed to capture authentication credentials.

Authentication Capture: HTTP

This module provides a fake HTTP service that is designed to capture authentication credentials.

HTTP Client MS Credential Catcher

This module attempts to quietly catch NTLM/LM Challenge hashes.

Authentication Capture: IMAP

This module provides a fake IMAP service that is designed to capture authentication credentials.

Authentication Capture: POP3

This module provides a fake POP3 service that is designed to capture authentication credentials.

Authentication Capture: SMB

This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service use by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the Ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

Authentication Capture: SMTP

This module provides a fake SMTP service that is designed to capture authentication credentials.

Authentication Capture: Telnet

This module provides a fake Telnet service that is designed to capture authentication credentials. DONTs and WONTs are sent to the client for all option negotiations, except for ECHO at the time of the password prompt since the server controls that for a bit more realism.

DHCP Server

This module provides a DHCP service

DNS Spoofing Helper Service

This module provides a DNS service that returns TXT records indicating information about the querying service. Based on Dino Dai Zovi's DNS code from Karma.

Fake DNS Service

This module provides a DNS service that redirects all queries to a particular address.

FTP File Server

This module provides an FTP service

PXE Boot Exploit Server

This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a Linux kernel and initrd into memory that reads the hard drive, placing a payload to install metsvc, disable the firewall, and add a new user metasploit on any Windows partition seen, and adding a uid 0 user with username and password metasploit to any Linux partition seen. The Windows user will have the password p@SSw0rd!123456 (in case of complexity requirements) and will be added to the administrators group. Note: the displayed IP address of a target is the address this DHCP server handed out, not the "normal" IP address the host uses.

Socks4a Proxy Server

This module provides a socks4a proxy server that uses the builtin Metasploit routing to relay connections.

SOCKS Proxy UNC Path Redirection

This module provides a Socks proxy service that redirects all HTTP requests to a web page that loads a UNC path.

TFTP File Server

This module provides a TFTP service

Cross Platform Webkit File Dropper

This module exploits an XSLT vulnerability in Webkit to drop ASCII or UTF-8 files to the target file system. By default, the file will be dropped in C:\Program Files\.

pSnuffle Packet Sniffer

This module sniffs passwords like dsniff did in the past

ARP Spoof

Spoof ARP replies and poison remote ARP caches to conduct IP address spoofing or a denial of service.

Forge Cisco DTP Packets

This module forges DTP packets to initialize a trunk port.

DNS BailiWicked Domain Attack

This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domain's nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit.

DNS BailiWicked Host Attack

This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached.

DNS Lookup Result Comparison

This module can be used to determine differences in the cache entries between two DNS servers. This is primarily useful for detecting cache poisoning attacks, but can also be used to detect geo-location load balancing.

NetBIOS Name Service Spoofer

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet's broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker's choosing. Combined with auxiliary/capture/server/smb or capture/server/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to tcp/137 on all interfaces.

Pcap replay utility

Replay a pcap capture file

Airpwn TCP hijack

TCP streams are 'protected' only in so much as the sequence number is not guessable. Wifi is shared media. Got your nose. Responses which do not begin with Header: Value are assumed to be HTML only and will have Header: Value data prepended. Responses which do not include a Content-Length header will have one generated.

DNSpwn DNS hijack

Race DNS responses and replace DNS queries

Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE

The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.

Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE

The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.

Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE

The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.

Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET

The module exploits an sql injection flaw in the CREATE_CHANGE_SET procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.

Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION

This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects to Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4.

Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION

This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This module has been tested against 9i, 10gR1 and 10gR2.

Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML

This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.

Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML

This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the SYS.DBMS_METADATA.GET_XML package/function.

Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN

This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the SYS.DBMS_METADATA.OPEN package/function.

Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger

This module will escalate an Oracle DB user to MDSYS by exploiting a SQL injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. It then escalates the user to DBA by abusing the CREATE ANY TRIGGER privilege held by MDSYS to create a malicious trigger in the SYSTEM schema (a two-stage attack).

Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution

This module exploits a flaw (0-day) in the DBMS_JVM_EXP_PERMS package that allows any user with the CREATE SESSION privilege to grant themselves Java I/O privileges. Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only).

Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution

This module exploits a flaw (0-day) in the DBMS_JVM_EXP_PERMS package that allows any user with the CREATE SESSION privilege to grant themselves Java I/O privileges. Identified by David Litchfield. Works on 11g R1 and R2 (Windows only).

Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE

This module exploits a SQL injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with EXECUTE privilege on the vulnerable package can exploit this vulnerability.

Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method

This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.LT.FINDRICSET package via the Evil Cursor technique. Tested on Oracle 10.1.0.3.0; it should work through 10.1.0.5.0 and reportedly on 11g. Fixed with the Oracle Critical Patch Update of October 2007.

Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE

This module exploits a SQL injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with EXECUTE privilege on the vulnerable package can exploit this vulnerability.

Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE

This module exploits a SQL injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with EXECUTE privilege on the vulnerable package can exploit this vulnerability.

Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE

This module exploits a SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with EXECUTE privilege on the vulnerable package can exploit this vulnerability.
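The mechanism that all of the SYS-package injections above share, and the checks a DBA would run for them, as an added example (not code from Metasploit or from any module listed here): a low-privileged user (SCOTT is an assumed account) defines a function that grants itself DBA, then injects a call to it through a string parameter of a SYS-owned definer-rights package, so the function runs with SYS's privileges. SYS.VULN_PKG.VULN_PROC in the comment is a hypothetical placeholder for such a call site, not one of the real procedures. The queries that follow list who can execute the packages named in these descriptions (including DBMS_JVM_EXP_PERMS from the two entries above), who holds EXECUTE_CATALOG_ROLE directly or through nested roles, whether a CPU shows in the patch history, and which Java file permissions have been granted.

```sql
-- Added example; not part of the Metasploit module descriptions.

-- Part 1: the generic payload. Run as the low-privileged user (assumed: SCOTT).
-- AUTHID CURRENT_USER makes the function run with the privileges of whoever
-- invokes it; inside a SYS definer-rights package that invoker is SYS.
-- The autonomous transaction lets the GRANT commit from inside a query.
CREATE OR REPLACE FUNCTION scott.grant_dba RETURN VARCHAR2
AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
  COMMIT;
  RETURN 'x';
END;
/

-- The injected value closes the package's string literal and splices in the
-- function call. Hypothetical call site (VULN_PKG/VULN_PROC are placeholders):
--   EXEC SYS.VULN_PKG.VULN_PROC('x''||SCOTT.GRANT_DBA()||''');
-- The new role takes effect on the next login, so reconnect afterwards.

-- Part 2: who can reach the packages named in these module descriptions?
-- A grant to PUBLIC means every account; a grant to a role means every
-- holder of that role.
SELECT p.table_name AS package_name, p.grantee, p.privilege
FROM   dba_tab_privs p
WHERE  p.owner = 'SYS'
AND    p.privilege = 'EXECUTE'
AND    p.table_name IN ('DBMS_CDC_PUBLISH', 'DBMS_CDC_SUBSCRIBE',
                        'DBMS_EXPORT_EXTENSION', 'DBMS_METADATA',
                        'LT', 'DBMS_JVM_EXP_PERMS')
ORDER  BY p.table_name, p.grantee;

-- EXECUTE_CATALOG_ROLE is the default path to the DBMS_CDC_PUBLISH procedures.
-- Roles nest, so walk the hierarchy and keep only real users.
SELECT DISTINCT r.grantee
FROM   dba_role_privs r
WHERE  r.grantee IN (SELECT username FROM dba_users)
START WITH r.granted_role = 'EXECUTE_CATALOG_ROLE'
CONNECT BY PRIOR r.grantee = r.granted_role;

-- Part 3: has a Critical Patch Update been applied? The ACTION and COMMENTS
-- columns identify the CPU; compare against the fix dates in the descriptions.
SELECT action_time, action, version, comments
FROM   dba_registry_history
ORDER  BY action_time DESC;

-- Abuse of DBMS_JVM_EXP_PERMS leaves a Java I/O permission behind. List file
-- permissions and compare the grantees against a known-good instance; the
-- SYS, PUBLIC and JAVA*PRIV entries are the expected baseline.
SELECT grantee, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
ORDER  BY grantee, name;
```

Removing EXECUTE from PUBLIC or from broad roles on these packages is only a stopgap; the descriptions name the CPU that removes the injection, and the patch history query is what confirms it is present.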

Asterisk Manager Login Utility

This module attempts to authenticate to an Asterisk Manager Interface (AMI) service. Note that by default, Asterisk Call Management (TCP port 5038) only listens locally, but the administrator can change this in /etc/asterisk/manager.conf on the target machine.
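The settings the module description refers to, as an added illustration (not the module's code and not Asterisk's shipped sample file): a manager.conf that exposes AMI on every interface with a guessable account, beside one that keeps the local-only bind the description calls the default and restricts the account to the hosts and privilege classes it needs. The account names, the secret placeholder and the address ranges are assumed values.

```ini
; --- weak /etc/asterisk/manager.conf (illustration) ---
; Reachable from any interface, one account with every class, weak secret,
; no source-address restriction: exactly what a login scanner needs.
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = admin
read = all
write = all

; --- hardened /etc/asterisk/manager.conf (illustration) ---
; Keep AMI on the loopback interface unless a remote consumer is required;
; if one is, bind to that interface and add a firewall rule for 5038/tcp.
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1

; deny everything first, then permit only the hosts that need the account
; (assumed: a local monitoring process). Grant only the classes it uses
; and omit "write" entirely when the account only needs to read events.
[monitor]
secret = <long random secret>
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call,cdr
```

With the hardened file, a login attempt from any other host never reaches the authentication step, so a credential guess against the [monitor] account is refused before the secret is compared.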

SIP Invite Spoof

This module will create a fake SIP INVITE request, making the targeted device ring and display spoofed caller ID information.

VSploit Mariposa DNS Query Module

This module queries known Mariposa Botnet DNS records.

VSploit DNS Beaconing Emulation

This module takes a list and emulates malicious DNS beaconing.

VSploit Zeus DNS Query Module

This module queries known Zeus Botnet DNS records.

VSploit Email PII

This auxiliary module reads data from a file and sends it through an internal or external SMTP server; the content is chosen so that it should be flagged by monitoring.

VSploit Web PII

This module emulates a web server leaking PII data.