Browse Exploit & Auxiliary Modules
The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.
Search for modules
Module Browser
Firefox 3.5 escape() Return Value Memory Corruption
This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. This flaw occurs when a bug in the javascript interpreter fails to preserve the return value of the escape() function and results in uninitialized memory being used instead. This module has only been tested on Windows, but should work on other platforms as well with the current targets.
Firefox location.QueryInterface() Code Execution
This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
Apple OS X iTunes 8.1.1 ITMS Overflow
This modules exploits a stack-based buffer overflow in iTunes itms:// URL parsing. It is accessible from the browser and in Safari, itms urls will be opened in iTunes automatically. Because iTunes is multithreaded, only vfork-based payloads should be used.
Sun Java Calendar Deserialization Exploit
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
Sun Java JRE getSoundbank file:// URI Buffer Overflow
This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Java Applet Rhino Script Engine Remote Code Execution
This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc)
Java RMIConnectionImpl Deserialization Privilege Escalation Exploit
This module exploits a vulnerability in the Java Runtime Environment that allows to deserialize a MarshalledObject containing a custom classloader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Sun Java JRE AWT setDiffICM Buffer Overflow
This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Java Signed Applet Social Engineering Code Execution
This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs the it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the "Publisher" line. Newer JVMs display "UNKNOWN" when the signature is not trusted (i.e., it's not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks "run", the applet executes with full user permissions.
Java Statement.invoke() Trusted Method Chain Exploit
This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff's HTML PoC.
Mozilla Suite/Firefox Navigator Object Code Execution
This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed.
Opera 9 Configuration Overwrite
Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code.
Opera historysearch XSS
Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to modify configuration settings and execute arbitrary commands. Affects Opera versions between 9.50 and 9.61.
Apple QTJava toQTPointer() Arbitrary Memory Access
This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7.
Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a specially crafted pdf that a contains malformed U3D data, an attacker may be able to execute arbitrary code.
Maple Maplet File Creation and Command Execution
This module harnesses Maple's ability to create files and execute commands automatically when opening a Maplet. All versions up to 13 are suspected vulnerable. Testing was conducted with version 13 on Windows. Standard security settings prevent code from running in a normal maple worksheet without user interaction, but those setting do not prevent code in a Maplet from running. In order for the payload to be executed, an attacker must convince someone to open a specially modified .maplet file with Maple. By doing so, an attacker can execute arbitrary code as the victim user.
PeaZip <= 2.6.1 Zip Processing Command Injection
This module exploits a command injection vulnerability in PeaZip. All versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with version 2.6.1 on Windows. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with PeaZip, and access the specially file via double-clicking it. By doing so, an attacker can execute arbitrary commands as the victim user.
wu-ftpd SITE EXEC/INDEX Format String Vulnerability
This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code.
Generic Payload Handler
This module is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework.
Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)
This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.
Family Connections less.php Remote Command Execution
This module exploits an arbitrary command execution vulnerability in Family Connections 2.7.1. It's in the dev/less.php script and is due to an insecure use of system(). Authentication isn't required to exploit the vulnerability but register_globals must be set to On.
FreeNAS exec_raw.php Arbitrary Command Execution
This module exploits an arbitrary command execution flaw in FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL to the exec_raw.php page, an attacker may be able to execute arbitrary commands. NOTE: This module works best with php/meterpreter payloads.
Gitorious Arbitrary Command Execution
This module exploits an arbitrary command execution vulnerability in the in gitorious. Unvalidated input is send to the shell allowing command execution.
Sun/Oracle GlassFish Server Authenticated Code Execution
This module logs in to an GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads, and executes commands via deploying a malicious WAR. On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.
JBoss JMX Console Beanshell Deployer WAR upload and deployment
This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer\'s createScriptDeployment() method.
JBoss Java Class DeploymentFileRepository WAR deployment
This module uses the DeploymentFileRepository class in JBoss Application Server (jbossas) to deploy a JSP file in a minimal WAR context.
JBoss JMX Console Deployer Upload and Execute
This module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us.
OP5 license.php Remote Command Execution
This module exploits an arbitrary root command execution vulnerability in the OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
OP5 welcome Remote Command Execution
This module exploits an arbitrary root command execution vulnerability in OP5 Monitor welcome. Ekelow AB has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection
This module exploits a vulnerability in the lib/functions.php that allows attackers input parsed directly to the create_function() php function. A patch was issued that uses a whitelist regex expression to check the user supplied input before being parsed to the create_function() call.
phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt software. This vulnerability is only exploitable when the magic_quotes_gpc PHP option is 'off'. Authentication is not required to exploit the bug. Version 1.2.10 and earlier of phpScheduleIt are affected.
Plone and Zope Remote CMD Injection Exploit
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit
This module exploits an arbitrary command execution vulnerability in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is inside /scripts/pagelist.php.
Support Incident Tracker <= 3.65 Remote Command Execution
This module combines two separate issues within Support Incident Tracker (<= 3.65) application to upload arbitrary data and thus execute a shell. The two issues exist in ftp_upload_file.php. The first vulnerability exposes the upload dir used to store attachments. The second vulnerability allows arbitrary file upload since there is no validation function to prevent from uploading any file type. Authentication is required to exploit both vulnerabilities.
Snortreport nmap.php/nbtscan.php Remote Command Execution
This module exploits an arbitrary command execution vulnerability in nmap.php and nbtscan.php scripts.
Splunk Search Remote Code Execution
This module abuses a command execution vulnerability in the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the 'mappy' search command which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.
Spreecommerce 0.60.1 Arbitrary Command Execution
This module exploits an arbitrary command execution vulnerability in the Spreecommerce search. Unvalidated input is called via the Ruby send method allowing command execution.
Spreecommerce < 0.50.0 Arbitrary Command Execution
This module exploits an arbitrary command execution vulnerability in the Spreecommerce API searchlogic. Unvalidated input is called via the Ruby send method allowing command execution.
Apache Struts < 2.2.0 Remote Command Execution
This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.
Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
This module exploits a buffer overflow in Sun Java Web Server prior to version 7 Update 8. By sending an "OPTIONS" request with an overly long path, attackers can execute arbitrary code. In order to reach the vulnerable code, the attacker must also specify the path to a directory with WebDAV enabled. This exploit was tested and confirmed to work on Windows XP SP3 without DEP. Versions for other platforms are vulnerable as well. The vulnerability was originally discovered and disclosed by Evgeny Legerov of Intevydis.
Apache Tomcat Manager Application Deployer Authenticated Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
Traq <= 2.3 Authentication Bypass / Remote Code Execution Exploit
This module exploits an arbitrary command execution vulnerability in Traq 2.0 to 2.3. It's in the admincp/common.php script. This function is called in each script located into /admicp/ directory to make sure the user has admin rights, but this is a broken authorization schema due to the header() function doesn't stop the execution flow. This can be exploited by malicious users to execute admin functionality resulting for e.g. in execution of arbitrary PHP code leveraging of plugins.php functionality.
vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection
This module exploits a vulnerability in the 'proc_deutf()' function defined in /includes/functions_vbseocp_abstract.php. User input passed through 'char_repl' POST parameter isn't properly sanitized before being used in a call to preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary code leveraging the PHP's complex curly syntax.
Java RMI Server Insecure Default Configuration Java Code Execution
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
HP OpenView OmniBack II Command Execution
This module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module. For Microsoft Windows targets, due to module limitations, use the "unix/cmd/generic" payload and set CMD to your command. You can only pass a small amount of characters (4) to the command line on Windows.
VERITAS NetBackup Remote Command Execution
This module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. The port is opened and allows direct console access as root or SYSTEM from any source address.
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue.
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue. This version loops, sending the packet every X seconds until the job is killed.
Zend Server Java Bridge Arbitrary Java Code Execution
This module takes advantage of a trust relationship issue within the Zend Server Java Bridge. The Java Bridge is responsible for handling interactions between PHP and Java code within Zend Server. When Java code is encountered Zend Server communicates with the Java Bridge. The Java Bridge then handles the java code and creates the objects within the Java Virtual Machine. This interaction however, does not require any sort of authentication. This leaves the JVM wide open to remote attackers. Sending specially crafted data to the Java Bridge results in the execution of arbitrary java code.
NTP daemon readvar Buffer Overflow
This module exploits a stack based buffer overflow in the ntpd and xntpd service. By sending an overly long 'readvar' request it is possible to execute code remotely. As the stack is corrupted, this module uses the Egghunter technique.
PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2Mb block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into the beginning of the hashtable string. This can be used with an egghunter to quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction is known. The EDI method is faster, but the bandwidth-intensive brute force used by this module is more reliable across a wider range of systems.
RealServer Describe Buffer Overflow
This module exploits a buffer overflow in RealServer 7/8/9 and was based on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit Linux, BSD, and Windows-based servers.
Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: "Bug in the length checking for encrypted password change requests from clients." The bug was discovered and reported by the Debian Samba Maintainers.
Samba "username map script" Command Execution
This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!
Subversion Date Svnserve
This is an exploit for the Subversion date parsing overflow. This exploit is for the svnserve daemon (svn:// protocol) and will not work for Subversion over webdav (http[s]://). This exploit should never crash the daemon, and should be safe to do multi-hits. **WARNING** This exploit seems to (not very often, I've only seen it during testing) corrupt the subversion database, so be careful!
Wyse Rapport Hagent Fake Hserver Command Execution
This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download the payload wrapped in an executable from the FTP service.