This Metasploit module has been tested on a Wemo-enabled Crock-Pot, but other Wemo devices are known to be affected, albeit on a different RPORT (49153).
313030894a5a2f95690cc02bc8dcac3485b44c43cb7d61a2f727c2e2876c4867
This Metasploit module exploits a SUID installation of the Emacs movemail utility to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local. The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
9a45ef7c2c0d7e05f3ad54afa5cf8a4f5e411cdd781a161604fbfb0258e39186
This Metasploit module exploits sendmail's well-known historical debug mode to escape to a shell and execute commands in the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently only cmd/unix/reverse and cmd/unix/generic are supported.
1a4e5d53d0016bdb16eb6f683c07b76aba09a90bfa3bac11eb076eeaae1e53ef
This Metasploit module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions 9.22.0 and below. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This Metasploit module provides a generic exploit against the jQuery widget.
d34fb14aa9b4338617c18788b969d61c2e2bb73edfa259074f37f0336142d5c4
This Metasploit module exploits a stack buffer overflow in fingerd on 4.3BSD. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
5f407350c1d9280dd4c5077754d558bd32be9404ebe5f76676b4a472abb2658d
This Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.4, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.
d4db47de622ab194cae5e05a485e3f4743601277e19a6aa2f5275bcad5350dab
This Metasploit module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick, and this module provides the latest vector for Ghostscript.
9a18d75e03ae94b3478787aa8898389327fe3597f03bcf6872c9a239283731ae
This Metasploit module exploits an authentication bypass in .srv functionality and a command injection in parhand to execute code as the root user.
c10f9b22f833b812b5b5320ea587dedf77fe8a60a4a58ddec5548a2ea5fb202d
This Metasploit module exploits a hardcoded service token or default credentials in HPE VAN SDN Controller versions 2.7.18.0503 and below to execute a payload as root. A root command injection was discovered in the uninstall action's name parameter, obviating the need to use sudo for privilege escalation. If the service token option TOKEN is blank, USERNAME and PASSWORD will be used for authentication. An additional login request will be sent.
eea257b390a3b287d462cce58af78297233c499f3594b67b9e26d2aa119c09e9
This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.
d8e06fe66e7a7c70257d472a150741719f1392fb6c548c25bee9d61d4f3a78cd
This Metasploit module sends a magic packet to a NETGEAR device to enable telnetd. Upon successful connect, a root shell should be presented to the user.
de8e2ae5d297bdf918fd4c07ca565a83780eb63b8a40981c118b61d29c59187c
This Metasploit module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.
cb3ce61975554a3297a24930dd020c04ec845fcbd5d8eef10ec56929627059be
Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library.
733707ff1693492ed26a3fc45635dfec661cbb6f0cba034160e94e43f171f6b9
This Metasploit module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.
928eb6125df4b025be7b68270b411eb5dfb58e8b71a32b25b6ed380ce5e0f241
This Metasploit module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI <= 5.2.7 to pop a root shell.
7b076eb4c293543ed664b1e38b4942197ec5fe84ee01dda8591020258e48df90
This Metasploit module exploits a command injection in Apache Continuum versions 1.4.2 and below. By injecting a command into the installation.varValue POST parameter to /continuum/saveInstallation.action, a shell can be spawned.
cf845d6fbc3b09514ed47ba1ed811ff6c6d343b0941a626f3ff4522492ad83c7
This Metasploit module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell.
472df2245622a97749e8706f2ba968606decb46822546f51bf7cc6c5391ad65f
This Metasploit module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "mf" malware infecting these devices.
bb35dd847b4006bfddf6670aa0099dfa601022d89cda1ae234b032fd32276366
This Metasploit module exploits a shell command injection in the way "delegates" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. Tested on Linux, BSD, and OS X. You'll want to choose your payload carefully due to portability concerns. Use cmd/unix/generic if need be.
b4c6b0e7acc235fa1688e82fff7eedb021357977c009bfb8d3faf0171a733bf1
This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 given the presence of the "perl_startup" configuration parameter.
9244d1a56ca1a0b4187fc7d9232dd5485fbbf380c0bdb9f35ea79df0019c335a
This Metasploit module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface beyond repair. No workaround has been found yet. Use this module at your own risk. No check will be implemented.
f98ee50658aec27fea6e1325e83c5d9c0afefcbe8bf5d2b5dab9fa93e03887b6
This Metasploit module exploits a null pointer dereference in XNU to escalate privileges to root. Tested on 10.10.4 and 10.10.5.
96d3d170f08479ec6482a4d97b2fb1ead038f68c3dbe1ed44950f74067f7c452
This Metasploit module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed Rootpipe. Tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.
6e27a1e1f2bcf759b740ad9887024027c9c87f0045ced259f32d35e3a7522fe1
This Metasploit module exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.
bddccc35d3cda611c86307a7ce0074fc7d74f100f9a6dea0b6e39a478138e054
This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.
81d080e43dc83f3e3ee46722a1679f1f403475e40beef0b849082092202ffa5c