This Metasploit module logs in to SNMP devices using common community names.
c3b32da7b3f73a2695ea0071176d4548e0e31cb363a8d8f25ea7e5071d7511bf
This Metasploit module will copy a file to a Cisco IOS device using SNMP and TFTP. The action Override_Config will override the running config of the Cisco device. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system; the use of NAT will cause the TFTP transfer to fail.
7eeeea39495bb0506e8dd6737a909256f8635d57c2d508f012028d9e06b615e2
This Metasploit module will extract WEP keys and WPA preshared keys from Arris DG950A cable modems.
d80318ca2507c71cc45d58033d00078c59228b758e111efc783c4836018dedeb
Cambium devices (ePMP, PMP, Force, and others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This Metasploit module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using the SNMP RO string, even though only the SNMP RW string should be able to access them according to the MIB documentation. The module also triggers a full configuration backup and retrieves the backup URL. The configuration file can then be downloaded without authentication. The module has been tested on Cambium ePMP versions 3.5 and prior.
e423c9814a9582bc78a26bab817bae130b1ae20bb6195afb5cb32be7f3d2bbf4
This Metasploit module will extract WEP keys and WPA preshared keys from certain Ubee cable modems.
b468ec7bc878a4710e4135434c674ab12603c0d49237572791b6910de5a8924c
This Metasploit module extracts WEP keys and WPA preshared keys from certain Netopia cable modems.
4b56eb0f0a739ad79361497f2955ef03bd26935c14ab3002cd743d29cbe2c57f
This Metasploit module uses the A2S_INFO request to obtain information from a Steam server.
89416cc9f5e46168342e202b91b47b3ba9094801247b2522d376fc12181782f1
This Metasploit module uses the getstatus or getinfo request to obtain information from a Quake server.
fd233ad07c22d603334cbcada818c4cd262bc96c7e0eafee383c9bd9e61e7adf
This Metasploit module uses the Kademlia BOOTSTRAP and PING messages to identify and extract information from Kademlia-speaking UDP endpoints, typically belonging to eMule/eDonkey/BitTorrent servers or other P2P applications.
eba8248b7c5e0ccdd26ca05535b352545a47360c55fc0541e56ac36a0e461848
This Metasploit module enumerates databases on CouchDB using the REST API (without authentication by default).
2942d69e8cd376e67d7cb3531714d06e9b22d6dd3d9fe3f3f432e8930a09dad3
This Metasploit module provides a Rex-based DNS service to resolve queries intercepted via the capture mixin. Configure STATIC_ENTRIES to contain the host-name mappings desired for spoofing, using a hosts file or space/semicolon-separated entries. In the default configuration, the service operates as a normal native DNS server, with the exception of consuming from and writing to the wire as opposed to a listening socket. Best when compromising routers or spoofing L2 in order to prevent return of the real reply, which otherwise causes a race condition. The method by which replies are filtered is up to the user (though iptables works fine).
71e4d2818ec569938e36585e1b0d07898002ea3f2dff530fe215ae9b8a7dabc6
This Metasploit module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet's broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker's choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm, it is a highly effective means of collecting crackable hashes on common networks. This Metasploit module must be run as root and will bind to udp/137 on all interfaces.
ff6e3182c34b77e4130a88264f526ca39f573748ca673f54fe46407ea6bf712a
This Metasploit module acts as a simple remote control for the Amazon Fire TV's YouTube app. Tested on the Amazon Fire TV Stick.
69fb41ab585fc6b28e37188b07a1a70fbaf2484bcbddc9b47819529c298b422e
This Metasploit module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look for the user-supplied filename with kernel32!FindFirstFileW(). If the file is found, the process will then go ahead and execute it with CreateProcess() under a new thread. If the filename isn't found, FindFirstFileW() will throw an error (0x03), and the process bails early without triggering CreateProcess(). Because of this behavior, if you try to supply an argument, FindFirstFileW() will treat it as part of the filename and then bail. Please note that when you specify the CMD option, the base path begins under C:\.
d60f9ecfdd7e75b911a02d2e3e9f7e6e28eb00b4db11022e93bc1c7e16bb9722
This Metasploit module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer overflow in the Connection HTTP header handling of the web server. Exploiting this vulnerability gives full access to the REST API, allowing arbitrary account creation.
307468ecf285c6317f2e172728ad61a604fe9d31aa424fe525723ac69384bc9e
This Metasploit module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the AccountService RpcServiceServlet from the SOM component, in order to create a SOM account with Account Management permissions. This Metasploit module has been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.
f80f182bd3efcc931cc161e517ad609080f18fbbea524563033651e7394cda0f
This Metasploit module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in MTF format, which can be extracted by the NTKBUp program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash.
226940d66a9c4cacaf0a73b81c75fdaea375765b84cbee186b391bbf5c6295da
This Metasploit module exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes.
2138587ae325bae6523fe264b536da7ed9c42e45e7490c135d46a8a92061e574
This Metasploit module will dump the configuration of several SerComm devices. These devices typically include routers from NetGear and Linksys. This Metasploit module was tested successfully against the NetGear DG834 series ADSL modem router.
25a4eddb35b4a76fb51f6bd4a6423eea5144ca5cf055ff014cfd5dbb69591022
This Metasploit module continuously spams NetBIOS responses to a target for a given hostname, causing the target to cache a malicious address for this name. On high-speed local networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100% successful when spoofing a response for a WPAD lookup. Distant targets may require more time and lower rates for a successful attack.
4c46a17b6b28a0831bd545f008514748b910a2c34d2ae38a4055e1330ff321bc
This Metasploit module will access Novell eDirectory's eMBox service and can run the following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES, STOP_SERVICE, START_SERVICE, SET_LOGFILE.
6f3159d4e22911966229228c779f6b480d4899bc7ad4b88645ca6777cfbc71f7
This Metasploit module is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, then specify the predicted cookie value to hijack their session.
28766d01f38ae419f2e9cd76f297d8ac56df2a94fb287f8aae22c02263aa6efa
This Metasploit module exploits a flaw in the TYPO3 encryption key creation process to allow for file disclosure in the jumpUrl mechanism. This flaw can be used to read any file that the web server user account has access to view.
46f4945dc23426c604a5c5f50f175eb456147c30dcc824a0e732f945e0b7b55f
This Metasploit module exploits the EditDocument servlet from the frontend on the Mutiny 5 appliance. The EditDocument servlet provides file operations, such as copy and delete, which are affected by a directory traversal vulnerability. Because of this, any authenticated frontend user can read and delete arbitrary files from the system with root privileges. In order to exploit the vulnerability, a valid user (any role) in the web frontend is required. The module has been tested successfully on the Mutiny 5.0-1.07 appliance.
d3b96cef983073a378f5d44a96a275b1a30b7aaa70f28edd1fb2d4b093beab71
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file on the system. This Metasploit module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
7b6ab6ffa9844979171a203a6fb43f5906cc96114b0f4b811979aee8938f1df6