This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP requests (SSRF), and execute OS commands on a connected SMDAgent. It works reliably against a connected SMDAgent running Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as the user under which the SMDAgent service runs, usually daaadm.
d3cd670695bc394e4f3ed861de2d7c717dac789ada16fbb0c7c9e1612d66ab86
This Metasploit module enables the execution of a single command as System by exploiting a remote code execution vulnerability in Cisco's WebEx client software.
ff7ba8eee04116c187733d871f1d2cdcba7bf879d893d5749316164a92cbcb78
This Metasploit module tests for a directory traversal vulnerability in the UpdateAgent function of the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM via dot-dot sequences in an HTTP request.
f9f4a1cffb076eaa8de5b999f9dcbffa5aea4de87901e76b8a98aeaadfed7549
This Metasploit module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the supplied credentials to connect to the target SQL Server instance and execute the native "xp_dirtree" or "xp_fileexist" stored procedure. The stored procedures will then force the service account to authenticate to the system defined in the SMBProxy option. In order for the attack to be successful, the SMB capture or relay module must be running on the system defined as the SMBProxy. The database account used to connect to the database should only require the "PUBLIC" role to execute. Successful execution of this attack usually results in local administrative access to the Windows system. Specifically, this works well for relaying credentials between two SQL Servers using a shared service account to get shells. However, if the relay fails, then the LM hash can be reversed using the Halflm rainbow tables and John the Ripper. Thanks to "Sh2kerr", who wrote the ora_ntlm_stealer, for the inspiration.
81b720701c4c84c8a82d86441f0a1e83afb72be7237f8d733a14565354c12a53
This Metasploit module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the SQL injection from GET_PATH to connect to the target SQL Server instance and execute the native "xp_dirtree" stored procedure. The stored procedure will then force the service account to authenticate to the system defined in the SMBProxy option. In order for the attack to be successful, the SMB capture or relay module must be running on the system defined as the SMBProxy. The database account used to connect to the database should only require the "PUBLIC" role to execute. Successful execution of this attack usually results in local administrative access to the Windows system. Specifically, this works well for relaying credentials between two SQL Servers using a shared service account to get shells. However, if the relay fails, then the LM hash can be reversed using the Halflm rainbow tables and John the Ripper.
07d8028c67f4c74422fce026d3e4f7c8c01787a332652cb8847f7c5bc5571deb
This Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header (XFO) on some error pages, and therefore can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device. This Metasploit module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use aapt dump badging /path/to/app.apk.
328d1360b3bebdb1d86c00098a6491927d2bd65f1172897b674f5d8cc7695731
The Schneider Modicon with Unity series of PLCs uses Modbus function code 90 (0x5a) to perform administrative commands without authentication. This Metasploit module allows a remote user to change the state of the PLC between STOP and RUN, allowing an attacker to end process control by the PLC. This Metasploit module is based on the original modiconstop.rb Basecamp module from DigitalBond.
b1ab2b6cc51066fbc4e2694146c089e9ffe0bd212d9fdf2475b47cf4afabb543
PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS and communicate using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. This module allows a remote user to read out the PLC type, firmware and build number on port TCP/1962, and also to read out the CPU state (Running or Stopped) and start or stop the CPU on port TCP/41100 (confirmed on ILC 15x and 17x series) or on port TCP/20547 (confirmed on ILC 39x series).
121da6ea0c1ed5792460a8fc75979c956e19cb91d2f862453bd1833c0c4711f2
This Metasploit module exploits a vulnerability in the Remote Command Server component of IBM's DB2 Universal Database 8.1. An authenticated attacker can send arbitrary commands to the DB2REMOTECMD named pipe, which could lead to administrator privileges.
478193d2580253a2f66c4e73298df32bcc3e7667b42fee08c31d7762a5f91cfc
SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.
0f0e0a18de2600d553a92c2cbf013099ea676612defd9a621268fe33532cc601
This Metasploit module exploits an unsafe intent URI scheme and directory traversal found in Android Mercury Browser version 3.2.3. The intent allows the attacker to invoke a private wifi manager activity, which starts a web server for Mercury on port 8888. The web server also suffers from a directory traversal that allows remote access to sensitive files. By default, this module will go after webviewCookiesChromium.db, webviewCookiesChromiumPrivate.db, webview.db, and bookmarks.db. If this isn't enough, you can also specify the ADDITIONAL_FILES datastore option to collect more files.
42c6caf8a1093e6428f263ebc0ed216930afb756d1796e8f552f46a3d7e1ee90
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) 10 does not properly implement access control, which allows remote attackers to modify user information. This Metasploit module exploits the vulnerability to configure unauthorized call forwarding.
762f21e6a5fbd5bc2b2530185a86b5249202eda276e8221ef037a769fc47d618
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM), before version 10, doesn't implement access control properly, which allows remote attackers to modify user information. This Metasploit module exploits the vulnerability to make unauthorized speed dial entity manipulations.
a29708e3220657b7459cd2f5c8e3e1289481738bbee9189c1a1060eacd56bd6b
This Metasploit module gathers information from an RMI endpoint running an RMI registry interface. It enumerates the names bound in a registry and looks up each remote reference.
f622e943187d30330e9cc0618caace1cafb414ae300f57c1786d7e281a8a1511
This Metasploit module will extract Domain Controller credentials from vulnerable installations of HP SNAC as distributed with HP ProCurve 4.00 and 3.20. The authentication bypass vulnerability has been used to exploit remote file uploads. This vulnerability can be used to gather important information handled by the vulnerable application, like plain text domain controller credentials. This Metasploit module has been tested successfully with HP SNAC included with ProCurve Manager 4.0.
aed454bc14ce73f32076d32a64079806c8be0da490907a6f04fd8ad00e038838
This Metasploit module will enumerate the process list of a remote machine by abusing HP Operations Manager's unauthenticated perfd daemon.
48743288737e4fbe8b23b6415022b845900894d016893aeebdbd614a86291a45
Dumps SAM hashes and LSA secrets (including cached creds) from the remote Windows target without executing any agent locally. This is done by remotely updating the registry key security descriptor, taking advantage of the WriteDACL privileges held by local administrators to set temporary read permissions. This can be disabled by setting the INLINE option to false, in which case the module will fall back to the original implementation, which consists of saving the registry hives locally on the target (%SYSTEMROOT%\Temp\<random>.tmp), downloading the temporary hive files and reading the data from them. These temporary files are removed when it is done. On domain controllers, secrets from Active Directory are extracted using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need to get SIDs, NTLM hashes, groups, password history, Kerberos keys and other interesting data. Note that the actual NTDS.dit file is not downloaded. Instead, the Directory Replication Service directly asks Active Directory through RPC requests. This Metasploit module takes care of starting or enabling the Remote Registry service if needed. It will restore the service to its original state when it is done. This is a port of the great Impacket secretsdump.py code written by Alberto Solino.
2c2374c930c873d22b4c85b045bb0508b32f1c378ce30ec41a5db088c7033190
This Metasploit module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\\\windows\\\\system32\\\\calc.exe.
c954ae2d29b081470b554c9f8c12ad7049c63dccc594927203b359634db62c4c
This Metasploit module will search remote file shares for unattended installation files that may contain domain credentials. This is often used after discovering domain credentials with the auxiliary/scanner/dcerpc/windows_deployment_services module or in cases where you already have domain credentials. This Metasploit module will connect to the RemInst share and any Microsoft Deployment Toolkit shares indicated by the share name comments.
a8922994530f36b9a0330bad4526173ba5b06c6d7826f747b774c31f20810f33
This Metasploit module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier, as well as ColdFusion 2018 Update 15 and earlier, in order to read an arbitrary file from the server. To run this module you must provide a valid ColdFusion Component (CFC) endpoint via the CFC_ENDPOINT option, and a valid remote method name from that endpoint via the CFC_METHOD option. By default, an endpoint in the ColdFusion Administrator (CFIDE) is provided. If the CFIDE is not accessible, you will need to choose a different CFC endpoint, method and parameters.
de661edb8896e72bade0f7599cfd12c9bedfd968ff8993ef271deae86817594a
This Metasploit module exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the BOFs. Since the server forks, blind remote exploitation is possible, provided the heap does not have ASLR.
95c0e11fc546ab62299c2204c0f7af71c9e0fb6c816a661a92afe279a76f00e3
This Metasploit module exploits a vulnerability in Oracle Application Testing Suite (OATS). In the Load Testing interface, a remote user can abuse the custom report template selector and cause the DownloadServlet class to read any file on the server as SYSTEM. Since the Oracle application contains multiple configuration files that include encrypted credentials, and there are public resources for decryption, it is possible to gain remote code execution by leveraging this directory traversal attack. Please note that authentication is required. By default, OATS has two built-in accounts: default and administrator. You could try to target those first.
6768bb30a4e171d5b23ae9e466794b809255fbc336984aad796d15fe8f495a0b
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
ae43a8160ec3b8d1f33b4bc9d020eb6ea0ce8e6b3ec100f14fa67f439395f1a7
This Metasploit module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
060ed45f18a940bd2cb20db82dafffe7261720b5012750515c313f3b78cd0cde
This Metasploit module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed, the recipient needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes, the auxiliary/server/capture/smb module can be used.
898db9627d5fe0a60eb2c43c9ba3c13690b02c22026bd42660cce6d96a78a01b