Metasploit

1,875 exploits Active since Aug 1990
EIP-2026-114782 EXPLOITDB ruby WORKING POC
D-Link Devices - UPnP SOAP TelnetD Command Execution (Metasploit)
CVE-2019-1935 EXPLOITDB CRITICAL ruby WORKING POC
Cisco IMC Supervisor, UCS Director, and UCS Director Express for Big Data - Use of Hard-coded Credentials
A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. This includes full read and write access to the system's database.
CVSS 9.8
CVE-2014-3828 EXPLOITDB ruby WORKING POC
Centreon 2.5.1 and Centreon Enterprise Server 2.2 - SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.
EIP-2026-114781 EXPLOITDB ruby WORKING POC
Cambium ePMP1000 - 'ping' Shell via Command Injection (Metasploit)
CVE-2006-0848 EXPLOITDB ruby WORKING POC
macOS X - Remote Code Execution via Safari Safe Files Download Feature
The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension.
CVE-2014-5470 EXPLOITDB CRITICAL ruby WORKING POC
Actual Analyzer <2014-08-29 - Code Injection
Actual Analyzer through 2014-08-29 allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation.
CVSS 9.8
EIP-2026-114778 EXPLOITDB ruby WORKING POC
Accellion File Transfer Appliance MPIPE2 - Command Execution (Metasploit)
CVE-2012-5975 EXPLOITDB ruby WORKING POC
SSH Tectia Server 6.0.4-6.3.2 - Authentication Bypass via Blank Password
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.
CVE-2018-14665 EXPLOITDB MEDIUM ruby WORKING POC
xorg-x11-server <1.20.3 - Privilege Escalation
A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.
CVSS 6.6
EIP-2026-114766 EXPLOITDB ruby WORKING POC
Emacs - movemail Privilege Escalation (Metasploit)
CVE-2004-0397 EXPLOITDB ruby WORKING POC
Subversion <= 1.0.2 - Remote Code Execution via DAV2 REPORT Query or get-dated-rev Command
Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command.
CVE-2001-0803 EXPLOITDB ruby WORKING POC
CDE Common Desktop Environment - Remote Code Execution via Buffer Overflow in dtspcd Client Connection Routine
Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.
CVE-2003-0201 EXPLOITDB ruby WORKING POC
Samba < 2.2.8a and 2.0.10 - Remote Code Execution via call_trans2open Buffer Overflow
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
CVE-2007-0882 EXPLOITDB ruby WORKING POC
Solaris 10 and 11 - Unauthenticated Argument Injection in telnetd via -f Sequence
Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.
CVE-2008-4556 EXPLOITDB ruby WORKING POC
Sun Solaris 8 and 9 - Stack-Based Buffer Overflow in adm_build_path Function
Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.
CVE-2001-0797 EXPLOITDB ruby WORKING POC
SGI IRIX - Buffer Overflow in Login via Telnet/Rlogin Arguments
Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
CVE-2001-1583 EXPLOITDB ruby WORKING POC
Solaris 8 - Remote Code Execution
lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers to execute arbitrary commands via a job request with a crafted control file that is not properly handled when lpd invokes a mail program. NOTE: this might be the same vulnerability as CVE-2000-1220.
CVE-1999-0209 EXPLOITDB ruby WORKING POC
SunOS - Unauthenticated Arbitrary File Read via SunView Selection Service
The SunView (SunTools) selection_svc facility allows remote users to read files.
CVE-2007-2446 EXPLOITDB ruby WORKING POC
Samba 3.0.0-3.0.25rc3 - Buffer Overflow
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).
CVE-2017-3630 EXPLOITDB MEDIUM ruby WORKING POC
Solaris RSH Stack Clash Privilege Escalation
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
CVSS 5.3
CVE-2006-4842 EXPLOITDB ruby WORKING POC
Netscape Portable Runtime (NSPR) API <4.6.3 - Local File Creation
The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.
CVE-2017-3622 EXPLOITDB HIGH ruby WORKING POC
Oracle Sun Systems Products Suite <10 - RCE
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Common Desktop Environment (CDE)). The supported version that is affected is 10. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. Note: CVE-2017-3622 is assigned for the "Extremeparr". CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
CVSS 7.8
CVE-2016-2098 EXPLOITDB HIGH ruby WORKING POC
Debian Linux < 3.2.22.1 - Improper Input Validation
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
CVSS 7.3
EIP-2026-114692 EXPLOITDB ruby WORKING POC
Ruby on Rails - Development Web Console (v2) Code Execution (Metasploit)
EIP-2026-114691 EXPLOITDB ruby WORKING POC
Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)