Metasploit

1,875 exploits Active since Aug 1990
EIP-2026-103174 EXPLOITDB ruby WORKING POC
Nagios XI Chained - Remote Code Execution (Metasploit)
CVE-2018-15710 EXPLOITDB HIGH ruby WORKING POC
Nagios XI 5.5.6 - Authenticated Privilege Escalation via Autodiscover_new.php
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
CVSS 7.8
CVE-2018-8736 EXPLOITDB HIGH ruby WORKING POC
Nagios XI <5.4.13 - Privilege Escalation
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
CVSS 8.8
CVE-2019-15949 EXPLOITDB HIGH ruby WORKING POC
Nagios XI < 5.6.6 - Authenticated Remote Command Execution via getprofile.sh
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
CVSS 8.8
CVE-2013-1362 EXPLOITDB ruby WORKING POC
Opensuse < 2.13 - Improper Input Validation
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
CVE-2008-0226 EXPLOITDB ruby WORKING POC
Oracle Mysql < 1.7.5 - Memory Corruption
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
CVE-2009-4484 EXPLOITDB ruby WORKING POC
MySQL 5.0.0-5.0.89 - Remote Code Execution via X.509 Certificate Name Field Overflow
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.
CVE-2013-0136 EXPLOITDB ruby WORKING POC
Mutiny < 5.0-1.11 - Authenticated Path Traversal and Arbitrary File Write via EditDocument Servlet
Multiple directory traversal vulnerabilities in the EditDocument servlet in the Frontend in Mutiny before 5.0-1.11 allow remote authenticated users to upload and execute arbitrary programs, read arbitrary files, or cause a denial of service (file deletion or renaming) via (1) the uploadPath parameter in an UPLOAD operation; the paths[] parameter in a (2) DELETE, (3) CUT, or (4) COPY operation; or the newPath parameter in a (5) CUT or (6) COPY operation.
CVE-2012-3001 EXPLOITDB ruby WORKING POC
Mutiny Standard <4.5-1.12 - Command Injection
Mutiny Standard before 4.5-1.12 allows remote attackers to execute arbitrary commands via the network-interface menu, related to a "command injection vulnerability."
CVE-2013-3630 EXPLOITDB ruby WORKING POC
Moodle SpellChecker Path Authenticated Remote Command Execution
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
CVE-2013-1892 EXPLOITDB ruby WORKING POC
MongoDB < 2.0.9 and 2.2.x < 2.2.4 - Authenticated Remote Code Execution via nativeHelper Function
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
CVE-2012-6495 EXPLOITDB ruby WORKING POC
MoinMoin < 1.9.6 - Authenticated Path Traversal and Arbitrary File Write via Twikidraw and Anywikidraw Actions
Multiple directory traversal vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to overwrite arbitrary files via unspecified vectors. NOTE: this can be leveraged with CVE-2012-6081 to execute arbitrary code.
EIP-2026-103167 EXPLOITDB ruby WORKING POC
Mitel Audio and Web Conferencing - Command Injection (Metasploit)
CVE-2013-0230 EXPLOITDB ruby WORKING POC
miniupnpd 1.0 - Remote Code Execution via Long Quoted Method in SOAPAction Handler
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.
CVE-2006-6332 EXPLOITDB ruby WORKING POC
MadWifi - Stack-Based Buffer Overflow in IEEE80211 Wireless Component
Stack-based buffer overflow in net80211/ieee80211_wireless.c in MadWifi before 0.9.2.1 allows remote attackers to execute arbitrary code via unspecified vectors, related to the encode_ie and giwscan_cb functions.
CVE-2000-0917 EXPLOITDB ruby WORKING POC
LPRng 3.6.24 - Remote Code Execution
Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands.
CVE-2011-4862 EXPLOITDB ruby WORKING POC
GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
CVE-2019-10669 EXPLOITDB HIGH ruby WORKING POC
LibreNMS < 1.47 - OS Command Injection via collectd.inc.php
An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru().
CVSS 7.2
CVE-2018-20434 EXPLOITDB CRITICAL ruby WORKING POC
LibreNMS 1.46 - OS Command Injection via $_POST['community'] Parameter
LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.
CVSS 9.8
CVE-2013-2143 EXPLOITDB ruby WORKING POC
Red Hat Satellite and Katello < 1.5.0-14 - Authenticated Privilege Escalation via users/update_roles
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
CVE-2016-9299 EXPLOITDB CRITICAL ruby WORKING POC
Jenkins < 2.32 and LTS < 2.19.3 - Remote Code Execution via LDAP Query Injection
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
CVSS 9.8
EIP-2026-103146 EXPLOITDB ruby WORKING POC
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
EIP-2026-103145 EXPLOITDB ruby WORKING POC
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
CVE-2007-5208 EXPLOITDB ruby WORKING POC
HP Linux Imaging and Printing Project < 2.7.10 - OS Command Injection via Sendmail From Address
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.
EIP-2026-103142 EXPLOITDB ruby WORKING POC
HP VAN SDN Controller - Root Command Injection (Metasploit)