Exploit Database

The Rapid7 Exploit Database is an archive of Metasploit modules for publicly known exploits, 0days, remote exploits, shellcode, and more for researches and penetration testers to review. 3,000 plus modules are all available with relevant links to other technical documentation and source code. All of the modules included in the Exploit Database are also included in the Metasploit framework and utilized by our penetration testing tool, Metasploit Pro.

Displaying module details 1 - 10 of 3797 in total

Mailcleaner Remote Code Execution Exploit

Disclosed: December 19, 2018

This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root. /admin/managetracing/search/search endpoint takes several user inputs and then pass them to the internal service ...

Linux Nested User Namespace idmap Limit Local Privilege Escalation Exploit

Disclosed: November 15, 2018

This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidm...

WordPress WP GDPR Compliance Plugin Privilege Escalation Exploit

Disclosed: November 08, 2018

The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set wordpress administration options by overwriting values within the database. The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized users to trigger handlers and make configuration changes because of a failure...

Xorg X11 Server SUID privilege escalation Exploit

Disclosed: October 25, 2018

This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root ...

WebExec Authenticated User Code Execution Exploit

Disclosed: October 24, 2018

This module uses a valid username and password of any level (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" module, except allows any non-guest account by default.

php imap_open Remote Code Execution Exploit

Disclosed: October 23, 2018

The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use i...

libssh Authentication Bypass Scanner Exploit

Disclosed: October 16, 2018

This module exploits an authentication bypass in libssh server code where a USERAUTH_SUCCESS message is sent in place of the expected USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 are vulnerable. Note that this module's success depends on whether the server code can...

WebEx Local Service Permissions Exploit Exploit

Disclosed: October 09, 2018

This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations.

blueimp's jQuery (Arbitrary) File Upload Exploit

Disclosed: October 09, 2018

This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions <= 9.22.0. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been expl...

Malicious Git HTTP Server For CVE-2018-17456 Exploit

Disclosed: October 05, 2018

This module exploits CVE-2018-17456, which affects Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower. When a submodule url which starts with a dash e.g "-u./payload" is passed as an argument to git clone, the file "payload" inside the repository is executed. This module ...