• Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE
    Disclosure Date: 2021-04-13
    First seen: 2021-05-01
    exploit/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation
    This module exploits an issue in the V8 engine on x86-64 builds of Google Chrome before 89.0.4389.128/90.0.4430.72 when handling XOR operations in JIT-compiled JavaScript code. Successful exploitation allows an attacker to execute arbitrary code within the renderer process that hosts V8. As the renderer process is sandboxed in the default configuration of Google Chrome, the browser must be run with the --no-sandbox option for the payload to work correctly. Authors: - Bruno Keith (bkth_) - Niklas Baumstark (_niklasb) - Rajvardhan Agarwal (r4j0x00) - Grant Willcox (tekwizz123)
  • Google Chrome versions before 87.0.4280.88 integer overflow during SimplifiedLowering phase
    Disclosure Date: 2020-11-19
    First seen: 2021-04-08
    exploit/multi/browser/chrome_simplifiedlowering_overflow
    This module exploits an issue in Google Chrome versions before 87.0.4280.88 (64-bit). The exploit makes use of an integer overflow in the SimplifiedLowering phase of TurboFan, combined with a type-hardening bypass using ArrayPrototypeShift, to create a JSArray with a length of -1. This is abused to gain arbitrary read/write within the isolate region; an ArrayBuffer is then used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly to allocate a region of RWX memory, which is overwritten with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly. Authors: - Rajvardhan Agarwal (r4j)
  • Google Chrome 80 JSCreate side-effect type confusion exploit
    Disclosure Date: 2020-02-19
    First seen: 2020-04-26
    exploit/multi/browser/chrome_jscreate_sideeffect
    This module exploits an issue in Google Chrome 80.0.3987.87 (64-bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out-of-bounds reads and writes on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) that is used for reading from and writing to absolute memory. The exploit then uses WebAssembly to allocate a region of RWX memory, which is overwritten with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
  • Android Binder Use-After-Free Exploit
    Disclosure Date: 2019-09-26
    First seen: 2020-04-26
    exploit/android/local/binder_uaf
    This module exploits CVE-2019-2215, which is a use-after-free in Binder in the Android kernel. The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If chained with a browser renderer exploit, this bug could fully compromise a device through a malicious website. The freed memory is replaced with an iovec structure in order to leak a pointer to the task_struct. Finally the bug is triggered again in order to overwrite the addr_limit, making all memory (including kernel memory) accessible as part of the user-space memory range in our process and allowing arbitrary reading and writing of kernel memory. Authors: - Jann Horn - Maddie Stone - grant-h - timwr
  • Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86
    Disclosure Date: 2019-03-21
    First seen: 2020-04-26
    exploit/windows/browser/chrome_filereader_uaf
    This exploit takes advantage of a use-after-free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can then be used to access the sprayed objects, allowing arbitrary memory access from JavaScript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.
  • Google Chrome 72 and 73 Array.map exploit
    Disclosure Date: 2019-03-07
    First seen: 2020-04-26
    exploit/multi/browser/chrome_array_map
    This module exploits an issue in Chrome 73.0.3683.86 (64-bit). The exploit corrupts the length of a float array in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly to allocate a region of RWX memory, which is overwritten with the payload. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
  • Docker Container Escape Via runC Overwrite
    Disclosure Date: 2019-01-01
    First seen: 2021-06-30
    exploit/linux/local/docker_runc_escape
    This module leverages a flaw in `runc` to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the `runc` binary with the payload and waits for someone to use `docker exec` to get into the container, which triggers the payload. Note that running this exploit carries significant risk to the integrity of the Docker installation on the target, both on the host and inside the container (see the 'Side Effects' section of the module documentation).
  • Google Chrome 67, 68 and 69 Object.create exploit
    Disclosure Date: 2018-09-25
    First seen: 2020-04-26
    exploit/multi/browser/chrome_object_create
    This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the RWX region of the sandboxed renderer process. This module can target the renderer process alone (target 0), in which case Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This only works on vulnerable versions of Windows (e.g. Windows 7), and the exploit can only be triggered once. Additionally, the exploit can cause the target machine to restart when the session is terminated, and a BSOD is likely to occur when the system is shut down or rebooted. Authors: - saelo - timwr - sf <stephen_fewer@harmonysecurity.com>
  • Android Janus APK Signature bypass
    Disclosure Date: 2017-07-31
    First seen: 2020-04-26
    exploit/android/local/janus
    This module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5 December 2017 security patch, and is additionally prevented by APK Signature Scheme v2, so only APKs signed with the v1 scheme are vulnerable. The payload handler is disabled, so a multi/handler must be started first. Authors: - GuardSquare - V-E-O - timwr - h00die
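    The file shape Janus relies on, as an added example (not Metasploit's, GuardSquare's or Android's code): a DEX file with a complete ZIP appended, which the Dalvik loader reads from the front and a ZIP reader locates from the back, while a v1 (JAR) signature covers only the ZIP entries. The sample "APK" and DEX header below are constructed for the demonstration; the check derives the amount of prepended data from the ZIP end-of-central-directory record, which is why APK Signature Scheme v2 (signing the whole file rather than the entries) closes the gap. For a real APK the project's own `apksigner verify` is the authoritative check.

```python
"""Janus (CVE-2017-13156) file-shape check: DEX in front, ZIP at the back."""
import io
import struct
import zipfile
from typing import Dict, List, Optional

DEX_MAGIC_PREFIX = b"dex\n"   # full magic is "dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
EOCD_SIG = b"PK\x05\x06"      # ZIP end-of-central-directory signature
EOCD_LEN = 22                 # fixed part of the EOCD record


def build_apk(entries: Dict[str, bytes]) -> bytes:
    """Construct a minimal unsigned 'APK' (a plain ZIP) for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_janus(dex_bytes: bytes, apk: bytes) -> bytes:
    """Prepend DEX bytes to a ZIP: the file shape the attack relies on."""
    return dex_bytes + apk


def zip_prepended_bytes(blob: bytes) -> Optional[int]:
    """How many bytes precede the ZIP's real start, derived from the EOCD record.

    The central-directory offset stored in the EOCD is relative to the archive start;
    if the directory is actually found later in the file, the difference is data that
    was prepended. Returns None when no EOCD record exists (not a ZIP at all).
    """
    idx = blob.rfind(EOCD_SIG)
    if idx < 0 or len(blob) < idx + EOCD_LEN:
        return None
    # sig, disk no, cd disk, entries on disk, entries total, cd size, cd offset, comment len
    (_, _, _, _, _, cd_size, cd_offset, _) = struct.unpack("<4sHHHHIIH", blob[idx:idx + EOCD_LEN])
    actual_cd_start = idx - cd_size
    return actual_cd_start - cd_offset


def is_janus_shaped(blob: bytes) -> bool:
    """True when the bytes start like a DEX file and also carry a ZIP whose offsets show
    that something was prepended, i.e. both parsers would accept the same file."""
    if not blob.startswith(DEX_MAGIC_PREFIX):
        return False
    prepended = zip_prepended_bytes(blob)
    return prepended is not None and prepended > 0


def zip_entry_names(blob: bytes) -> List[str]:
    """Entry names as seen by a ZIP reader that tolerates leading data (Python's does),
    which is exactly what the attack counts on."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    apk = build_apk({"classes.dex": b"\x00" * 16, "AndroidManifest.xml": b"<manifest/>"})
    janus = build_janus(b"dex\n035\x00" + b"\x00" * 24, apk)  # constructed 32-byte DEX stub
    print("clean apk  prepended bytes:", zip_prepended_bytes(apk), "janus:", is_janus_shaped(apk))
    print("janus file prepended bytes:", zip_prepended_bytes(janus), "janus:", is_janus_shaped(janus))
    print("ZIP reader still lists:", zip_entry_names(janus))
```

    The prepended-bytes value is the same quantity a v2 verifier effectively protects: because the v2 signing block and the signature cover everything from byte 0, any DEX stub in front invalidates the signature instead of riding along with it.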
  • Android Stagefright MP4 tx3g Integer Overflow
    Disclosure Date: 2015-08-13
    First seen: 2020-04-26
    exploit/android/browser/stagefright_mp4_tx3g_64bit
    This module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode. Authors: - jduck <jduck@metasploit.com> - NorthBit
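    The two-atom size overflow described above, modelled in Python as an added example (not Metasploit's, jduck's or Stagefright's code). It assumes 32-bit size arithmetic, as on a 32-bit build; the exact integer width and the check that the 64-bit variant targeted by this module bypasses are not on the page and are not modelled. The atom layout and sizes are constructed for the demonstration: a small honest tx3g atom is followed by one whose header claims about 4 GiB, so that the summed size wraps to a few dozen bytes while the data the source actually delivers is larger.

```python
"""Model of the tx3g accumulate-and-copy arithmetic: wrapped sum, then an oversized copy."""
import struct
from typing import List, NamedTuple, Optional

ATOM_HDR = 8                 # 4-byte big-endian size + 4-byte type
MASK32 = 0xFFFFFFFF          # assumption: size_t is 32 bits (32-bit build)


class Tx3gStep(NamedTuple):
    alloc_size: int          # what 'new uint8_t[size + chunk_size]' asks for after the wrap
    bytes_landed: int        # earlier data plus whatever the read actually returned
    heap_overflow: bool      # landed more than allocated


def atom(atype: bytes, payload: bytes, claimed_size: Optional[int] = None) -> bytes:
    """Build an MP4 atom. claimed_size lets the header lie about the payload length,
    which is what the crafted file does."""
    size = ATOM_HDR + len(payload) if claimed_size is None else claimed_size
    return struct.pack(">I4s", size, atype) + payload


def walk_tx3g(blob: bytes, hardened: bool) -> List[Tx3gStep]:
    """Walk top-level atoms; for each tx3g, mimic: keep earlier text-format data,
    allocate size + chunk_size, copy the old data, then read chunk_size bytes from the
    source into the rest. Unhardened: the 32-bit sum wraps. Hardened: reject first."""
    steps: List[Tx3gStep] = []
    accumulated = 0                                  # text-format data kept so far
    off = 0
    while off + ATOM_HDR <= len(blob):
        atom_size, atype = struct.unpack(">I4s", blob[off:off + ATOM_HDR])
        if atom_size < ATOM_HDR:
            break                                    # malformed header
        chunk_size = atom_size - ATOM_HDR            # payload length the header claims
        available = len(blob) - off - ATOM_HDR       # payload bytes the source can deliver
        if atype == b"tx3g":
            if hardened and accumulated + chunk_size > MASK32:   # chunk_size > SIZE_MAX - size
                raise ValueError("tx3g size overflow rejected")
            alloc = (accumulated + chunk_size) & MASK32           # wraps when unchecked
            landed = accumulated + min(chunk_size, available)     # a short read still writes what it got
            steps.append(Tx3gStep(alloc, landed, landed > alloc))
            accumulated = alloc                      # the new buffer becomes the kept data
        if atom_size > len(blob) - off:
            break                                    # header claimed more than the file holds
        off += atom_size
    return steps


def crafted_sample() -> bytes:
    """Constructed input: 64 honest bytes, then a header claiming ~4 GiB over 200 real bytes."""
    first = atom(b"tx3g", b"A" * 64)
    second = atom(b"tx3g", b"B" * 200, claimed_size=0xFFFFFFF0)
    return first + second


if __name__ == "__main__":
    for step in walk_tx3g(crafted_sample(), hardened=False):
        print(step)
    try:
        walk_tx3g(crafted_sample(), hardened=True)
    except ValueError as e:
        print("hardened parser:", e)
```

    With the sample, the second tx3g atom computes 64 + 0xFFFFFFE8, which wraps to a 40-byte allocation, and then 264 bytes land in it; the hardened walk refuses the atom before allocating, which is the shape of the upstream fix (check the sum against SIZE_MAX before the allocation, not after).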
  • Adobe Flash Player Drawing Fill Shader Memory Corruption
    Disclosure Date: 2015-05-12
    First seen: 2020-04-26
    exploit/multi/browser/adobe_flash_shader_drawing_fill
    This module exploits a memory corruption that occurs when applying a Shader as a drawing fill, as exploited in the wild in June 2015. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188; Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188; Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188; and Linux Mint "Rebecca" (32-bit), Firefox 33.0 and Adobe Flash 11.2.202.460. Authors: - Chris Evans - Unknown - juan vazquez <juan.vazquez@metasploit.com>
  • SSL/TLS Version Detection
    Disclosure Date: 2014-10-14
    First seen: 2022-12-23
    auxiliary/scanner/ssl/ssl_version
    Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST. Authors: - todb <todb@metasploit.com> - et <et@metasploit.com> - Chris John Riley - Veit Hailperin <hailperv@gmail.com> - h00die
  • Android Browser and WebView addJavascriptInterface Code Execution
    Disclosure Date: 2012-12-21
    First seen: 2020-04-26
    exploit/android/browser/webview_addjavascriptinterface
    This module exploits a privilege escalation issue in the WebView component of Android versions before 4.2 that arises when untrusted JavaScript code is executed by a WebView that has one or more interfaces added to it. The untrusted JavaScript code can call into the Java Reflection APIs exposed by the interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications; ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the HTML/JS served by this module and get a shell. Note: adding .js to the URL will return plain JavaScript (no HTML markup). Authors: - jduck <jduck@metasploit.com> - joev <joev@metasploit.com>
  • Android Stock Browser Iframe DOS
    Disclosure Date: 2012-12-01
    First seen: 2020-04-26
    auxiliary/dos/android/android_stock_browser_iframe
    This module exploits a vulnerability in the native browser that comes with Android 4.0.3. If successful, the browser will crash after viewing the webpage. Authors: - Jean Pascal Pereira - Jonathan Waggoner
  • Setuid Tunnelblick Privilege Escalation
    Disclosure Date: 2012-08-11
    First seen: 2020-04-26
    exploit/osx/local/setuid_tunnelblick
    This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where an insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 over Mac OS X 10.7.5. Authors: - Jason A. Donenfeld - juan vazquez <juan.vazquez@metasploit.com>
  • Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
    Disclosure Date: 2011-04-11
    First seen: 2020-04-26
    exploit/windows/browser/adobe_flashplayer_flash10o
    This module exploits a vulnerability in Adobe Flash Player that was discovered being actively exploited in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory and results in arbitrary code execution. Please note that for IE 8 targets, the Java Runtime Environment must be available on the victim machine for the exploit to work properly. Authors: - sinn3r <sinn3r@metasploit.com>
  • Google Appliance ProxyStyleSheet Command Execution
    Disclosure Date: 2005-08-16
    First seen: 2020-04-26
    exploit/unix/webapp/google_proxystylesheet_exec
    This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work. Authors: - hdm <x@hdm.io>
  • Android Open Source Platform (AOSP) Browser UXSS
    First seen: 2020-04-26
    auxiliary/gather/android_stock_browser_uxss
    This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option, which will cause a popup window to be used. This requires a click from the user and is much less stealthy, but is generally harmless-looking. By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this module also allows running arbitrary javascript in the context of the targeted URL. Some sample UXSS scripts are provided in data/exploits/uxss. Authors: - Rafay Baloch - joev <joev@metasploit.com>
22 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details