TFTP Fetch, Windows MessageBox x64
Fetch and execute an x64 payload from a TFTP server. Spawn a dialog via MessageBox using a customizable title, text & icon Module Options msf use payload/cmd/windows/tftp/x64/messagebox msf payloadmessagebox show actions ...actions... msf payloadmessagebox set ACTION msf payloadmessagebox show...
TFTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from a TFTP server. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/tftp/x64/vncinject/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp...
TFTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from a TFTP server. Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/shell/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf...
TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)
Fetch and execute an x64 payload from a TFTP server. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/tftp/x64/meterpreter/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf payloadreversehttps show...
TFTP Fetch, Windows x64 LoadLibrary Path
Fetch and execute an x64 payload from a TFTP server. Load an arbitrary x64 library path Module Options msf use payload/cmd/windows/tftp/x64/loadlibrary msf payloadloadlibrary show actions ...actions... msf payloadloadlibrary set ACTION msf payloadloadlibrary show options ...show and set options...
HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell Windows x64 staged. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/shell/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set...
HTTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/custom/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show...
HTTP Fetch, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an HTTP server. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/peinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf...
HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTP server. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/http/x64/vncinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show...
HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell Windows x64 staged. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/shell/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtc...
Mobile Mouse 3.6.0.4 Remote Code Execution Exploit
This Metasploit module uses the protocol of the Mobile Mouse Server by RPA Technologies, Inc. to deploy a payload and run it from the server. The module will only deploy a payload if the server is set without a password (the default). Tested against 3.6.0.4, the current version at the time of module...
Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager
Custom shellcode stage. Connect back to the attacker via a named pipe pivot Module Options msf use payload/windows/x64/custom/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf payloadreversenamedpipe show options ...show and set...
Powershell Exec, Windows x64 Pingback, Reverse TCP Inline
Execute an x64 payload from a command via PowerShell. Connect back to attacker and report UUID Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION msf...
Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)
Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/powershell/x64/vncinject/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf payloadreversehttps...
Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)
Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp sho...
Local Privilege Escalation in polkit's pkexec
A bug exists in the polkit pkexec binary in how it processes arguments. If the binary is provided with no arguments, it will continue to process environment variables as argument variables, but without any security checking. By using the execve call we can specify a null argument list and populat...
NSClient++ 0.5.2.35 Remote Code Execution Exploit
This Metasploit module allows an attacker with knowledge of the admin password of NSClient++ to start a privileged shell. For this module to work, both the web interface of NSClient++ and the ExternalScripts feature should be enabled. This module requires Metasploit: https://metasploit.com/download Curre...
Microsoft Spooler Local Privilege Elevation Vulnerability
This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds...
Oracle WebLogic Server Administration Console Handle RCE
This module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0...
Jenkins 2.56 CLI Deserialization / Code Execution Exploit
An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions 2.56 and below. The readFrom method within the Command class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data...