SMB Fetch

Fetch and execute an x64 payload from an SMB server. Module Options msf use payload/cmd/windows/smb/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run Th...

Xorcom CompletePBX Arbitrary File Read and Deletion via systemDataFileName

This module exploits an authenticated path traversal vulnerability in Xorcom CompletePBX use auxiliary/scanner/http/xorcomcompletepbxdiagnosticsfileread msf auxiliaryxorcomcompletepbxdiagnosticsfileread show actions ...actions... msf auxiliaryxorcomcompletepbxdiagnosticsfileread set ACTION msf...

ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload

This module exploits a path traversal vulnerability CVE-2023-2917 in ThinManager use auxiliary/admin/networking/thinmanagertraversalupload2 msf auxiliarythinmanagertraversalupload2 show actions ...actions... msf auxiliarythinmanagertraversalupload2 set ACTION msf...

Windows Gather WinSCP Saved Password Extraction

This module extracts weakly encrypted saved passwords from WinSCP. It searches for saved sessions in the Windows Registry and the WinSCP.ini file. It cannot decrypt passwords if a master password is used. This module requires Metasploit: https://metasploit.com/download Current source:...

TFTP Fetch

Fetch and execute an MIPSLE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/mipsle/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...

Fortinet FortiWeb create new local admin

This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user account. This vulnerability affects the following versions: FortiWeb 8.0.0 through 8.0.1 Patched in 8.0.2 and above...

Progress Software WS_FTP Unauthenticated Remote Code Execution

This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WSFTP server running the Ad Hoc Transfer module. All versions of WSFTP Server prior to 2020.0.4 version 8.7.4 and 2022.0.2 version 8.8.2 are vulnerable to this...

OS Command Exec, Unix Command Shell, Bind TCP (via perl) IPv6

Execute an OS command from PHP. Listen for a connection and spawn a command shell via perl Module Options msf use payload/php/unix/cmd/bindperlipv6 msf payloadbindperlipv6 show actions ...actions... msf payloadbindperlipv6 set ACTION msf payloadbindperlipv6 show options ...show and set options...

HTTP Fetch, Reverse TCP Stager

Fetch and execute an MIPSBE payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/http/mipsbe/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...

OS Command Exec, Unix Command Shell, Reverse TCP (via Zsh)

Execute an OS command from PHP. Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default. Module Options msf use payload/php/unix/cmd/reversezsh msf payloadreversezsh show actions ...actions... msf...

Windows Pulse Secure Connect Client Saved Password Extractor

This module extracts and decrypts saved Pulse Secure Connect Client passwords from the Windows Registry. This module can only access credentials created by the user that the Meterpreter session is running as. Note that this module cannot link the password to a username unless the Meterpreter...

Windows Persistent Startup Folder

This module establishes persistence by creating a payload in the user or system startup folder. Works on Vista and newer systems. Module Options msf use exploit/windows/persistence/startupfolder msf exploitstartupfolder show targets ...targets... msf exploitstartupfolder set TARGET msf...

DHCP Client Command Injection (DynoRoot)

This module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP...

WordPress Simple Backup File Read Vulnerability

This module exploits a directory traversal vulnerability in WordPress Plugin "Simple Backup" version 2.7.10, allowing to read arbitrary files with the web server privileges. This module requires Metasploit: https://metasploit.com/download Current source:...

TFTP Fetch

Fetch and execute an x64 payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This...

OS Command Exec, Unix Command Shell, Reverse TCP (via Python)

Execute an OS command from PHP. Connect back and create a command shell via Python Module Options msf use payload/php/unix/cmd/reversepython msf payloadreversepython show actions ...actions... msf payloadreversepython set ACTION msf payloadreversepython show options ...show and set options... msf...

ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download

This module exploits a path traversal vulnerability CVE-2023-27856 in ThinManager use auxiliary/gather/thinmanagertraversaldownload msf auxiliarythinmanagertraversaldownload show actions ...actions... msf auxiliarythinmanagertraversaldownload set ACTION msf auxiliarythinmanagertraversaldownload...

Apache NiFi API Remote Code Execution

This module uses the NiFi API to create an ExecuteProcess processor that will execute OS commands. The API must be unsecured or credentials provided and the ExecuteProcess processor must be available. An ExecuteProcessor processor is created then is configured with the payload and started. The...

WMI Event Subscription Logon Timer Persistence

This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time. Additionally a custom command can be specified to run...

Linear eMerge E3-Series Access Controller Command Injection

This module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in cardscandecoder.php via the No and door HTTP GET parameter. Successful exploitation resul...

Apache Optionsbleed Scanner

This module scans for the Apache optionsbleed vulnerability where the Allow response header returned from an OPTIONS request may bleed memory if the server has a .htaccess file with an invalid Limit method defined. This module requires Metasploit: https://metasploit.com/download Current source:...

Spring Framework Class property RCE (Spring4Shell)

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an objec...

HTTP Fetch

Fetch and execute an MIPSLE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/mipsle/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and...

Periodic Script Persistence

This module will achieve persistence by writing a script to the /etc/periodic directory. According to The Art of Mac Malware no such malware species persist in this manner 2024. This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux. Module Options msf use...

HTTPS Fetch, Linux Command Shell, Reverse TCP Stager

Fetch and execute an MIPSLE payload from an HTTPS server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/https/mipsle/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...

Eramba (up to 3.19.1) Authenticated Remote Code Execution Module

This module exploits a remote code execution vulnerability in Eramba. An authenticated user can execute arbitrary commands on the server by exploiting the path parameter in the download-test-pdf endpoint. Eramba debug mode has to be enabled. Module Options msf use exploit/linux/http/erambarce msf...

Copy Fail AF_ALG + authencesn Page-Cache Write

CVE-2026-31431 is a logic flaw in the Linux kernel's authencesn AEAD template that, when reached via the AFALG socket interface combined with splice, allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file. Because the corrupted pages are...

WMI Event Subscription Interval Persistence

This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that triggers the payload after the specified CALLBACKINTERVAL. If the persistence is not installed, it will keep triggering payloads to spawn. Additionally a custom command can be...

HTTPS Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an MIPSBE payload from an HTTPS server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/https/mipsbe/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...

Advanced Browser Data Extraction for Chromium and Gecko Browsers

This post-exploitation module extracts sensitive browser data from both Chromium-based and Gecko-based browsers on the target system. It supports the decryption of passwords and cookies using Windows Data Protection API DPAPI and can extract additional data such as browsing history, keyword searc...

MyBB Admin Control Code Injection RCE

This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. MyBB Admin Control setting page calls PHP eval function with an unsanitized user input. The exploit adds a new setting,...

TFTP Fetch, Linux Command Shell, Find Port Inline

Fetch and execute an PPC payload from an TFTP server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/tftp/ppc/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options ...show an...

HTTPS Fetch, Linux Command Shell, Find Port Inline

Fetch and execute an MIPSLE payload from an HTTPS server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/https/ppc/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options ...sh...

MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever

MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password field mms.saml.ssl.PEMKeyFilePassword within app settings. Archives do not include the PEM files themselves. This module extracts that unredacted password and stores the diagnostic archive for additional manual...

Windows Service for User (S4U) Scheduled Task Persistence - Logon Trigger

Creates a scheduled task that will run using service-for-user S4U. This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires 'Logon as a batch job'...

Cacti Graph Template authenticated RCE versions prior to 1.2.29

This module exploits an authenticated remote code execution vulnerability in Cacti versions prior to 1.2.29. Authenticated users can upload a graph template through the /graphtemplates.php endpoint. The rightaxislabel parameter is vulnerable to code injection, allowing attackers to execute...

Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation

Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.6.3 and prior do not properly validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM. This module has been tested...

OS Command Exec, Unix Command Shell, Double Reverse TCP SSL (openssl)

Execute an OS command from PHP. Creates an interactive shell through two inbound connections Module Options msf use payload/php/unix/cmd/reverseopenssl msf payloadreverseopenssl show actions ...actions... msf payloadreverseopenssl set ACTION msf payloadreverseopenssl show options ...show and set...

Powershell Exec, Windows Meterpreter Shell, Reverse TCP Inline

Execute an x86 payload from a command via PowerShell. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/powershell/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf...

LDAP Update Object

This module allows creating, reading, updating and deleting attributes of LDAP objects. Users can specify the object and must specify a corresponding attribute. Module Options msf use auxiliary/admin/ldap/ldapobjectattribute msf auxiliaryldapobjectattribute show actions ...actions... msf...

TFTP Fetch, Linux Command Shell, Reverse TCP Stager

Fetch and execute an MIPSLE payload from a TFTP server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/mipsle/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...

CmsMadeSimple Authenticated File Manager RCE

CMS Made Simple use exploit/multi/http/cmsmsfilemanagerauthrce msf exploitcmsmsfilemanagerauthrce show targets ...targets... msf exploitcmsmsfilemanagerauthrce set TARGET msf exploitcmsmsfilemanagerauthrce show options ...show and set options... msf exploitcmsmsfilemanagerauthrce exploit This...

HTTPS Fetch, Linux Command Shell, Reverse TCP Inline

Fetch and execute an MIPSLE payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/mipsle/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...

Piwigo CVE-2023-26876 Gather Credentials via SQL Injection

This module allows an authenticated user to retrieve the usernames and encrypted passwords of other users in Piwigo through SQL injection using the filteruserid parameter. Module Options msf use auxiliary/gather/piwigocve202326876 msf auxiliarypiwigocve202326876 show actions ...actions... msf...

Gather Wowza Streaming Engine Credentials

This module collects Wowza Streaming Engine user credentials. Module Options msf use post/multi/gather/wowzastreamingenginecreds msf postwowzastreamingenginecreds show actions ...actions... msf postwowzastreamingenginecreds set ACTION msf postwowzastreamingenginecreds show options ...show and set...

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

An app may be able to execute arbitrary code with kernel privileges Module Options msf use exploit/osx/local/macdirtycow msf exploitmacdirtycow show targets ...targets... msf exploitmacdirtycow set TARGET msf exploitmacdirtycow show options ...show and set options... msf exploitmacdirtycow exploi...

HTTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline

Fetch and execute an ARMBE payload from an HTTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/http/armbe/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...

Acronis Cyber Protect/Backup machine info disclosure

Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all, compute, storage and application resources. Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment. This module exploits an authentication bypass vulnerability at...

HTTPS Fetch

Fetch and execute an MIPSLE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/mipsle/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and s...

VMware vCenter vScalation Priv Esc

This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the cis group to write to the file, which will execute as root on vmware-vmon service restart or host reboot. This module was...