6848 matches found
HTTPS Fetch
Fetch and execute an MIPSLE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/mipsle/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and s...
VMware vCenter vScalation Priv Esc
This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the cis group to write to the file, which will execute as root on vmware-vmon service restart or host reboot. This module was...
WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)
Exploits two distinct authorization bypasses in SureTriggers/OttoKit plugin: - CVE-2025-3102: admin creation via St-Authorization Bearer empty - CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header Module Options msf use...
HTTP Fetch
Fetch and execute an ARMBE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/armbe/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and s...
Remote Control Collection RCE
This module utilizes the Remote Control Server's, part of the Remote Control Collection by Steppschuh, protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password default. Tested against 3.1.1.12, current at the time of...
Selenium Grid/Selenoid Unauthenticated RCE
Selenium Grid and Selenoid expose a WebDriver API that allows creating browser sessions with arbitrary capabilities. When deployed without authentication the default for both, an attacker can achieve remote code execution through two browser-specific techniques: For Chrome, the goog:chromeOptions...
IGEL OS Privilege Escalation (via systemd service)
Escalate privileges for IGEL OS Workspace Edition sessions, by modifying network-manager.service using setupcmd SUID and network, then restarting the service. Module Options msf use exploit/linux/local/igelnetworkprivesc msf exploitigelnetworkprivesc show targets ...targets... msf...
OS Command Exec, Unix Command Shell, Reverse UDP (/dev/udp)
Execute an OS command from PHP. Creates an interactive shell via bash's builtin /dev/udp. This will not work on circa 2009 and older Debian-based Linux distributions including Ubuntu because they compile bash without the /dev/udp feature. Module Options msf use payload/php/unix/cmd/reversebashudp...
HTTPS Fetch, Linux Reboot
Fetch and execute an MIPSBE payload from an HTTPS server. A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures. Requires CAPSYSBOOT privileges. Module Options msf use...
HTTP Fetch, Linux Add User
Fetch and execute an ARMLE payload from an HTTP server. Create a new user with UID 0 Module Options msf use payload/cmd/linux/http/armle/adduser msf payloadadduser show actions ...actions... msf payloadadduser set ACTION msf payloadadduser show options ...show and set options... msf payloadadduse...
TFM MMPlayer (m3u/ppl File) Buffer Overflow
This module exploits a buffer overflow in MMPlayer 2.2 The vulnerability is triggered when opening a malformed M3U/PPL file that contains an overly long string, which results in overwriting a SEH record, thus allowing arbitrary code execution under the context of the user. This module requires...
OS Command Exec, Unix Command, Interact with Established Connection
Execute an OS command from PHP. Interacts with a shell on an established socket connection Module Options msf use payload/php/unix/cmd/interact msf payloadinteract show actions ...actions... msf payloadinteract set ACTION msf payloadinteract show options ...show and set options... msf...
LDAP Query and Enumeration Module
This module allows users to query an LDAP server using either a custom LDAP query, or a set of LDAP queries under a specific category. Users can also specify a JSON or YAML file containing custom queries to be executed using the RUNQUERYFILE action. If this action is specified, then QUERYFILEPATH...
WMI Event Subscription Event Log Persistence
This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that will query the event log for an EVENTIDTRIGGER default: failed logon request id 4625 that also contains a specified USERNAMETRIGGER note: failed logon auditing must be enabled on...
Control Web Panel /admin/index.php Unauthenticated RCE
Control Web Panel CWP versions use exploit/linux/http/controlwebpanelapicmdexec msf exploitcontrolwebpanelapicmdexec show targets ...targets... msf exploitcontrolwebpanelapicmdexec set TARGET msf exploitcontrolwebpanelapicmdexec show options ...show and set options... msf...
Windows Registry Only Persistence
This module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in "CurrentVersion\Run" or "RunOnce" depending on privilege and selected method. The payload will be installed completely in registry. Module Options...
Periodic Script Persistence
This module will achieve persistence by writing a script to the /etc/periodic directory. According to The Art of Mac Malware no such malware species persist in this manner 2024. This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux. Module Options msf use...
HTTP Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute an MIPSBE payload from an HTTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/http/mipsbe/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...
CUPS 1.6.1 Root File Read
This module exploits a vulnerability in CUPS 'CUPS 1.6.1 Root File Read', 'Description' = %q This module exploits a vulnerability in CUPS 1.6.2, an open source printing system. CUPS allows members of the lpadmin group to make changes to the cupsd.conf configuration, which can specify an Error Log...
Microsoft Office Word MSDTJS
This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template feature to fetch an HTML document and then use the ms-msdt scheme to execute PowerShell code. Module Options msf use exploit/windows/fileformat/wordmsdtjsrce msf exploitwordmsdtjsrce show...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an RISC-V 64-bit payload from an HTTP server. Connect back to attacker and spawn a command shell. Module Options msf use payload/cmd/linux/http/riscv64le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf...
HTTP Fetch, Linux dup2 Command Shell, Bind TCP Stager
Fetch and execute an ARMLE payload from an HTTP server. dup2 socket in r12, then execve. Listen for a connection Module Options msf use payload/cmd/linux/http/armle/shell/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show an...
Selenium geckodriver RCE
Selenium Server Grid use exploit/linux/http/seleniumgreedfirefoxrcecve202228108 msf exploitseleniumgreedfirefoxrcecve202228108 show targets ...targets... msf exploitseleniumgreedfirefoxrcecve202228108 set TARGET msf exploitseleniumgreedfirefoxrcecve202228108 show options ...show and set options...
Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)
This module will try to find Service Principal Names that are associated with normal user accounts. Since normal accounts' passwords tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for a...
Microsoft Windows SMB to LDAP Relay
This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured RHOSTS hosts. It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check MIC. As a result, this will only work with NTLMv...
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
The telnetd service from GNU InetUtils is vulnerable to authentication-bypass, tracked as CVE-2026-24061, in versions up to version 2.7. During Telnet authentication the SB byte can be sent to indicate sub-negotiation which allows for the exchange of sub-option parameters after both parties have...
HTTP Fetch
Fetch and execute an ARMBE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/armbe/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
HTTPS Fetch, Linux Execute Command
Fetch and execute an MIPSLE payload from an HTTPS server. A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space. Module Options msf use payload/cmd/linux/https/mipsle/exec msf payloadexec show...
OS Command Exec, Unix Command Shell, Bind TCP (via netcat)
Execute an OS command from PHP. Listen for a connection and spawn a command shell via netcat Module Options msf use payload/php/unix/cmd/bindnetcat msf payloadbindnetcat show actions ...actions... msf payloadbindnetcat set ACTION msf payloadbindnetcat show options ...show and set options... msf...
BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)
This module exploits two vulnerabilities in the BYOB Build Your Own Botnet web GUI: 1. CVE-2024-45256: Unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user. 2. CVE-2024-45257: Authenticated command injection in the payload generation page...
SSH Key Persistence
This module will add an SSH key to a specified user or all, to allow remote login via SSH at any time. No payload is required for this module to work. If an SSH key is not provided, a new 4096 bit RSA keypair will be generated. The private key will be stored as loot for later use. Module Options...
GeoServer WMS GetMap XXE Arbitrary File Read
This module exploits an XML External Entity XXE vulnerability in GeoServer via the WMS GetMap operation. The vulnerability allows reading arbitrary files from the server's file system by injecting an XXE entity in the SLD Styled Layer Descriptor. Affected versions: - GeoServer = 2.26.0, use...
HTTPS Fetch
Fetch and execute an x64 payload from an HTTPS server. Module Options msf use payload/cmd/windows/https/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec ru...
OS Command Exec, Unix Command Shell, Double Reverse TCP (telnet)
Execute an OS command from PHP. Creates an interactive shell through two inbound connections Module Options msf use payload/php/unix/cmd/reverse msf payloadreverse show actions ...actions... msf payloadreverse set ACTION msf payloadreverse show options ...show and set options... msf payloadrevers...
OS Command Exec, Unix Command Shell, Reverse TCP (via Ruby)
Execute an OS command from PHP. Connect back and create a command shell via Ruby Module Options msf use payload/php/unix/cmd/reverseruby msf payloadreverseruby show actions ...actions... msf payloadreverseruby set ACTION msf payloadreverseruby show options ...show and set options... msf...
Craft CMS Twig Template Injection RCE via FTP Templates Path
This module exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument. The vulnerability allows arbitrary template loading via FTP, leading to Remote Code Execution RCE. Module Options msf use exploit/linux/http/craftcmsftptemplate msf...
Python Exec, Python Meterpreter Shell, Reverse HTTP Inline
Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/windows/python/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf...
HTTPS Fetch
Fetch and execute an ARMBE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/armbe/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and...
Atlassian Confluence Unauthenticated Remote Code Execution
This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java objects to be modified at run time. The exploit will create a new administrator...
Windows Shortcut (LNK) Padding
This module generates Windows LNK shortcut file that can execute arbitrary commands. The LNK file uses environment variables and execute its arguments from COMMANDLINEARGUMENTS with extra juicy whitespace character padding bytes and concatenates the actual payload. Module Options msf use...
OS Command Exec, Add user with useradd
Execute an OS command from PHP. Creates a new user. By default the new user is set with sudo but other options exist to make the new user automatically root but this is not automatically set since the new user will be treated as root and login may be difficult. The new user can also be set as jus...
HTTP Fetch
Fetch and execute an ARMBE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/armbe/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show a...
VMware vRealize Log Insight Unauthenticated RCE
VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the...
ElasticSearch Search Groovy Sandbox Bypass
This module exploits a remote command execution RCE vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypass...
openDCIM install.php SQL Injection to RCE
This module exploits a SQL injection vulnerability in openDCIM's install.php endpoint CVE-2026-28515 to achieve remote code execution. The install.php script remains accessible after installation and processes LDAP configuration parameters via UpdateParameter without authentication or input...
HTTP Fetch, Linux Reboot
Fetch and execute an RISC-V 32-bit payload from an HTTP server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAPSYSBOOT privileges. Module Options msf use payload/cmd/linux/http/riscv32le/reboot msf...
Execute .net Assembly (x64 only)
This module executes a .NET assembly in memory. It reflectively loads a dll that will host CLR, then it copies the assembly to be executed into memory. Credits for AMSI bypass to Rastamouse @RastaMouse This module requires Metasploit: https://metasploit.com/download Current source:...
HTTP Fetch, Linux Chmod
Fetch and execute an RISC-V 32-bit payload from an HTTP server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/http/riscv32le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set...
Service System V Persistence
This module will create a service via System V on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services. Some systems include backwards compatibility, such as Ubuntu up to about 16.04. Targets: CentOS use...
HTTP Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute an RISC-V 64-bit payload from an HTTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/http/riscv64le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show...