Citrix ADC (NetScaler) Forms SSO Target RCE
A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root. Module Options msf use...
Powershell Exec, Windows Meterpreter Shell, Bind Named Pipe Inline
Execute an x86 payload from a command via PowerShell. Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/powershell/meterpreterbindnamedpipe msf payloadmeterpreterbindnamedpipe show actions ...actions... msf...
Windows Telemetry Persistence
This persistence mechanism installs a new telemetry provider for Windows. If telemetry is turned on, when the scheduled task launches, it will execute the telemetry provider and execute our payload with system permissions. Module Options msf use exploit/windows/persistence/telemetry msf...
Authenticated RCE in Splunk (splunk_archiver app)
This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise splunk_archiver application. The flaw is rooted in the unsafe use of a Splunk lookup function, specifically | copybuckets, within the splunk_archiver application, which ultimately leads to the execution o...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a RISC-V 32-bit payload from an HTTP server. Connect back to attacker and spawn a command shell. Module Options msf use payload/cmd/linux/http/riscv32le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf...
HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Fetch and execute an AARCH64 payload from an HTTPS server. dup2 socket in x12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/https/aarch64/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a PPC64 payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/ppc64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show...
Linux Execute Command
Execute an arbitrary command Module Options msf use payload/linux/riscv64le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Curre...
HTTPS Fetch
Fetch and execute an x64 payload from an HTTPS server. Module Options msf use payload/cmd/windows/https/x64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit:...
TFTP Fetch, Linux Execute Command
Fetch and execute an ARMLE payload from a TFTP server. Execute an arbitrary command or just a /bin/sh shell Module Options msf use payload/cmd/linux/tftp/armle/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf...
TFTP Fetch, Reverse TCP Stager
Fetch and execute an AARCH64 payload from a TFTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/aarch64/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/http/x64/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf...
HTTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from an HTTP server. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/http/x64/meterpreter/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinht...
HTTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)
Fetch and execute an x64 payload from an HTTP server. Tunnel communication over HTTPS Windows x64 winhttp Module Options msf use payload/cmd/windows/http/x64/meterpreter/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION msf...
Bitbucket Environment Variable RCE
For various versions of Bitbucket, there is an authenticated command injection vulnerability that can be exploited by injecting environment variables into a user name. This module achieves remote code execution as the atlbitbucket user by injecting the GIT_EXTERNAL_DIFF environment variable, a null...
HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Fetch and execute an AARCH64 payload from an HTTP server. dup2 socket in x12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/http/aarch64/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp sh...
HTTP Fetch
Fetch and execute a PPC payload from an HTTP server. Module Options msf use payload/cmd/linux/http/ppc/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
OSX aarch64 Shell Reverse TCP
Connect back to attacker and spawn a command shell Module Options msf use payload/osx/aarch64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show options ...show and set options... msf payloadshellreversetcp r...
OS Command Exec, Unix Command Shell, Bind TCP (stub)
Execute an OS command from PHP. Listen for a connection and spawn a command shell stub only, no payload Module Options msf use payload/php/unix/cmd/bindstub msf payloadbindstub show actions ...actions... msf payloadbindstub set ACTION msf payloadbindstub show options ...show and set options... ms...
PHP Exec, PHP Meterpreter, Bind TCP Stager with UUID Support
Execute a PHP payload as an OS command from a Posix-compatible shell. Run a meterpreter server in PHP. Listen for a connection with UUID Support Module Options msf use payload/cmd/unix/php/meterpreter/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an AARCH64 payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/aarch64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
Win32k NtGdiResetDC Use After Free Local Privilege Elevation
A use after free vulnerability exists in the NtGdiResetDC function of Win32k which can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists due to the fact that this function calls hdcOpenDCW, which performs a user mode callback. During this callback...
Telegram Message Client
This module can be used to send a document and/or message to multiple chats on Telegram. Please refer to the module documentation for info on how to retrieve the bot token and corresponding chat ID values. Module Options msf use auxiliary/client/telegram/sendmessage msf auxiliarysendmessage show...
HTTPS Fetch, Linux Execute Command
Fetch and execute a RISC-V 32-bit payload from an HTTPS server. Execute an arbitrary command Module Options msf use payload/cmd/linux/https/riscv32le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec...
HTTP Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute a PPC payload from an HTTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/http/ppc/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options ...show...
OS Command Exec, Unix Command Shell, Reverse TCP (via Tclsh)
Execute an OS command from PHP. Creates an interactive shell via Tclsh Module Options msf use payload/php/unix/cmd/reversetclsh msf payloadreversetclsh show actions ...actions... msf payloadreversetclsh set ACTION msf payloadreversetclsh show options ...show and set options... msf...
OS Command Exec, Unix Command Shell, Reverse TCP (stub)
Execute an OS command from PHP. Creates an interactive shell through an inbound connection stub only, no payload Module Options msf use payload/php/unix/cmd/reversestub msf payloadreversestub show actions ...actions... msf payloadreversestub set ACTION msf payloadreversestub show options ...show...
HTTPS Fetch
Fetch and execute an ARMBE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/armbe/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show...
TFTP Fetch, Linux Reboot
Fetch and execute a MIPSBE payload from a TFTP server. A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures. Requires CAP_SYS_BOOT privileges. Module Options msf use...
OpenTSDB 2.4.1 unauthenticated command injection
This module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If...
Win32k ConsoleControl Offset Confusion
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This...
Apple_iOS Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 643824 include...
OS Command Exec, Unix Command Shell, Reverse SCTP (via socat)
Execute an OS command from PHP. Creates an interactive shell via socat Module Options msf use payload/php/unix/cmd/reversesocatsctp msf payloadreversesocatsctp show actions ...actions... msf payloadreversesocatsctp set ACTION msf payloadreversesocatsctp show options ...show and set options... msf...
Dolibarr 16 pre-auth contact database dump
Dolibarr version 16 use auxiliary/scanner/http/dolibarr16contactdump msf auxiliarydolibarr16contactdump show actions ...actions... msf auxiliarydolibarr16contactdump set ACTION msf auxiliarydolibarr16contactdump show options ...show and set options... msf auxiliarydolibarr16contactdump run This...
Cacti 1.2.22 unauthenticated command injection
This module exploits an unauthenticated command injection vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in order to achieve unauthenticated remote code execution as the www-data user. The module first attempts to obtain the Cacti version to see if the target is affected. If LOCALDATAID...
phpMyAdmin Authenticated Remote Code Execution
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a PPC payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/ppc/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show...
Microsoft Windows SMB to MSSQL Relay
This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server on the configured RHOSTS hosts. If the relay succeeds, an MSSQL session to the target will be created. This can be used by any modules that support MSSQL...
PHP Exec, PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
Execute a PHP payload as an OS command from a Posix-compatible shell. Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support Module Options msf use payload/cmd/unix/php/meterpreter/bindtcpipv6uuid msf payloadbindtcpipv6uuid show actions ...actions... msf...
Linux Execute Command
Execute an arbitrary command Module Options msf use payload/linux/riscv32le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Curre...
SMB Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64
Fetch and execute an x64 payload from an SMB server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/smb/x64/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf...
ZoneMinder Snapshots Command Injection
This module exploits an unauthenticated command injection in ZoneMinder that can be exploited by appending a command to the "create monitor ids"-action of the snapshot view. Affected versions: use exploit/unix/webapp/zonemindersnapshots msf exploitzonemindersnapshots show targets ...targets... ms...
invscout RPM Privilege Escalation
This module exploits a command injection vulnerability in IBM AIX invscout set-uid root utility present in AIX 7.2 and earlier. The undocumented -rpm argument can be used to install an RPM file; and the undocumented -o argument passes arguments to the rpm utility without validation, leading to...
BentoML's runner server RCE
There was an insecure deserialization in BentoML's runner server prior to version 1.4.8. By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code in the context of the user running the server, which will grant initial access and...
Ollama Model Registry Path Traversal RCE
Ollama before 0.1.34 is vulnerable to a path traversal attack via the model pull mechanism (CVE-2024-37032). When pulling a model, the digest field in OCI manifests is not validated, allowing an attacker to inject path traversal sequences to write arbitrary files on the server. This module starts a...
Linux Chmod
Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/riscv32le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf payloadchmod run This module requires Metasploit:...
HTTP Fetch, Linux Execute Command
Fetch and execute an ARMLE payload from an HTTP server. Execute an arbitrary command or just a /bin/sh shell Module Options msf use payload/cmd/linux/http/armle/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf...
HTTP Fetch
Fetch and execute an ARMLE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/armle/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and s...
Wowza Streaming Engine Manager Login Utility
This module will attempt to authenticate to Wowza Streaming Engine via Wowza Streaming Engine Manager web interface. Module Options msf use auxiliary/scanner/http/wowzastreamingenginemanagerlogin msf auxiliarywowzastreamingenginemanagerlogin show actions ...actions... msf...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a MIPSLE payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/mipsle/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sh...