6847 matches found
Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)
This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user. Module Options msf use exploit/linux/http/ivantisentrymisclogservice msf exploitivantisentrymisclogservice show targets ...targets... msf...
Windows Interactive Powershell Session, Reverse TCP SSL
Interacts with a PowerShell session on an established SSL socket connection Module Options msf use payload/cmd/windows/powershellreversetcpssl msf payloadpowershellreversetcpssl show actions ...actions... msf payloadpowershellreversetcpssl set ACTION msf payloadpowershellreversetcpssl show option...
HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Fetch and execute an ARMLE payload from an HTTP server. dup2 socket in r12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/http/armle/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...
Softing Secure Integration Server v1.22 Remote Code Execution
This module chains two vulnerabilities, CVE-2022-1373 and CVE-2022-2334, to achieve authenticated remote code execution against Softing Secure Integration Server v1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files...
FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE
An SQL injection (SQLi) vulnerability exists in FortiNet FortiClient EMS Endpoint Management Server. FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized platform for overseeing enrolled endpoints. The SQLi vulnerability is due to user controller...
ownCloud Phpinfo Reader
Docker containers of ownCloud compiled after February 2023 which have the graph app installed at version 0.2.0 (before 0.2.1) or 0.3.0 (before 0.3.1) contain a test file which prints phpinfo to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter. Docker m...
HTTP Fetch, Bind TCP Stager with UUID Support (Linux x86)
Fetch and execute an x86 payload from an HTTP server. Listen for a connection with UUID Support Linux x86 Module Options msf use payload/cmd/linux/http/x86/meterpreter/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show option...
HTTP Fetch, Linux Execute Command
Fetch and execute an x64 payload from an HTTP server. Execute an arbitrary command or just a /bin/sh shell Module Options msf use payload/cmd/linux/http/x64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf...
Microsoft Office Word Malicious Hta Execution
This module creates a malicious RTF file that, when opened in vulnerable versions of Microsoft Word, will lead to code execution. The flaw exists in how an OLE link object can make an HTTPS request and execute HTA code in the response. This bug was originally seen being exploited in the wild starting in...
MS16-032 Secondary Logon Handle Privilege Escalation
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12, 32 and 64 bit. This module will only work against those versions of Windows with PowerShell 2.0 or later and systems wi...
HTTPS Fetch, Linux Chmod
Fetch and execute an ARMLE payload from an HTTPS server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/https/armle/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options...
HTTP Fetch
Fetch and execute a MIPSLE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/mipsle/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show...
HTTPS Fetch, Reverse TCP Stager
Fetch and execute a MIPSLE payload from an HTTPS server. Connect back to the attacker Module Options msf use payload/cmd/linux/https/mipsle/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
Selenium arbitrary file read
If there is an open Selenium web driver, a remote attacker can send requests to the victim's browser. In certain cases this can be used to access the remote file system. Module Options msf use auxiliary/gather/seleniumfileread msf auxiliaryseleniumfileread show actions ...actions... msf...
Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read
This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The following versions are affected: MOVEit Transfer 2023.0.x (fixed in 2023.0.11), MOVEit Transfer 2023.1.x (fixed in 2023.1.6), MOVEit Transfer 2024.0.x (fixed in 2024.0.2). The module can...
Drupal Drupalgeddon 2 Forms API Property Injection
This module exploits a Drupal property injection in the Forms API. Drupal 6.x, ... Credits: Jasper Mattsson (vulnerability discovery), a2u (proof of concept...
ChurchCRM Database Restore RCE 6.2.0
This module exploits a Remote Code Execution (RCE) vulnerability in ChurchCRM versions prior to 6.2.0. The vulnerability resides in the Database Restore functionality, which allows an authenticated user with administrative privileges to upload a malicious backup file. By bypassing upload restrictio...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a PPC payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/ppc/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show...
Ivanti Cloud Services Appliance (CSA) Command Injection
This module exploits a command injection vulnerability in the Ivanti Cloud Services Appliance (CSA) for Ivanti Endpoint Manager. A cookie-based code injection vulnerability in the Cloud Services Appliance before 4.6.0-512 allows an unauthenticated user to execute arbitrary code with limited...
WordPress Plugin Elementor Authenticated Upload Remote Code Execution
The WordPress plugin Elementor, versions 3.6.0 to 3.6.2 inclusive, has a vulnerability that allows any authenticated user to upload and execute any PHP file. This is achieved by sending a request to install Elementor Pro from a user-supplied zip file. Any user with Subscriber or more permissions i...
Citrix ADC (NetScaler) Directory Traversal RCE
This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 to execute an arbitrary command payload. Module Options msf use exploit/freebsd/http/citrixdirtraversalrce msf exploitcitrixdirtraversalrce show...
Windows Gather PL/SQL Developer Connection Credentials
This module can decrypt the connection histories and credentials of PL/SQL Developer; passwords are only available if the user chose to remember them. Module Options msf use post/windows/gather/credentials/plsqldeveloper msf postplsqldeveloper show actions ...actions... msf postplsqldeveloper set...
LeakIX Search
This module uses the LeakIX API to search for exposed services and data leaks. LeakIX is a search engine focused on indexing internet-exposed services and leaked credentials/databases. An API key is required (free at https://leakix.net). Actions: SEARCH - Query LeakIX with a search string and scope...
Linux Chmod
Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/armle/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf payloadchmod run This module requires Metasploit:...
TFTP Fetch, Linux Chmod
Fetch and execute a RISC-V 32-bit payload from a TFTP server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/tftp/riscv32le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set...
HTTP Fetch, Linux Command Shell, Find Port Inline
Fetch and execute a PPC payload from an HTTP server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/http/ppc/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options ...show an...
VSCode ipynb Remote Development RCE
VSCode bypasses its trust model when opening a Jupyter notebook (.ipynb) file. On versions v1.4.0 - v1.71.1, it's possible for the Jupyter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at...
LG Simple Editor Remote Code Execution
This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious...
Monitorr unauthenticated Remote Code Execution (RCE)
This module exploits an arbitrary file upload vulnerability to achieve RCE in the Monitorr application. Using a specially crafted request, custom PHP code can be uploaded and injected through the endpoint upload.php because of missing input validation. Any user privileges can exploit this...
Android Janus APK Signature bypass
This module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fix...
Apache NiFi Version Scanner
This module identifies Apache NiFi websites and reports their version number. Tested against NiFi major releases 1.14.0 - 1.21.0 and 1.11.0 - 1.13.0. Also works against NiFi use auxiliary/scanner/http/apachenifiversion msf auxiliaryapachenifiversion show actions ...actions... msf...
HTTPS Fetch, Windows Encrypted Reverse Shell
Fetch and execute an x64 payload from an HTTPS server. Connect back to attacker and spawn an encrypted command shell Module Options msf use payload/cmd/windows/https/x64/encryptedshellreversetcp msf payloadencryptedshellreversetcp show actions ...actions... msf payloadencryptedshellreversetcp set...
Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload
This module exploits an unauthenticated arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through 12.2.11, in order to gain remote code execution as the oracle user. Module Options msf use...
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a RISC-V 32-bit payload from an HTTPS server. Connect back to attacker and spawn a command shell. Module Options msf use payload/cmd/linux/https/riscv32le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf...
mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)
Unauthenticated Command Injection in MyPRO Manager use exploit/windows/scada/mypromgrcmd msf exploitmypromgrcmd show targets ...targets... msf exploitmypromgrcmd set TARGET msf exploitmypromgrcmd show options ...show and set options... msf exploitmypromgrcmd exploit class MetasploitModule 'mySCAD...
PaperCut PaperCutNG Authentication Bypass
This module leverages an authentication bypass in PaperCut NG. If necessary, it updates PaperCut configuration options, specifically the 'print-and-device.script.enabled' and 'print.script.sandboxed' options, to allow for arbitrary code execution in the built-in RhinoJS engine. This module...
HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)
Fetch and execute an x64 payload from an HTTP server. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/http/x64/meterpreter/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show...
Ivanti Avalanche FileStoreConfig File Upload
Ivanti Avalanche prior to v6.4.0.186 permits MS-DOS style short names in the configuration path for the Central FileStore. Because of this, an administrator can change the default path to the web root of the application, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM. Module Options m...
Git Remote Code Execution via git-lfs (CVE-2020-27955)
A critical vulnerability, CVE-2020-27955, in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker's malicious repository using a vulnerable Git...
TFTP Fetch, Linux Chmod
Fetch and execute an ARMLE payload from a TFTP server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/tftp/armle/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... m...
HTTPS Fetch
Fetch and execute a MIPSBE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/mipsbe/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and s...
HTTPS Fetch
Fetch and execute an ARMLE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/armle/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and...
ESC8 Relay: SMB to HTTP(S)
This module creates an SMB server and then relays the credentials passed to it to an HTTP server to gain an authenticated connection. Once that connection is established, the module makes an authenticated request for a certificate based on a given template. Module Options msf use...
TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability
Multiple TOTOLINK network products contain a command injection vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter. After exploitation, an attacker will have full access with the same user privileges under...
WinRAR CVE-2023-38831 Exploit
This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution. Module Options msf use exploit/windows/fileformat/winrarcve202338831 msf exploitwinrarcve202338831 show targets...
TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting
TerraMaster chained exploit that performs session crafting to achieve escalated privileges, which allows an attacker to reach vulnerable code execution flaws. TOS versions 4.2.15 and below are affected. CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system as we...
ChurchCRM Unauthenticated RCE via Setup Page
ChurchCRM use exploit/multi/http/churchcrminstallunauthrce msf exploitchurchcrminstallunauthrce show targets ...targets... msf exploitchurchcrminstallunauthrce set TARGET msf exploitchurchcrminstallunauthrce show options ...show and set options... msf exploitchurchcrminstallunauthrce exploit This...
HTTP Fetch, Linux Reboot
Fetch and execute a MIPSLE payload from an HTTP server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/cmd/linux/http/mipsle/reboot msf payloadreboot...
OSX aarch64 Execute Command
Execute an arbitrary command Module Options msf use payload/osx/aarch64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Current...
GitLab Tags RSS feed email disclosure
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It is possible to read a user's email address via the tags feed even though email visibility has been disabled in the user profile. Module Options msf use...