6847 matches found
HTTP Fetch, Linux Reboot
Fetch and execute an MIPSBE payload from an HTTP server. A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures. Requires CAP_SYS_BOOT privileges. Module Options msf use...
Python Exec, Python Meterpreter Shell, Reverse TCP Inline
Execute a Python payload as an OS command from a Posix-compatible shell. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set...
TFTP Fetch, Linux Execute Command
Fetch and execute an RISC-V 32-bit payload from a TFTP server. Execute an arbitrary command Module Options msf use payload/cmd/linux/tftp/riscv32le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec ru...
HTTPS Fetch, Reverse TCP Stager
Fetch and execute an AARCH64 payload from an HTTPS server. Connect back to the attacker Module Options msf use payload/cmd/linux/https/aarch64/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and se...
OSX aarch64 Execute Command
Execute an arbitrary command Module Options msf use payload/osx/aarch64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Current...
Symmetricom SyncServer Unauthenticated Remote Command Execution
This module exploits an unauthenticated command injection vulnerability in /controller/ping.php. The S100 through S350 End of Life models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability. Later models require authentication which is not provided in this...
HTTP Fetch, Windows x64 LoadLibrary Path
Fetch and execute an x64 payload from an HTTP server. Load an arbitrary x64 library path Module Options msf use payload/cmd/windows/http/x64/loadlibrary msf payloadloadlibrary show actions ...actions... msf payloadloadlibrary set ACTION msf payloadloadlibrary show options ...show and set options...
HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x64/meterpreter/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show an...
HTTP Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell Windows x64 staged. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/http/x64/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf...
Apache Tomcat AJP File Read
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that...
Oracle WebLogic Server Administration Console Handle RCE
This module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0...
HTTP Fetch
Fetch and execute a PPC64LE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/ppc64le/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show an...
HTTPS Fetch, Windows x64 Command Shell, Reverse TCP Inline
Fetch and execute an x64 payload from an HTTPS server. Connect back to attacker and spawn a command shell Windows x64 Module Options msf use payload/cmd/windows/https/x64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf...
HTTP Fetch, Windows Encrypted Reverse Shell
Fetch and execute an x64 payload from an HTTP server. Connect back to attacker and spawn an encrypted command shell Module Options msf use payload/cmd/windows/http/x64/encryptedshellreversetcp msf payloadencryptedshellreversetcp show actions ...actions... msf payloadencryptedshellreversetcp set...
Avast AV Memory Dumping Utility
This module leverages an Avast Anti-Virus memory dump utility that is shipped by default with Avast Anti-Virus Home software suite. Module Options msf use post/windows/gather/avastmemorydump msf postavastmemorydump show actions ...actions... msf postavastmemorydump set ACTION msf...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an MIPSLE payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/mipsle/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
HTTP Fetch, Windows x64 Bind Named Pipe Stager
Fetch and execute an x64 payload from an HTTP server. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/peinject/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show options...
AD/CS Authenticated Web Enrollment Services Module
Authenticates to the AD/CS Web enrollment service and allows the user to query templates and create certificates based on available templates. Module Options msf use auxiliary/admin/http/webenrollmentcert msf auxiliarywebenrollmentcert show actions ...actions... msf auxiliarywebenrollmentcert set...
HTTP Fetch, Linux Chmod
Fetch and execute an AARCH64 payload from an HTTP server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/http/aarch64/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set...
TFTP Fetch, Linux Reboot
Fetch and execute an RISC-V 64-bit payload from a TFTP server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/cmd/linux/tftp/riscv64le/reboot msf...
Jasmin Ransomware Web Server Unauthenticated SQL Injection
The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability within the login functionality. As of April 15, 2024, this was still unpatched, so all versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched. Retrieving the victim's data m...
HTTP Fetch, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an HTTP server. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/vncinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... ms...
HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTP server. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/http/x64/vncinject/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...
Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
Open Web Analytics OWA before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with ' use exploit/multi/http/openwebanalyticsrce msf...
Spring Cloud Function SpEL Injection
Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attack...
Bypass the macOS TCC Framework
This module exploits a vulnerability in the TCC daemon on macOS Catalina use post/osx/escalate/tccbypass msf posttccbypass show actions ...actions... msf posttccbypass set ACTION msf posttccbypass show options ...show and set options... msf posttccbypass run This module requires Metasploit:...
Microsoft UPnP Local Privilege Elevation Vulnerability
This exploit uses two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT...
Web-Check Screenshot API Command Injection RCE
This module exploits a command injection vulnerability in Web-Check's /api/screenshot endpoint. The directChromiumScreenshot function uses child_process.exec with unsanitized user input, allowing command injection via URL query parameters. The vulnerability was patched in commit...
HTTP Fetch, Linux Execute Command
Fetch and execute an RISC-V 32-bit payload from an HTTP server. Execute an arbitrary command Module Options msf use payload/cmd/linux/http/riscv32le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec r...
HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Fetch and execute an ARMLE payload from an HTTPS server. dup2 socket in r12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/https/armle/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...
HTTP Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/custom/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf...
Watch Queue Out of Bounds Write
This module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service ...
Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger
Creates a scheduled task that will run using service-for-user (S4U). This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires 'Logon as a batch job'...
SPIP Saisies Plugin Unauthenticated RCE
This module exploits an unauthenticated PHP code injection in the SPIP Saisies plugin (CVE-2025-71243). The anciennesvaleurs form parameter is interpolated unsanitized into a hidden field rendered with interdirescripts=false, allowing direct PHP code execution via template eval. Exploitation requir...
HTTP Fetch, Linux Chmod
Fetch and execute an RISC-V 64-bit payload from an HTTP server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/http/riscv64le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set...
Splunk "edit_user" Capability Privilege Escalation
A low-privileged user who holds a role that has the "edit_user" capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.con...
Bitbucket Git Command Injection
Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/projectKey/repos/repositorySlug/archive endpoint creates an archive of the repository, leveraging the git-archive...
Advantech iView NetworkServlet Command Injection
Versions of Advantech iView software below 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backupfile, to the mysqldump command. The sanitization functionality on...
Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE
This module exploits an OS command injection issue in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron. A remote attacker can achieve unauthenticated RCE with root privileges on an affected device. Module Options msf use exploit/linux/http/ivantiepmmrce msf exploitivantiepmmrce sh...
HTTP Fetch
Fetch and execute an MIPSBE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/mipsbe/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show...
HTTP Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell Windows x64 staged. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/http/x64/shell/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuui...
Fortinet FortiNAC keyUpload.jsp arbitrary file write
This module uploads a payload to the /tmp directory in addition to a cron job to /etc/cron.d which executes the payload in the context of the root user. The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which is accessible remotely and without authentication...
WordPress File Manager Unauthenticated Remote Code Execution
The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload or mkfile...
FrontPage .pwd File Credential Dump
This module downloads and parses the '_vti_pvt/service.pwd', '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files on a FrontPage server to find credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
HTTPS Fetch
Fetch and execute an AARCH64 payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/aarch64/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show...
TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
Fetch and execute an x64 payload from a TFTP server. Custom shellcode stage. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/tftp/x64/custom/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf...
Zimbra sudo + postfix privilege escalation
This module exploits a vulnerable sudo configuration that permits the zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shell scripts, which means it can execute a root shell. Module Options msf use exploit/linux/local/zimbrapostfixprivesc msf exploitzimbrapostfixprive...
Wordpress LiteSpeed Cache plugin cookie theft
This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the...
HTTP Fetch, Linux Command Shell, Reverse TCP Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/http/x64/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options...
VMware Workspace ONE Access VMSA-2022-0011 exploit chain
This module combines two vulnerabilities in order to achieve remote code execution in the context of the horizon user. The first vulnerability (CVE-2022-22956) is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication...