6846 matches found
Unix Command Shell, Bind TCP (via BusyBox telnetd)
Listen for a connection and spawn a command shell via BusyBox telnetd. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 26 include Msf::Payload::Single include...
Overlayfs Privilege Escalation
This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific - 3.13.0-24 14.04 default...
Microsoft Windows HTTP to LDAP Relay
This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured RHOSTS hosts. It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check (MIC). As a result, this will only work with...
HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell Windows x64 staged. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/shell/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set...
HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x64/custom/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show...
ManageEngine Endpoint Central Unauthenticated SAML RCE
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by...
HTTPS Fetch
Fetch and execute an x86 payload from an HTTPS server. Module Options msf use payload/cmd/windows/https/x86/powershellreversetcp msf payloadpowershellreversetcp show actions ...actions... msf payloadpowershellreversetcp set ACTION msf payloadpowershellreversetcp show options ...show and set...
HTTP Fetch
Fetch and execute an AARCH64 payload from an HTTP server. Module Options msf use payload/cmd/linux/http/aarch64/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...sh...
HTTPS Fetch
Fetch and execute a MIPSLE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/mipsle/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...sh...
TFTP Fetch, Windows x64 IPv6 Bind TCP Stager
Fetch and execute an x64 payload from a TFTP server. Listen for an IPv6 connection Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/meterpreter/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...sho...
TFTP Fetch, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from a TFTP server. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/vncinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf...
Apache Tomcat Manager Authenticated Upload Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on...
Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution
This module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are as follows: ATP Firmware version 4.60 to 5.35 inclusive, USG FLEX Firmware versio...
ua-parser-js npm module ReDoS
This module exploits a Regular Expression Denial of Service vulnerability in the npm module "ua-parser-js". Server-side applications that use "ua-parser-js" for parsing the browser user-agent string will be vulnerable if they call the "getOS" or "getResult" functions. This vulnerability was fixed...
Control iD iDSecure Authentication Bypass (CVE-2023-6329)
This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure use auxiliary/admin/http/idsecureauthbypass msf auxiliaryidsecureauthbypass show actions ...actions... msf auxiliaryidsecureauthbypass set ACTION msf auxiliaryidsecureauthbypass show options ...show...
TFTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
Fetch and execute an x64 payload from a TFTP server. Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/shell/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION...
HTTP Fetch, Windows x64 Pingback, Reverse TCP Inline
Fetch and execute an x64 payload from an HTTP server. Connect back to attacker and report UUID Windows x64 Module Options msf use payload/cmd/windows/http/x64/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION msf...
HTTP Fetch, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an HTTP server. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/peinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf...
Apache Tomcat on Ubuntu Log Init Privilege Escalation
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account, for example by exploiting an RCE vulnerability in a Java w...
HTTPS Fetch, Linux Chmod
Fetch and execute a RISC-V 32-bit payload from an HTTPS server. Runs chmod on the specified file with specified mode. Module Options msf use payload/cmd/linux/https/riscv32le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and s...
Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability
A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. The clfs.sys driver contains a function CreateLogFile that is used to create, open and edit '.blf' base log format...
TFTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from a TFTP server. Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/shell/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf...
HTTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/http/x64/custom/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show...
HTTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)
Fetch and execute an x64 payload from an HTTP server. Listen for an IPv6 connection and spawn a command shell Module Options msf use payload/cmd/linux/http/x64/shellbindipv6tcp msf payloadshellbindipv6tcp show actions ...actions... msf payloadshellbindipv6tcp set ACTION msf payloadshellbindipv6tc...
VICIdial Multiple Authenticated SQLi
This module exploits several authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modifyemailaccounts parameter. Injection point 2 is ...
HTTPS Fetch, Windows Upload/Execute, Find Tag Ordinal Stager
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Use an established connection Module Options msf use payload/cmd/windows/https/x86/upexec/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show...
TFTP Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute a RISC-V 32-bit payload from a TFTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/tftp/riscv32le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show...
HTTPS Fetch
Fetch and execute a MIPSBE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/mipsbe/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...sh...
HTTP Fetch
Fetch and execute a MIPS64 payload from an HTTP server. Module Options msf use payload/cmd/linux/http/mips64/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTPS server. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/https/x64/meterpreter/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...
Atlassian Confluence Namespace OGNL Injection
This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution. Module Options msf use exploit/multi/http/atlassianconfluencenamespaceognlinjection msf...
OpenBSD Dynamic Loader chpass Privilege Escalation
This module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in...
HTTP Fetch, Linux Execute Command
Fetch and execute a MIPSBE payload from an HTTP server. A very small shellcode for executing commands. This module is sometimes helpful for testing purposes. Module Options msf use payload/cmd/linux/http/mipsbe/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf...
Kibana Upgrade Assistant Telemetry Collector Prototype Pollution
Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code. Code execution is possible through two different ways. Either by sending data directly to Elastic, or using...
HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
Fetch and execute an x64 payload from an HTTPS server. Custom shellcode stage. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/https/x64/custom/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf...
HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager
Fetch and execute an x64 payload from an HTTP server. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/http/x64/meterpreter/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...
HTTP Fetch, Reverse TCP Stager
Fetch and execute an x64 payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/http/x64/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set options...
F5 BIG-IP iControl CSRF File Write SOAP API
This module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are...
HTTPS Fetch, Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
Fetch and execute an x86 payload from an HTTPS server. Spawn a piped command shell staged. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/https/x86/shell/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf...
HTTPS Fetch, Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/https/x86/upexec/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION...
HTTPS Fetch, Linux Reboot
Fetch and execute a RISC-V 64-bit payload from an HTTPS server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/cmd/linux/https/riscv64le/reboot msf...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute a RISC-V 32-bit payload from a TFTP server. Connect back to attacker and spawn a command shell. Module Options msf use payload/cmd/linux/tftp/riscv32le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf...
Linux Reboot
A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/linux/riscv32le/reboot msf payloadreboot show actions ...actions... msf payloadreboot set ACTION msf...
HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from an HTTP server. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/http/x64/peinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...
HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTP server. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/http/x64/vncinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show...
mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)
Authenticated Command Injection in MyPRO use exploit/windows/scada/myprocmdexe msf exploitmyprocmdexe show targets ...targets... msf exploitmyprocmdexe set TARGET msf exploitmyprocmdexe show options ...show and set options... msf exploitmyprocmdexe exploit class MetasploitModule 'mySCADA MyPRO...
TFTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
Fetch and execute an x64 payload from a TFTP server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/tftp/x64/meterpreterreverseipv6tcp msf payloadmeterpreterreverseipv6tcp show actions ...actions... msf...
HTTPS Fetch, Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/https/x86/upexec/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTI...
TFTP Fetch, Linux Execute Command
Fetch and execute a RISC-V 64-bit payload from a TFTP server. Execute an arbitrary command Module Options msf use payload/cmd/linux/tftp/riscv64le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec ru...
Notepad++ Plugin Persistence
This module creates persistence by adding a malicious plugin to Notepad++, as it blindly loads and executes DLLs from its plugin directory on startup, meaning that the payload will be executed every time Notepad++ is launched. Module Options msf use...