6846 matches found
HTTP Fetch, Linux Execute Command
Fetch and execute a x86 payload from an HTTP server. Execute an arbitrary command or just a /bin/sh shell Module Options msf use payload/cmd/linux/http/x86/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf...
HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/http/x64/custom/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an x64 payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/x64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show...
Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/unix/python/meterpreter/reversetcpuuid msf payloadreversetcpuuid show actio...
HTTPS Fetch, Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/https/x86/upexec/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION...
TFTP Fetch, Linux Execute Command
Fetch and execute an RISC-V 64-bit payload from a TFTP server. Execute an arbitrary command Module Options msf use payload/cmd/linux/tftp/riscv64le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec ru...
HTTP Fetch
Fetch and execute an ARMLE payload from an HTTP server. Module Options msf use payload/cmd/linux/http/armle/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show a...
HTTP Fetch
Fetch and execute an x64 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit:...
HTTPS Fetch, Linux Command Shell, Bind TCP Random Port Inline
Fetch and execute an x64 payload from an HTTPS server. Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'. Module Options msf use payload/cmd/linux/https/x64/shellbindtcprandomport msf payloadshellbindtcprandomport show...
Python Exec, Python Meterpreter, Python Reverse HTTPS Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP using SSL Module Options msf use payload/cmd/windows/python/meterpreter/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttp...
update-motd.d Persistence
This module will add a script in /etc/update-motd.d/ in order to persist a payload. The payload will be executed with root privileges everytime a user logs in. Module Options msf use exploit/linux/local/motdpersistence msf exploitmotdpersistence show targets ...targets... msf exploitmotdpersisten...
VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure
VMWare Aria Operations for Networks vRealize Network Insight versions 6.0.0 through 6.10.0 do not randomize the SSH keys on virtual machine initialization. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "support" root user. Module Options msf...
HTTP Fetch
Fetch and execute an x64 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x64/powershellreversetcpssl msf payloadpowershellreversetcpssl show actions ...actions... msf payloadpowershellreversetcpssl set ACTION msf payloadpowershellreversetcpssl show options ...show and...
VMware vCenter Server Virtual SAN Health Check Plugin RCE
This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. Tested against VMware vCenter Server 6.7 Update 3m Linux...
SAP Unauthenticated WebService User Creation
This module leverages an unauthenticated web service to submit a job which will create a user with a specified role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid unnecessary system changes. Module Options msf use...
Microsoft Windows HTTP to LDAP Relay
This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured RHOSTS hosts. It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check MIC. As a result, this will only work with...
HTTPS Fetch, Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/https/x86/upexec/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTI...
Notepad++ Plugin Persistence
This module create persistence by adding a malicious plugin to Notepad++, as it blindly loads and executes DLL from its plugin directory on startup, meaning that the payload will be executed every time Notepad++ is launched. Module Options msf use...
Kemp LoadMaster Unauthenticated Command Injection
This module exploits an unauthenticated command injection vulnerability in Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1. The following versions are patched: 7.2.59.2 GA, 7.2.54.8 LTSF and 7.2.48.10 LTS. Module Options msf use...
TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from a TFTP server. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/vncinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...
HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an HTTP server. Spawn a piped command shell Windows x64 staged. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x64/shell/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf...
Microsoft Office CVE-2017-11882
Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory. This module requires Metasploit:...
IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUTFILE option and then cracked using hmacsha1crack.rb in the tools subdirectory as well hashcat cpu 0.46 or newer using...
Xerte Online Toolkits Arbitrary File Upload - Upload Image
This module exploits the user template file import function's unrestricted file upload in versions 3.14 and earlier to upload and execute a shell. This targets editor/uploadImage.php. This has only been tested in implementations where the authentication type is "Db". OPSEC - if the user is logged...
HTTPS Fetch, Linux Command Shell, Bind TCP Inline
Fetch and execute an RISC-V 32-bit payload from an HTTPS server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/https/riscv32le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp sh...
HTTPS Fetch, Linux Add User
Fetch and execute an ARMLE payload from an HTTPS server. Create a new user with UID 0 Module Options msf use payload/cmd/linux/https/armle/adduser msf payloadadduser show actions ...actions... msf payloadadduser set ACTION msf payloadadduser show options ...show and set options... msf...
AjaxPro Deserialization Remote Code Execution
This module leverages an insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website which utilized AjaxPro. To achieve code execution, the module will construct some JSON data which will be sent to the target. This data will be...
RaspAP Unauthenticated Command Injection
RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running...
HTTP Fetch, Linux Command Shell, Bind TCP Random Port Inline
Fetch and execute an x64 payload from an HTTP server. Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'. Module Options msf use payload/cmd/linux/http/x64/shellbindtcprandomport msf payloadshellbindtcprandomport show...
Malicious Git HTTP Server For CVE-2018-17456
This module exploits CVE-2018-17456, which affects Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower. When a submodule url which starts with a dash e.g "-u./payload" is passed as an argument to git clone, the file "payload" inside the repository is executed. This module...
AVideo Encoder getImage.php Unauthenticated Command Injection
This module exploits an unauthenticated OS command injection vulnerability in AVideo Encoder's getImage.php endpoint CVE-2026-29058. The base64Url GET parameter is base64-decoded and injected directly into an ffmpeg shell command within double quotes, without any sanitization or use of...
udev persistence
This module will add a script in /lib/udev/rules.d/ in order to execute a payload written on disk. It'll be executed with root privileges everytime a network interface other than l0 comes up. Module Options msf use exploit/linux/local/udevpersistence msf exploitudevpersistence show targets...
HTTPS Fetch
Fetch and execute an ARMBE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/armbe/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
HTTPS Fetch
Fetch and execute an MIPSLE payload from an HTTPS server. Module Options msf use payload/cmd/linux/https/ppc/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and...
Rancher Audit Log Sensitive Information Leak
Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive contain a vulnerability where sensitive data is leaked into the audit logs. Rancher Audit Logging is an opt-in feature, only deployments that have it enabled and have AUDITLEVEL set to 1 or above are impacted by this issue...
Unauthenticated RCE in Bricks Builder Theme
This module exploits an unauthenticated remote code execution vulnerability in the Bricks Builder Theme versions use exploit/multi/http/wpbricksbuilderrce msf exploitwpbricksbuilderrce show targets ...targets... msf exploitwpbricksbuilderrce set TARGET msf exploitwpbricksbuilderrce show options...
SMB Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an SMB server. Spawn a piped command shell Windows x64 staged. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/shell/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf...
HTTP Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/http/x64/custom/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf...
HTTPS Fetch, Windows Command Shell, Encrypted Reverse TCP Stager
Fetch and execute an x64 payload from an HTTPS server. Spawn a piped command shell staged. Connect to MSF and read in stage Module Options msf use payload/cmd/windows/https/x64/encryptedshell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf...
Wordpress XML-RPC Username/Password Login Scanner
This module attempts to authenticate against a Wordpress-site via XMLRPC using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. This module requires Metasploit: https://metasploit.com/download Current source:...
HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an AARCH64 payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/aarch64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
HTTP Fetch, Linux Command Shell, Bind TCP Inline (IPv6)
Fetch and execute a x86 payload from an HTTP server. Listen for a connection over IPv6 and spawn a command shell Module Options msf use payload/cmd/linux/http/x86/shellbindipv6tcp msf payloadshellbindipv6tcp show actions ...actions... msf payloadshellbindipv6tcp set ACTION msf...
TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from a TFTP server. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/peinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...
TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from a TFTP server. Custom shellcode stage. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/tftp/x64/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf...
HTTPS Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from an HTTPS server. Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/https/x64/shell/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf...
Python Exec, Python Meterpreter, Python Bind TCP Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection Module Options msf use payload/cmd/windows/python/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp...
NorthStar C2 XSS to Agent RCE
NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is vulnerable to a stored xss. An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session. With this access, it is then possible to run a new payload...
Cacti RCE via SQLi in pollers.php
This exploit module leverages a SQLi CVE-2023-49085 and a LFI CVE-2023-49084 vulnerability in Cacti versions prior to 1.2.26 to achieve RCE. Authentication is needed and the account must have access to the vulnerable PHP script pollers.php. This is granted by setting the Sites/Devices/Data...
HTTP Fetch, Linux Command Shell, Reverse SCTP Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/http/x64/shell/reversesctp msf payloadreversesctp show actions ...actions... msf payloadreversesctp set ACTION msf payloadreversesctp show...
Polkit D-Bus Authentication Bypass
A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operati...