HTTPS Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from an HTTPS server. Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/https/x64/shell/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf...
Python Exec, Python Meterpreter, Python Bind TCP Stager
Execute a Python payload from a command. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection Module Options msf use payload/cmd/windows/python/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp...
Polkit D-Bus Authentication Bypass
A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operati...
HTTPS Fetch, Windows Command Shell, Hidden Bind Ipknock TCP Stager
Fetch and execute an x86 payload from an HTTPS server. Spawn a piped command shell staged. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get...
WordPress StoryChief Plugin Unauthenticated RCE
This module exploits an unauthenticated arbitrary file upload vulnerability in the StoryChief WordPress plugin use exploit/multi/http/wppluginstorycheffileupload msf exploitwppluginstorycheffileupload show targets ...targets... msf exploitwppluginstorycheffileupload set TARGET msf...
Gladinet CentreStack/Triofox Path Traversal
This module exploits a path traversal vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox that allows an unauthenticated attacker to read arbitrary files from the server's file system. The vulnerability exists in the /storage/t.dn endpoint which does not properly sanitize the s...
HTTPS Fetch, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from an HTTPS server. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/https/x64/meterpreter/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf...
HTTP Fetch, Linux Command Shell, Reverse SCTP Stager
Fetch and execute an x64 payload from an HTTP server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/http/x64/shell/reversesctp msf payloadreversesctp show actions ...actions... msf payloadreversesctp set ACTION msf payloadreversesctp show...
HTTPS Fetch, Windows Upload/Execute, Hidden Bind TCP Stager
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Listen for a connection from a hidden port and spawn a command shell to the allowed host. Module Options msf use payload/cmd/windows/https/x86/upexec/bindhiddentcp msf payloadbindhiddentcp show action...
HTTPS Fetch, Linux Reboot
Fetch and execute a RISC-V 32-bit payload from an HTTPS server. A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/cmd/linux/https/riscv32le/reboot msf...
Ghostscript Command Execution via Format String
This module exploits a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands. This vulnerability is reachable via libraries such as ImageMagick. This exploit only works against Ghostscript versions 10.03.0 and 10.01.2...
HTTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
Fetch and execute an x86 payload from an HTTP server. Spawn a command shell staged. Listen for an IPv6 connection Linux x86 Module Options msf use payload/cmd/linux/http/x86/shell/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp...
HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from an HTTPS server. Custom shellcode stage. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/https/x64/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION ms...
TFTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)
Fetch and execute an x64 payload from a TFTP server. Listen for an IPv6 connection and spawn a command shell Module Options msf use payload/cmd/linux/tftp/x64/shellbindipv6tcp msf payloadshellbindipv6tcp show actions ...actions... msf payloadshellbindipv6tcp set ACTION msf payloadshellbindipv6tcp...
HTTPS Fetch, Windows Reverse HTTP Stager (wininet)
Fetch and execute an x86 payload from an HTTPS server. Tunnel communication over HTTP Windows wininet Module Options msf use payload/cmd/windows/https/x86/vncinject/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show options...
GrandStream GXP1600 proxy SIP traffic
This capture module works against Grandstream GXP1600 series VoIP devices and can reconfigure the device to use an arbitrary SIP proxy. You can first leverage the exploit/linux/http/grandstreamgxp1600unauthrce exploit module to get a root session on a target GXP1600 series device before running...
Gladinet CentreStack/Triofox Access Ticket Forge
This module forges access tickets for the Gladinet CentreStack/Triofox /storage/filesvr.dn endpoint. The vulnerability exists because the application uses hardcoded cryptographic keys in GladCtrl64.dll to encrypt/decrypt access tickets. The access ticket is an encrypted string that contains: -...
Ivanti EPM Agent Portal Command Execution
This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2. Module...
TFTP Fetch, Windows x64 Pingback, Reverse TCP Inline
Fetch and execute an x64 payload from a TFTP server. Connect back to attacker and report UUID Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION msf...
HTTPS Fetch, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an HTTPS server. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/https/x64/peinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... m...
HTTPS Fetch
Fetch and execute an x64 payload from an HTTPS server. Module Options msf use payload/cmd/windows/https/x64/powershellreversetcp msf payloadpowershellreversetcp show actions ...actions... msf payloadpowershellreversetcp set ACTION msf payloadpowershellreversetcp show options ...show and set...
Windows Gather Installed Application Within Chocolatey Enumeration
This module will enumerate all installed applications on a Windows system with Chocolatey installed Module Options msf use post/windows/gather/enumchocolateyapplications msf postenumchocolateyapplications show actions ...actions... msf postenumchocolateyapplications set ACTION msf...
WordPress Modern Events Calendar SQLi Scanner
Modern Events Calendar plugin contains an unauthenticated time-based SQL injection in versions before 6.1.5. The time parameter is vulnerable to injection. Module Options msf use auxiliary/scanner/http/wpmoderneventscalendarsqli msf auxiliarywpmoderneventscalendarsqli show actions ...actions... ms...
TFTP Fetch, Reverse TCP Stager (IPv6)
Fetch and execute an x86 payload from a TFTP server. Connect back to attacker over IPv6 Module Options msf use payload/cmd/linux/tftp/x86/meterpreter/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show options...
TFTP Fetch, Windows x64 IPv6 Bind TCP Stager
Fetch and execute an x64 payload from a TFTP server. Listen for an IPv6 connection Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/vncinject/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...show...
HTTP Fetch
Fetch and execute an x64 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x64/powershellreversetcp msf payloadpowershellreversetcp show actions ...actions... msf payloadpowershellreversetcp set ACTION msf payloadpowershellreversetcp show options ...show and set...
HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an HTTPS server. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/https/x64/peinject/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...
Remote Mouse RCE
This module utilizes the Remote Mouse Server by Emote Interactive protocol to deploy a payload and run it from the server on versions use exploit/windows/misc/remotemouserce msf exploitremotemouserce show targets ...targets... msf exploitremotemouserce set TARGET msf exploitremotemouserce show...
Moodle Teacher Enrollment Privilege Escalation to RCE
Moodle version 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions allow for a teacher to exploit chain to RCE. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add...
GetSimpleCMS PHP File Upload Vulnerability
This module exploits a file upload vulnerability in GetSimple CMS. By abusing the upload.php file, a malicious authenticated user can upload an arbitrary file, including PHP code, which results in arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Current...
HTTPS Fetch, Windows Upload/Execute, Reverse UDP Stager with UUID Support
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/https/x86/upexec/reverseudp msf payloadreverseudp show actions ...actions... msf payloadreverseudp set ACTION...
HTTPS Fetch, Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
Fetch and execute an x86 payload from an HTTPS server. Uploads an executable and runs it staged. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/https/x86/upexec/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid s...
HTTPS Fetch, Reverse TCP Stager
Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker Module Options msf use payload/cmd/windows/https/x86/vncinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
Unix SSH Shell, Bind Instance Connect (via AWS API)
Creates an SSH shell using AWS Instance Connect Module Options msf use payload/cmd/unix/bindawsinstanceconnect msf payloadbindawsinstanceconnect show actions ...actions... msf payloadbindawsinstanceconnect set ACTION msf payloadbindawsinstanceconnect show options ...show and set options... msf...
TFTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from a TFTP server. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/tftp/x64/meterpreter/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhtt...
HTTPS Fetch, Windows MessageBox x64
Fetch and execute an x64 payload from an HTTPS server. Spawn a dialog via MessageBox using a customizable title, text & icon Module Options msf use payload/cmd/windows/https/x64/messagebox msf payloadmessagebox show actions ...actions... msf payloadmessagebox set ACTION msf payloadmessagebox show...
Linux WSL via Startup Folder Persistence
This module establishes persistence by creating a payload in the Windows startup folder from within the Windows Subsystem for Linux (WSL) environment. This allows for code execution on Windows user login. Verified on Windows 10 with Ubuntu 24.04 WSL distribution. Module Options msf use...
Barracuda ESG Spreadsheet::ParseExcel Arbitrary Code Execution
This module exploits CVE-2023-7102, an arbitrary code execution vulnerability in Barracuda Email Security Gateway (ESG) appliances. The vulnerability exists in how the Amavis scanner processes Excel attachments using the Perl Spreadsheet::ParseExcel library. The library's Utility.pm contains an...
Apache HugeGraph Gremlin RCE
This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server Module Options msf...
HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
Fetch and execute an x64 payload from an HTTP server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/http/x64/meterpreterreverseipv6tcp msf payloadmeterpreterreverseipv6tcp show actions ...actions... msf...
TFTP Fetch, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from a TFTP server. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... m...
HTTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)
Fetch and execute an x64 payload from an HTTP server. Tunnel communication over HTTPS Windows x64 winhttp Module Options msf use payload/cmd/windows/http/x64/vncinject/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION msf...
HTTPS Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)
Fetch and execute an x64 payload from an HTTPS server. Connect back to attacker and spawn a command shell over IPv6 Module Options msf use payload/cmd/linux/https/x64/shellreverseipv6tcp msf payloadshellreverseipv6tcp show actions ...actions... msf payloadshellreverseipv6tcp set ACTION msf...
Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera
Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots. The vulnerability has been present in Hikvision products since 2014. ...
VMware vCenter Server vmdir Information Disclosure
This module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server version 6.7 prior to the 6.7U3f update, only if upgraded from a previous release line, such as 6.0 or 6.5. If the bind username and password are provided (BINDDN and BINDPW options), thes...
Linux Nested User Namespace idmap Limit Local Privilege Escalation
This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the...
Microsoft IIS WebDav ScStoragePathFromUrl Overflow
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: Authors Zhiniang Peng Chen Wu Dominic Chell firefart...
HTTPS Fetch, Windows Command Shell, Reverse TCP Inline
Fetch and execute an x86 payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/windows/https/x86/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sho...
Azure CLI Credentials Gatherer
This module will collect the Azure CLI 2.0+ (az cli) settings files for all users on a given target. These configuration files contain JWT tokens used to authenticate users and other subscription information. Once tokens are stolen from one host, they can be used to impersonate the user from a...
Windows Gather Virtual Environment Detection
This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU, and Parallels. This module requires Metasploit: https://metasploit.com/download Current source:...