HTTPS Fetch, Windows Command Shell, Reverse TCP Stager (DNS)

Fetch and execute an x86 payload from an HTTPS server. Spawn a piped command shell staged. Connect back to the attacker Module Options msf use payload/cmd/windows/https/x86/shell/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf...

CarotDAV Credential Gatherer

This module searches for credentials stored on CarotDAV FTP Client on a Windows host. Module Options msf use post/windows/gather/credentials/carotdavftp msf postcarotdavftp show actions ...actions... msf postcarotdavftp set ACTION msf postcarotdavftp show options ...show and set options... msf...

SMB Fetch, Windows x64 Pingback, Reverse TCP Inline

Fetch and execute an x64 payload from an SMB server. Connect back to attacker and report UUID Windows x64 Module Options msf use payload/cmd/windows/smb/x64/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION msf...

TFTP Fetch, Bind TCP Stager (Linux x86)

Fetch and execute a x86 payload from a TFTP server. Listen for a connection Linux x86 Module Options msf use payload/cmd/linux/tftp/x86/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... msf...

HTTP Fetch, Linux Meterpreter Service, Bind TCP

Fetch and execute a x86 payload from an HTTP server. Stub payload for interacting with a Meterpreter Service Module Options msf use payload/cmd/linux/http/x86/metsvcbindtcp msf payloadmetsvcbindtcp show actions ...actions... msf payloadmetsvcbindtcp set ACTION msf payloadmetsvcbindtcp show option...

TFTP Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager

Fetch and execute an x64 payload from a TFTP server. Custom shellcode stage. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/custom/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf...

HTTPS Fetch, Windows x64 Reverse TCP Stager

Fetch and execute an x64 payload from an HTTPS server. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/https/x64/peinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and...

Spring Cloud Gateway Remote Code Execution

This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions = 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to...

TFTP Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)

Fetch and execute an x64 payload from a TFTP server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/tftp/x64/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf...

TFTP Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x64 payload from a TFTP server. Spawn a piped command shell Windows x64 staged. Connect back to the attacker Module Options msf use payload/cmd/windows/tftp/x64/shell/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf...

VMware vCenter Secrets Dump

Grab secrets and keys from the vCenter server and add them to loot. This module is tested against the vCenter appliance only; it will not work on Windows vCenter instances. It is intended to be run after successfully acquiring root access on a vCenter appliance and is useful for penetrating furth...

Modbus Banner Grabbing

This module grabs the banner of any device running the Modbus protocol by sending a request with Modbus Function Code 43 Read Device Identification. Modbus is a data communications protocol originally published by Modicon now Schneider Electric in 1979 for use with its programmable logic...

HTTPS Fetch, Windows Command Shell, Bind TCP Inline

Fetch and execute an x86 payload from an HTTPS server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/windows/https/x86/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...

SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x64 payload from an SMB server. Connect back to the attacker Module Options msf use payload/cmd/windows/smb/x64/peinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show and set...

TFTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager

Fetch and execute an x64 payload from a TFTP server. Custom shellcode stage. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/custom/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show a...

TFTP Fetch

Fetch and execute an x64 payload from a TFTP server. Module Options msf use payload/cmd/windows/tftp/x64/powershellbindtcp msf payloadpowershellbindtcp show actions ...actions... msf payloadpowershellbindtcp set ACTION msf payloadpowershellbindtcp show options ...show and set options... msf...

Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE

This module exploits LFI and log poisoning vulnerabilities CVE-2020-16152 in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative webinterface...

Citrix ADC (NetScaler) CVE-2026-3055 Scanner

This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory from a target Citrix ADC server configured as a SAML IdP. The leaked memory is then scanned for session cookies which can be hijacked if found. Module Options msf use...

Tenable Security Center

This module collects credentials and setup information from Tenable Security Center. root or TNS user permissions are required. We don't utilize SC's builtin backup functionality as that requires SC to be shut down. The module works in 2 phases: Phase 1: gather all passwords which can be decrypte...

HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE

A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted zip file zip-slip to traverse backwards through the filesystem, then to the webroot, where they can extract a PHP file that spawns a shell to get full RCE in the context of the webserver. Module...

HTTP Fetch, Bind IPv6 TCP Stager (Windows x86)

Fetch and execute an x86 payload from an HTTP server. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/http/x86/patchupdllinject/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options...

HTTP Fetch, Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)

Fetch and execute an x86 payload from an HTTP server. Uploads an executable and runs it staged. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/http/x86/upexec/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf...

HTTP Fetch, Bind TCP Stager (Windows x86)

Fetch and execute an x86 payload from an HTTP server. Listen for a connection Windows x86 Module Options msf use payload/cmd/windows/http/x86/vncinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... ms...

Docker Privileged Container Kernel Escape

This module performs a container escape onto the host as the daemon user. It takes advantage of the SYSMODULE capability. If that exists and the linux headers are available to compile on the target, then we can escape onto the host. Module Options msf use...

SMB Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)

Fetch and execute an x64 payload from an SMB server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/smb/x64/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf...

Find Users Without Pre-Auth Required (ASREP-roast)

This module searches for AD users without pre-auth required. Two different approaches are provided: - Brute force of usernames does not require a user account; should not lock out accounts - LDAP lookup requires an AD user account Module Options msf use auxiliary/gather/asrep msf auxiliaryasrep...

HTTP Fetch, Linux Command Shell, Bind TCP Stager

Fetch and execute a x86 payload from an HTTP server. Spawn a command shell staged. Listen for a connection Module Options msf use payload/cmd/linux/http/x86/shell/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp show options...

HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support

Fetch and execute an x64 payload from an HTTPS server. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/https/x64/meterpreter/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...

HTTPS Fetch, Linux Command Shell, Reverse TCP Stager

Fetch and execute an x64 payload from an HTTPS server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/https/x64/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show option...

HTTP Fetch, Windows x86 Pingback, Reverse TCP Inline

Fetch and execute an x86 payload from an HTTP server. Connect back to attacker and report UUID Windows x86 Module Options msf use payload/cmd/windows/http/x86/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION msf...

SMB Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support

Fetch and execute an x64 payload from an SMB server. Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/shell/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf...

HTTPS Fetch, Reverse TCP Stager (IPv6)

Fetch and execute an x86 payload from an HTTPS server. Connect back to attacker over IPv6 Module Options msf use payload/cmd/linux/https/x86/meterpreter/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show options...

HTTP Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)

Fetch and execute an x64 payload from an HTTP server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/http/x64/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf...

TFTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x64 payload from a TFTP server. Connect back to the attacker Module Options msf use payload/cmd/windows/tftp/x64/vncinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options...

HTTPS Fetch, Windows x64 Command Shell, Bind TCP Inline

Fetch and execute an x64 payload from an HTTPS server. Listen for a connection and spawn a command shell Windows x64 Module Options msf use payload/cmd/windows/https/x64/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show...

TFTP Fetch, Linux x64 Pingback, Bind TCP Inline

Fetch and execute an x64 payload from a TFTP server. Accept a connection from attacker and report UUID Linux x64 Module Options msf use payload/cmd/linux/tftp/x64/pingbackbindtcp msf payloadpingbackbindtcp show actions ...actions... msf payloadpingbackbindtcp set ACTION msf payloadpingbackbindtcp...

Sourcegraph gitserver sshCommand RCE

A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was...

Apache Druid 0.20.0 Remote Command Execution

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to 0.20.1, an authenticated user can send a specially-crafted request that both enables the JavaScript...

TVT NVMS-1000 Directory Traversal

This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80. This module requires Metasploit: https://metasploit.com/download Current source:...

WordPress Admin Shell Upload

This module will generate a plugin, pack the payload into it and upload it to a server running WordPress provided valid admin credentials are used. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/zip' cla...

Supsystic Contact Form Wordpress Plugin SSTI RCE

This module performs SSTI achieving RCE in webpages containing the Contact Form Wordpress plugin by Supsystic in versions 1.7.36 and before. Module Options msf use exploit/multi/http/wppluginsupsysticcontactformrce msf exploitwppluginsupsysticcontactformrce show targets ...targets... msf...

HTTPS Fetch, Reverse TCP Stager (DNS)

Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker Module Options msf use payload/cmd/windows/https/x86/vncinject/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show options ...show an...

HTTP Fetch

Fetch and execute an x86 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x86/powershellreversetcp msf payloadpowershellreversetcp show actions ...actions... msf payloadpowershellreversetcp set ACTION msf payloadpowershellreversetcp show options ...show and set...

Calibre Python Code Injection (CVE-2024-6782)

This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled disabled by default, it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any...

HTTP Fetch, Bind TCP Stager

Fetch and execute a x86 payload from an HTTP server. Listen for a connection Module Options msf use payload/cmd/linux/http/x86/meterpreter/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp show options ...show and set options...

TFTP Fetch, Linux Add User

Fetch and execute a x86 payload from a TFTP server. Create a new user with UID 0 Module Options msf use payload/cmd/linux/tftp/x86/adduser msf payloadadduser show actions ...actions... msf payloadadduser set ACTION msf payloadadduser show options ...show and set options... msf payloadadduser run...

TFTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support

Fetch and execute an x64 payload from a TFTP server. Custom shellcode stage. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/tftp/x64/custom/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set...

HTTPS Fetch, Linux Execute Command

Fetch and execute an x64 payload from an HTTPS server. Execute an arbitrary command or just a /bin/sh shell Module Options msf use payload/cmd/linux/https/x64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf...

ManageEngine ADAudit Plus CVE-2022-28219

This module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060: a path traversal in the /cewolf endpoint, and a blind XXE in, to upload and execute an executable file. Module Options msf use...

HTTP Fetch, Windows Command Shell, Bind TCP Stager (No NX or Win7)

Fetch and execute an x86 payload from an HTTP server. Spawn a piped command shell staged. Listen for a connection No NX Module Options msf use payload/cmd/windows/http/x86/shell/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp...