6845 matches found
OSX Meterpreter, Reverse TCP Stager
Inject the mettle server payload staged. Connect back to the attacker. Module Options: msf use payload/osx/aarch64/meterpreter/reversetcp ...
Windows Cloud Files Mini Filter Driver Heap Overflow
This module exploits the Windows Cloud Files Mini Filter Driver cldflt.sys on Windows workstation versions 101809 through 1123H2 and Windows server versions 2022 to 2223H2. Module Options: msf use exploit/windows/local/cve202430085cloudfiles ...
Apache CouchDB Erlang RCE
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. Module Options: msf use exploit/multi/http/apachecouchdberlangrce ...
Gogs Git Hooks Remote Code Execution
This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gogs. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs...
Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE
Linux kernels from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37 are vulnerable to a bug in the eBPF verifier's verification of ALU32 operations in the scalar32_min_max_and function when performing AND operations, whereby under certain conditions the bounds of a 32 bit register would not b...
IconEnvironmentDataBlock - Windows LNK File Special UNC Path NTLM Leak
This module creates a malicious Windows shortcut LNK file that specifies a special UNC path in the IconEnvironmentDataBlock of a Shell Link .LNK that can trigger an authentication attempt to a remote server. This can be used to harvest NTLM authentication credentials. When a victim browses to the locati...
Roundcube Post-Auth RCE via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. An attacker can execute arbitrary system commands as the...
Froxlor Log Path RCE
Froxlor v2.0.7 and below suffer from a bug that allows authenticated users to change the application logs path to any directory on the OS level which the user www-data can write without restrictions from the backend which leads to writing a malicious Twig template that the application will render...
MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed
This module exploits a memory disclosure vulnerability in MongoDB's zlib decompression handling, CVE-2025-14847. By sending crafted OP_COMPRESSED messages with inflated BSON document lengths, the server reads beyond the decompressed buffer and returns leaked memory contents in error messages. The...
Cisco IOS XE unauthenticated Command Line Interface (CLI) execution
This module leverages CVE-2023-20198 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary CLI commands with privilege level 15. You must specify the IOS command mode to execute a CLI command in. Valid modes are user, privileged, and...
Cisco IOS XE unauthenticated OS command execution
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges. This module leverages CVE-2023-20198 to create a new admin user, then authenticating...
LDAP Login Scanner
This module attempts to login to the LDAP service. Module Options: msf use auxiliary/scanner/ldap/ldaplogin ... run. This module...
JetBrains TeamCity Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker...
Craft CMS Image Transform Preauth RCE (CVE-2025-32432)
This module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 3.x, 4.x, and 5.x. use exploit/linux/http/craftcmspreauthrcecve202532432 ...
SolarWinds Serv-U Unauthenticated Arbitrary File Read
This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" version 15.4.2.157 are affected. Module...
SpecialFolderDatablock - Windows LNK File Special UNC Path NTLM Leak
This module creates a malicious Windows shortcut LNK file that specifies a special UNC path in the SpecialFolderDatablock of a Shell Link .LNK that can trigger an authentication attempt to a remote server. This can be used to harvest NTLM authentication credentials. When a victim browses to the location...
Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability
A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via an unauthenticated HTTP POST request. The identified vulnerability within Gambio pertains to an insecure deserialization flaw, which ultimately allows an...
Pretalx Limited File Write to Remote Code Execution
This module exploits CVE-2023-28458, a limited file write in Pretalx, up to version 2.3.1. The module will use the vulnerability to write a malicious site-specific configuration hook for Python. Once the hook is written, the payload will be executed every time the Pretalx user runs any Python code. Pretalx...
Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)
This module exploits an unauthenticated remote command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi Repeater hardware model MT02. The vulnerability lies in the 'time' parameter of the time configuration endpoint, which is passed unsanitized to a shell command executed via the date -s...
TAR Path Traversal in Zimbra (CVE-2022-41352)
This module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can...
SOCKS Proxy Server
This module provides a SOCKS proxy server that uses the built-in Metasploit routing to relay connections. Module Options: msf use auxiliary/server/socksproxy ...
Themebleed - Windows 11 Themes Arbitrary Code Execution CVE-2023-38146
When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKMEVERSION is 999, it then attempts to load an accompanying dll file ending in _vrf.dll. Before loading that file, it verifies that the file is signed. It does...
InvoiceShelf unauthenticated PHP Deserialization Vulnerability
InvoiceShelf is an open-source web & mobile app that helps you track expenses, payments, create professional invoices & estimates and is based on the PHP framework Laravel. InvoiceShelf has a Remote Code Execution vulnerability that allows remote unauthenticated attackers to conduct PHP...
Ivanti Connect Secure Authenticated Remote Code Execution via OpenSSL CRLF Injection
This module exploits a CRLF injection vulnerability in Ivanti Connect Secure to achieve remote code execution CVE-2024-37404. Versions prior to 22.7R2.1 are vulnerable. Note that Ivanti Policy Secure versions prior to 22.7R1.1 are also vulnerable but this module doesn't support this software. Val...
Netfilter x_tables Heap OOB Write Privilege Escalation
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS via heap memory corruption through a user namespace. Kernels up to and including 5.11 are vulnerable. More information about vulnerable...
Pandora ITSM authenticated command injection leading to RCE via the backup function
Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support and customer service teams, aligned with ITIL processes. This module exploits a command injection vulnerability in the name backup setting at the application setup page of Pandora ITSM. This can be...
OS Command Exec, Unix Command Shell, Bind TCP (via Ruby) IPv6
Execute an OS command from PHP. Continually listen for a connection and spawn a command shell via Ruby. Module Options: msf use payload/php/unix/cmd/bindrubyipv6 ...
Malicious Windows Registration Entries (.reg) File
This module creates a Windows Registration Entries .reg file which adds the specified payload to the Windows Registry. The payload runs upon Windows login for the current user. If the user has elevated privileges when opening the file, the payload will run upon login when any user logs in. The us...
CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)
This combination of an Arbitrary File Read CVE-2024-34102 and a Buffer Overflow in glibc CVE-2024-2961 allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and earlier if the PHP and glibc versions are also vulnerable: - 2.4.7 and earlier -...
Windows Persistent Task Scheduler
This module establishes persistence by creating a scheduled task to run a payload. Module Options: msf use exploit/windows/persistence/taskscheduler ...
Microsoft Exchange ProxyNotShell RCE
This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend CVE-2022-41040, where a deserialization flaw can be leveraged to obtain code execution CVE-2022-41082. This exploit only suppor...
Yum Package Manager Persistence
This module will run a payload when the package manager is used. This module modifies a yum plugin to launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/ will show what plugins are currently enabled on the system. root permissions are likely required. Verified on CentOS 7.1...
WordPress RegistrationMagic task_ids Authenticated SQLi
RegistrationMagic, a WordPress plugin, prior to 5.0.1.5 is affected by an authenticated SQL injection via the task_ids parameter. Module Options: msf use auxiliary/scanner/http/wpregistrationmagicsqli ...
Maldoc in PDF Polyglot converter
A maliciously created MHT file can be opened in Microsoft Word even though it has the magic numbers and file structure of a PDF. If the file has a configured macro, opening it in Microsoft Word runs VBS that performs malicious behaviors. The attack does not bypass configured macro locks. And the malicio...
Windows Gather Mikrotik Winbox "Keep Password" Credentials Extractor
This module extracts Mikrotik Winbox credentials saved in the "settings.cfg.viw" file when the "Keep Password" option is selected in Winbox. Module Options: msf use post/windows/gather/credentials/winboxsettings ...
PHP Exec, PHP Command Shell, Bind TCP (via PHP)
Execute a PHP payload as an OS command from a POSIX-compatible shell. Listen for a connection and spawn a command shell via PHP. Module Options: msf use payload/cmd/unix/php/bindphp ...
ICTBroadcast Unauthenticated Remote Code Execution
This module exploits an unauthenticated remote code execution RCE vulnerability in ICTBroadcast. The vulnerability exists in the way session cookies are handled and processed, allowing an attacker to inject arbitrary system commands. Module Options msf use...
rc.local Persistence
This module will edit /etc/rc.local in order to persist a payload. The payload will be executed on the next reboot. Verified on Ubuntu 18.04.3. Module Options: msf use exploit/linux/persistence/rclocal ...
OS Command Exec, Unix Command Shell, Reverse TCP SSL (via python)
Execute an OS command from PHP. Creates an interactive shell via python, uses SSL, encodes with base64 by design. Module Options: msf use payload/php/unix/cmd/reversepythonssl ...
ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution
This module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605. The vulnerability allows an unauthenticated attacker to obtain remote code execution by enabling user registration, disabling the whitelist of allowed file extensions, and uploading a malicio...
Apache Commons Text RCE
This exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the "script", "dns" and "url" lookup keys...
Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.
A command injection vulnerability exists in Kafka UI between v0.4.0 and v0.7.1, allowing an attacker to inject and execute arbitrary shell commands via the groovy filter parameter in the topic section. Module Options: msf use exploit/linux/http/kafkauiunauthrcecve202352251 ...
SolarWinds Orion Secrets Dump
This module exports and decrypts credentials from SolarWinds Orion Network Performance Monitor NPM to a CSV file; it is intended as a post-exploitation module for Windows hosts with SolarWinds Orion NPM installed. The module supports decryption of AES-256, RSA, and XMLSEC secrets. Separate action...
Invision Community 5.0.6 customCss RCE
Invision Community up to and including version 5.0.6 contains a remote code execution vulnerability in the theme editor's customCss endpoint. By crafting a specially formatted content parameter with an expression="..." construct, arbitrary PHP can be evaluated. This module leverages that flaw to...
WordPress Hash Form Plugin RCE
The Hash Form - Drag & Drop Form Builder plugin for WordPress suffers from a critical vulnerability due to missing file type validation in the fileuploadaction function. This vulnerability exists in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload...
PyTorch Model Server Registration and Deserialization RCE
The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management interface is bound to all IP addresses and not just the loopback interface as the...
vBulletin replaceAdTemplate Remote Code Execution
This module exploits a design flaw in vBulletin's AJAX API handler and template rendering system, present in versions 5.0.0 through 6.0.3. The vulnerability allows unauthenticated attackers to invoke protected controller methods via the ajax/api/ad/replaceAdTemplate endpoint, due to improper use ...
Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE
This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6. When the "Allow unknown devices" setting is enabled, it is possible to simulate keyboard input via UDP packets without authentication. By sending a sequence of key presses, an attacker can open t...
SharePoint Dynamic Proxy Generator Unauth RCE
This module exploits two vulnerabilities in SharePoint 2019: an auth bypass, CVE-2023-29357, which was patched in June of 2023, and CVE-2023-24955, an RCE which was patched in May of 2023. The auth bypass allows attackers to impersonate the SharePoint Admin user. This vulnerability stems from the...
Xorcom CompletePBX Authenticated File Disclosure via Backup Download
This module exploits an authenticated file disclosure vulnerability in CompletePBX. use auxiliary/scanner/http/xorcomcompletepbxfiledisclosure ...