Powershell Exec, Windows x86 Bind Named Pipe Stager

Execute an x86 payload from a command via PowerShell. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/powershell/patchupdllinject/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show...

Powershell Exec, Hidden Bind Ipknock TCP Stager

Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socke...

Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)

Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTPS Windows x64 winhttp Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION msf...

Powershell Exec, Windows Command Shell, Reverse TCP Stager

Execute an x86 payload from a command via PowerShell. Spawn a piped command shell staged. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp sho...

Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)

Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp sho...

Android 'Towelroot' Futex Requeue Kernel Exploit

This module exploits a bug in futexrequeue in the Linux kernel, using similar techniques employed by the towelroot exploit. Any Android device with a kernel built before June 2014 is likely to be vulnerable. This module requires Metasploit: https://metasploit.com/download Current source:...

Quectel Cellular Modem Pivot (Serial AT)

Opens a serial connection to a Quectel cellular modem and registers it as a 'modem' session capable of network pivoting. The Quectel modems have a limited number of sockets available, configurable using MODEMSOCKETS. Once the session is established, it can be routed through using the route comman...

HTTP Fetch, Bind IPv6 TCP Stager (Windows x86)

Fetch and execute an x86 payload from an HTTP server. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/http/x86/meterpreter/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...sh...

HTTPS Fetch, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Fetch and execute an x86 payload from an HTTPS server. Listen for an IPv6 connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/https/x86/patchupmeterpreter/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION ms...

HTTPS Fetch, Reverse HTTP Stager Proxy

Fetch and execute an x86 payload from an HTTPS server. Tunnel communication over HTTP Module Options msf use payload/cmd/windows/https/x86/dllinject/reversehttpproxypstore msf payloadreversehttpproxypstore show actions ...actions... msf payloadreversehttpproxypstore set ACTION msf...

HTTPS Fetch, Windows shellcode stage, Windows x86 Bind Named Pipe Stager

Fetch and execute an x86 payload from an HTTPS server. Custom shellcode stage. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/https/x86/custom/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf...

HTTP Fetch, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)

Fetch and execute an x86 payload from an HTTP server. Uploads an executable and runs it staged. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/upexec/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION ms...

HTTPS Fetch, DNS TXT Record Payload Download and Execution

Fetch and execute an x86 payload from an HTTPS server. Performs a TXT query against a series of DNS records and executes the returned x86 shellcode. The DNSZONE option is used as the base name to iterate over. The payload will first request the TXT contents of the a hostname, followed by b, then ...

ESC/POS Printer Command Injector

This module exploits an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. You can print a custom message, trigger the attached cash drawer, or cut the paper. Module Options msf use auxiliary/admin/printer/escpostcpcommandinjector msf...

HTTPS Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)

Fetch and execute an x86 payload from an HTTPS server. Spawn a command shell staged. Connect back to attacker over IPv6 Module Options msf use payload/cmd/linux/https/x86/shell/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf...

vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.

This module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widgettabbedcontainertabpanel' template while also providing the 'widgetphp' argument. This causes the former template to load the...

ColdFusion 'password.properties' Hash Extraction

This module uses a directory traversal vulnerability to extract information such as password, rdspassword, and "encrypted" properties. This module has been tested successfully on ColdFusion 9 and ColdFusion 10 auto-detect. This module requires Metasploit: https://metasploit.com/download Current...

HTTPS Fetch, Reverse TCP Stager

Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker Module Options msf use payload/cmd/windows/https/x86/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...

Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)

Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/custom/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid s...

Powershell Exec, Windows Reverse HTTP Stager (winhttp)

Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/cmd/windows/powershell/vncinject/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp...

Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support

Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/vncinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...

Wordpress MasterStudy Admin Account Creation

MasterStudy LMS, a WordPress plugin, prior to 2.7.6 is affected by a privilege escalation where an unauthenticated user is able to create an administrator account for wordpress itself. Module Options msf use auxiliary/admin/http/wpmasterstudyprivesc msf auxiliarywpmasterstudyprivesc show actions...

Sitecore Experience Platform (XP) PreAuth Deserialization RCE

This module exploits a deserialization vulnerability in the Report.ashx page of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7. Versions 7.2.6 and earlier and 9.0 and later are not affected. The vulnerability occurs due to Report.ashx's handler, located in...

HTTP Fetch, Reverse TCP Stager (IPv6)

Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/http/x86/meterpreter/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show...

HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x86)

Fetch and execute an x86 payload from an HTTPS server. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/https/x86/patchupmeterpreter/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuu...

HTTPS Fetch, Bind IPv6 TCP Stager (Windows x86)

Fetch and execute an x86 payload from an HTTPS server. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/https/x86/patchupdllinject/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show option...

HTTP Fetch, Windows Command Shell, Reverse TCP Stager (DNS)

Fetch and execute an x86 payload from an HTTP server. Spawn a piped command shell staged. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/shell/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf...

HTTPS Fetch, Windows shellcode stage, Reverse TCP Stager (No NX or Win7)

Fetch and execute an x86 payload from an HTTPS server. Custom shellcode stage. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/https/x86/custom/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf...

HTTP Fetch, Reverse HTTP Stager Proxy

Fetch and execute an x86 payload from an HTTP server. Tunnel communication over HTTP Module Options msf use payload/cmd/windows/http/x86/vncinject/reversehttpproxypstore msf payloadreversehttpproxypstore show actions ...actions... msf payloadreversehttpproxypstore set ACTION msf...

TFTP Fetch, Reverse TCP Stager

Fetch and execute a x86 payload from a TFTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/x86/meterpreter/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show options ...show an...

Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)

Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/custom/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION msf...

Powershell Exec, Reverse TCP Stager

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/vncinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...

Powershell Exec, Windows Upload/Execute, Bind TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it staged. Listen for a connection No NX Module Options msf use payload/cmd/windows/powershell/upexec/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf...

WordPress Loginizer log SQLi Scanner

Loginizer wordpress plugin contains an unauthenticated timebased SQL injection in versions before 1.6.4. The vulnerable parameter is in the log parameter. Wordpress has forced updates of the plugin to all servers Module Options msf use auxiliary/scanner/http/wploginizerlogsqli msf...

PHPMailer Sendmail Argument Injection

PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to th...

Apache Reverse Proxy Bypass Vulnerability Scanner

Scan for poorly configured reverse proxy servers. By default, this module attempts to force the server to make a request with an invalid domain name. Then, if the bypass is successful, the server will look it up and of course fail, then responding with a status code 502. A baseline status code is...

HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/meterpreter/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show an...

Softing Secure Integration Server Login Utility

This module will attempt to authenticate to a Softing Secure Integration Server. Module Options msf use auxiliary/scanner/http/softingsislogin msf auxiliarysoftingsislogin show actions ...actions... msf auxiliarysoftingsislogin set ACTION msf auxiliarysoftingsislogin show options ...show and set...

Powershell Exec, Windows Command Shell, Reverse TCP Stager with UUID Support

Execute an x86 payload from a command via PowerShell. Spawn a piped command shell staged. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/powershell/shell/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set...

Microsoft Windows SMB Direct Session Takeover

This module will intercept direct SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit...

Linux BPF Sign Extension Local Privilege Escalation

Linux kernel prior to 4.14.8 contains a vulnerability in the Berkeley Packet Filter BPF verifier. The checkaluop function performs incorrect sign extension which allows the verifier to be bypassed, leading to arbitrary kernel read/write. The target system must be compiled with BPF support and...

LNK Code Execution Vulnerability

This module exploits a vulnerability in the handling of Windows Shortcut files .LNK that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 CVE-2015-0096. The created LNK file is similar except an additional SpecialFolderDataBlock is included. The...

NTLM Relay to Self (HTTP to LDAP) - Post Exploitation

This module performs an NTLM relay-to-self privilege escalation attack. It starts an HTTP-to-LDAP relay server on the compromised host, then triggers the WebClient service via an ETW event allowing a low-privilege user to start it, and coerces the local machine account to authenticate via...

HTTPS Fetch, Hidden Bind Ipknock TCP Stager

Fetch and execute an x86 payload from an HTTPS server. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The sock...

HTTPS Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)

Fetch and execute an x86 payload from an HTTPS server. Custom shellcode stage. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/https/x86/custom/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf...

Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)

Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf payloadreversehttps...

Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager

Execute an x86 payload from a command via PowerShell. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/powershell/peinject/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...

Netgear PNPX_GetShareFolderList Authentication Bypass

This module targets an authentication bypass vulnerability in the minihttp binary of several Netgear Routers running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows unauthenticated attackers to reveal the password for the admin user that is used to...

Microsoft Spooler Local Privilege Elevation Vulnerability

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds...

ThinkPHP Multiple PHP Injection RCEs

This module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of...