6846 matches found
DNS BailiWicked Host Attack
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed in July 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those...
HTTPS Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)
Fetch and execute an x86 payload from an HTTPS server. Custom shellcode stage. Listen for a connection with UUID Support (Windows x86). Module Options: msf > use payload/cmd/windows/https/x86/custom/bind_tcp_uuid; msf payload(bind_tcp_uuid) > show actions ...actions...; msf payload(bind_tcp_uuid) > set ACTION; msf...
HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/https/x86/patchupdllinject/reverse_tcp_rc4; msf payload(reverse_tcp_rc4) > show actions ...actions...; msf payload(reverse_tcp_rc4) > set ACTION; msf payload(reverse_tcp_rc4) > show options...
Synology Forget Password User Enumeration Scanner
This module attempts to enumerate users on a Synology NAS by sending GET requests to the forgot-password URL. The Synology NAS responds differently depending on whether a user exists. These requests count as login attempts, and the default policy is a permanent block after 10 login attempts in 5 minutes. Set the delay according...
HTTPS Fetch, Reverse TCP Stager (DNS)
Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/https/x86/meterpreter/reverse_tcp_dns; msf payload(reverse_tcp_dns) > show actions ...actions...; msf payload(reverse_tcp_dns) > set ACTION; msf payload(reverse_tcp_dns) > show options ...show...
HTTPS Fetch, Bind TCP Stager (Windows x86)
Fetch and execute an x86 payload from an HTTPS server. Listen for a connection (Windows x86). Module Options: msf > use payload/cmd/windows/https/x86/dllinject/bind_tcp; msf payload(bind_tcp) > show actions ...actions...; msf payload(bind_tcp) > set ACTION; msf payload(bind_tcp) > show options ...show and set options...
HTTPS Fetch, Generic x86 Tight Loop
Fetch and execute an x86 payload from an HTTPS server. Generate a tight loop in the target process. Module Options: msf > use payload/cmd/windows/https/x86/generic/tight_loop; msf payload(tight_loop) > show actions ...actions...; msf payload(tight_loop) > set ACTION; msf payload(tight_loop) > show options ...show and s...
HTTPS Fetch, Windows Meterpreter Service, Bind TCP
Fetch and execute an x86 payload from an HTTPS server. Stub payload for interacting with a Meterpreter Service. Module Options: msf > use payload/cmd/windows/https/x86/metsvc_bind_tcp; msf payload(metsvc_bind_tcp) > show actions ...actions...; msf payload(metsvc_bind_tcp) > set ACTION; msf payload(metsvc_bind_tcp) > show...
Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support
Execute a Python payload from a command. Run a Meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection with UUID Support. Module Options: msf > use payload/cmd/windows/python/meterpreter/bind_tcp_uuid; msf payload(bind_tcp_uuid) > show actions ...actions...; msf payload(bind_tcp_uuid)...
Powershell Exec, Windows shellcode stage, Bind TCP Stager (No NX or Win7)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (No NX). Module Options: msf > use payload/cmd/windows/powershell/custom/bind_nonx_tcp; msf payload(bind_nonx_tcp) > show actions ...actions...; msf payload(bind_nonx_tcp) > set ACTION; msf payload(bind_nonx_tcp) > show...
Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it staged. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/powershell/upexec/reverse_tcp_rc4; msf payload(reverse_tcp_rc4) > show actions ...actions...; msf payload(reverse_tcp_rc4) > set ACTION; msf...
Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump
This module uses a blind SQL injection CVE-2020-5724 affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge as part of a challenge and response authentication...
Windows SAM secrets leak - HiveNightmare
Due to mismanagement of the SAM and SYSTEM hives in Windows 10, an unprivileged user can read those files. However, because they are locked while Windows is running, they cannot be read directly. The trick is to take advantage of Volume Shadow Copy, which is generally enabled, to...
F5 Gather Device General Information
This module collects an F5 device's information and configuration. Module Options: msf > use post/networking/gather/enum_f5; msf post(enum_f5) > show actions ...actions...; msf post(enum_f5) > set ACTION; msf post(enum_f5) > show options ...show and set options...; msf post(enum_f5) > run. This module requires Metasploit:...
Zivif Camera iptest.cgi Blind Remote Command Execution
This module exploits a remote command execution vulnerability in Zivif webcams, known to affect versions up to and including v2.3.4.2103. The issue is tracked as CVE-2017-17105. This module requires Metasploit: https://metasploit.com/download Current source:...
AppXSvc Hard Link Privilege Escalation
There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This module employs a...
Advantech Switch Bash Environment Variable Code Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322D1.98. This module...
OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
This module provides a fake SSL service intended to leak memory from client systems as they connect. It is hardcoded to use the AES-128-CBC-SHA1 cipher. This module requires Metasploit: https://metasploit.com/download Current source:...
Distributed Ruby Remote Code Execution
This module exploits remote code execution vulnerabilities in dRuby...
HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/https/x86/dllinject/reverse_tcp_rc4; msf payload(reverse_tcp_rc4) > show actions ...actions...; msf payload(reverse_tcp_rc4) > set ACTION; msf payload(reverse_tcp_rc4) > show options ...show an...
HTTPS Fetch, Bind TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTPS server. Listen for a connection (No NX). Module Options: msf > use payload/cmd/windows/https/x86/meterpreter/bind_nonx_tcp; msf payload(bind_nonx_tcp) > show actions ...actions...; msf payload(bind_nonx_tcp) > set ACTION; msf payload(bind_nonx_tcp) > show options ...show and set...
HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x86)
Fetch and execute an x86 payload from an HTTPS server. Listen for a connection with UUID Support (Windows x86). Module Options: msf > use payload/cmd/windows/https/x86/meterpreter/bind_tcp_uuid; msf payload(bind_tcp_uuid) > show actions ...actions...; msf payload(bind_tcp_uuid) > set ACTION; msf payload(bind_tcp_uuid) > show...
HTTPS Fetch, Reverse TCP Stager (DNS)
Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/https/x86/patchupdllinject/reverse_tcp_dns; msf payload(reverse_tcp_dns) > show actions ...actions...; msf payload(reverse_tcp_dns) > set ACTION; msf payload(reverse_tcp_dns) > show options...
HTTP Fetch, Find Tag Ordinal Stager
Fetch and execute an x86 payload from an HTTP server. Use an established connection. Module Options: msf > use payload/cmd/windows/http/x86/patchupdllinject/findtag; msf payload(findtag) > show actions ...actions...; msf payload(findtag) > set ACTION; msf payload(findtag) > show options ...show and set options... m...
Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet). Module Options: msf > use payload/cmd/windows/powershell/custom/reverse_https; msf payload(reverse_https) > show actions ...actions...; msf payload(reverse_https) > set ACTION; msf...
Powershell Exec, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot. Module Options: msf > use payload/cmd/windows/powershell/custom/reverse_named_pipe; msf payload(reverse_named_pipe) > show actions ...actions...; msf payload(reverse_named_pipe) > set...
Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet). Module Options: msf > use payload/cmd/windows/powershell/x64/custom/reverse_https; msf payload(reverse_https) > show actions ...actions...; msf payload(reverse_https) > set ACTION; msf...
Powershell Exec, Windows shellcode stage, Reverse TCP Stager (DNS)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/powershell/custom/reverse_tcp_dns; msf payload(reverse_tcp_dns) > show actions ...actions...; msf payload(reverse_tcp_dns) > set ACTION; msf payload(reverse_tcp_dns) > sh...
Powershell Exec, Reverse TCP Stager
Execute an x86 payload from a command via PowerShell. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/powershell/peinject/reverse_tcp; msf payload(reverse_tcp) > show actions ...actions...; msf payload(reverse_tcp) > set ACTION; msf payload(reverse_tcp) > show options ...show and set...
Powershell Exec, Reverse All-Port TCP Stager
Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker on all possible ports (1-65535), slowly. Module Options: msf > use payload/cmd/windows/powershell/vncinject/reverse_tcp_allports; msf payload(reverse_tcp_allports) > show actions ...actions...; msf payload(reverse_tcp_allport...
HTTP Fetch, Bind TCP Stager (Windows x86)
Fetch and execute an x86 payload from an HTTP server. Listen for a connection (Windows x86). Module Options: msf > use payload/cmd/windows/http/x86/meterpreter/bind_tcp; msf payload(bind_tcp) > show actions ...actions...; msf payload(bind_tcp) > set ACTION; msf payload(bind_tcp) > show options ...show and set options...
HTTPS Fetch, Windows Reverse HTTP Stager (wininet)
Fetch and execute an x86 payload from an HTTPS server. Tunnel communication over HTTP (Windows wininet). Module Options: msf > use payload/cmd/windows/https/x86/dllinject/reverse_http; msf payload(reverse_http) > show actions ...actions...; msf payload(reverse_http) > set ACTION; msf payload(reverse_http) > show options...
Disable ClamAV
This module writes to the ClamAV Unix socket to shut off ClamAV. Module Options: msf > use post/linux/manage/disable_clamav; msf post(disable_clamav) > show actions ...actions...; msf post(disable_clamav) > set ACTION; msf post(disable_clamav) > show options ...show and set options...; msf post(disable_clamav) > run. This...
Powershell Exec, Windows Disable Windows ICF, Command Shell, Bind TCP Inline
Execute an x86 payload from a command via PowerShell. Disable the Windows ICF, then listen for a connection and spawn a command shell. Module Options: msf > use payload/cmd/windows/powershell/shell_bind_tcp_xpfw; msf payload(shell_bind_tcp_xpfw) > show actions ...actions...; msf payload(shell_bind_tcp_xpfw) > set ACTIO...
NSClient++ 0.5.2.35 - Privilege escalation
This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell. For this module to work, both the NSClient++ web interface and the ExternalScripts feature must be enabled. You must also know where the NSClient config file is, as it is use...
Google Chrome 67, 68 and 69 Object.create exploit
This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process. This module can target the render...
MS17-010 SMB RCE Detection
Uses information disclosure to determine whether MS17-010 has been patched. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is STATUS_INSUFF_SERVER_RESOURCES, the machine does not have the MS17-010 patch. If the machine is missing the MS17-0...
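The check above turns on one NTSTATUS value in the reply to a Trans request against FID 0 on IPC$. The following Python is an added example, not the Metasploit module's code: it builds constructed SMB1 reply packets (not captured from any host), parses the NetBIOS framing and the 32-byte SMB header, and classifies the reply. STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) as "likely vulnerable" is what the page states; treating STATUS_ACCESS_DENIED and STATUS_INVALID_HANDLE as "patched" and everything else as "unknown" is this example's assumption.

```python
"""Parse an SMB1 Trans response and apply the MS17-010 status check.
Added example; all packets here are constructed inline, not captured."""
import struct

SMB_COM_TRANSACTION = 0x25
# NTSTATUS values (MS-ERREF)
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205

SMB_MAGIC = b"\xffSMB"
# SMB1 header after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (28 bytes, little-endian)
SMB_HDR = struct.Struct("<BIBHH8sHHHHH")


def build_smb1_response(command, status, tid=0x0800, uid=0x0800, mid=0x40):
    """Constructed NetBIOS session message carrying a header-only SMB1 reply."""
    hdr = SMB_MAGIC + SMB_HDR.pack(command, status, 0x98, 0xC807, 0,
                                   b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


def parse_smb1_header(pkt):
    """Return the fields of an SMB1 header, validating NetBIOS framing first."""
    if len(pkt) < 4 + 32 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(pkt[1:4], "big")
    if 4 + length > len(pkt) or length < 32:
        raise ValueError("truncated SMB message")
    smb = pkt[4:4 + length]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not SMB1")
    (command, status, flags, flags2, _pid_hi, _sec, _res,
     tid, pid, uid, mid) = SMB_HDR.unpack_from(smb, 4)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid,
            "body": smb[32:]}


def ms17_010_verdict(pkt):
    """Classify the reply to the IPC$ / FID 0 transaction probe.  Which codes
    count as 'patched', and 'unknown' for the rest, is this example's choice."""
    h = parse_smb1_header(pkt)
    if h["command"] != SMB_COM_TRANSACTION:
        return "not-a-trans-response"
    if h["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely-vulnerable"          # MS17-010 patch missing
    if h["status"] in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    for name, code in [("unpatched", STATUS_INSUFF_SERVER_RESOURCES),
                       ("patched", STATUS_ACCESS_DENIED)]:
        pkt = build_smb1_response(SMB_COM_TRANSACTION, code)
        print(name, hex(parse_smb1_header(pkt)["status"]), ms17_010_verdict(pkt))
```

The parser checks the NetBIOS length field before trusting the SMB header, so a truncated or non-SMB reply raises instead of being misread as "unknown"; on a real scan, feed it the bytes received after sending the Trans request.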
HTTP Fetch, Reverse HTTP Stager Proxy
Fetch and execute an x86 payload from an HTTP server. Tunnel communication over HTTP. Module Options: msf > use payload/cmd/windows/http/x86/meterpreter/reverse_http_proxy_pstore; msf payload(reverse_http_proxy_pstore) > show actions ...actions...; msf payload(reverse_http_proxy_pstore) > set ACTION; msf...
Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows winhttp). Module Options: msf > use payload/cmd/windows/powershell/custom/reverse_winhttp; msf payload(reverse_winhttp) > show actions ...actions...; msf payload(reverse_winhttp) > set ACTION; msf...
Apache Tika Header Command Injection
This module exploits a command injection vulnerability in Apache Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic-byte checking. When OCR is specified in the request, parameters can be passed that change the parameters passed on the command line to allow for...
NTP Mode 6 UNSETTRAP DRDoS Scanner
This module identifies NTP servers that permit mode 6 UNSETTRAP requests, which can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to UNSETTRAP requests with multiple packets, allowing remote attackers to cause a distributed, reflected denial of service, aka...
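What makes UNSETTRAP useful as a reflector is the size and count of the reply relative to a 12-byte request. The Python below is an added example, not the Metasploit module's code: it builds the mode 6 control packet (opcode 31, CTL_OP_UNSETTRAP from ntpd's ntp_control.h), decodes control-message replies, and computes packet and bandwidth amplification. The three reply fragments are constructed placeholders, not real ntpd output, and the "more than one packet, or more bytes back than sent" thresholds are this example's assumption.

```python
"""Build an NTP mode 6 UNSETTRAP probe, parse control replies, measure
amplification.  Added example; replies are constructed, not captured."""
import struct

NTP_MODE_CONTROL = 6          # mode 6 = control message (ntpq-style traffic)
CTL_OP_UNSETTRAP = 31         # opcode value from ntpd's ntp_control.h
# Control header (RFC 1305 App. B): LI/VN/Mode, R/E/M/Opcode, sequence,
# status, association id, offset, count -- 12 bytes, big-endian.
CTL_HEADER = struct.Struct("!BBHHHHH")


def build_unsettrap_request(version=2, sequence=1):
    """Mode 6 request with opcode UNSETTRAP and an empty data field."""
    byte0 = (0 << 6) | (version << 3) | NTP_MODE_CONTROL   # LI=0
    byte1 = CTL_OP_UNSETTRAP & 0x1F                         # R=E=M=0: request
    return CTL_HEADER.pack(byte0, byte1, sequence, 0, 0, 0, 0)


def build_control_response(opcode, sequence, data, offset, more):
    """Constructed server reply fragment (R=1); 'more' marks further fragments."""
    byte0 = (2 << 3) | NTP_MODE_CONTROL
    byte1 = 0x80 | (0x20 if more else 0) | (opcode & 0x1F)
    return CTL_HEADER.pack(byte0, byte1, sequence, 0, 0, offset, len(data)) + data


def parse_control_response(pkt):
    """Decode a mode 6 packet; rejects anything that is not a control message."""
    if len(pkt) < CTL_HEADER.size:
        raise ValueError("short packet")
    b0, b1, seq, status, assoc, offset, count = CTL_HEADER.unpack_from(pkt)
    if b0 & 0x07 != NTP_MODE_CONTROL:
        raise ValueError("not an NTP control message")
    return {
        "version": (b0 >> 3) & 0x07,
        "response": bool(b1 & 0x80),
        "error": bool(b1 & 0x40),
        "more": bool(b1 & 0x20),
        "opcode": b1 & 0x1F,
        "sequence": seq, "status": status, "assoc": assoc,
        "offset": offset, "count": count,
        "data": pkt[CTL_HEADER.size:CTL_HEADER.size + count],
    }


def amplification(request, responses):
    """(reply packet count, bytes received / bytes sent) for one probe."""
    total = sum(len(r) for r in responses)
    return len(responses), total / len(request)


def assess(request, responses):
    """Flag a reflector the way a DRDoS scanner would.  Thresholds (more than
    one packet back, or more bytes back than sent) are this example's choice."""
    packets, factor = amplification(request, responses)
    return {"packets": packets, "factor": round(factor, 2),
            "packet_amplification": packets > 1,
            "bandwidth_amplification": factor > 1.0}


def sample_responses(sequence=1):
    """Three constructed fragments of 100 data bytes each, standing in for a
    permissive server's multi-packet reply (placeholder bytes, not ntpd output)."""
    chunks = [b"A" * 100, b"B" * 100, b"C" * 100]
    out, offset = [], 0
    for i, data in enumerate(chunks):
        more = i < len(chunks) - 1
        out.append(build_control_response(CTL_OP_UNSETTRAP, sequence, data, offset, more))
        offset += len(data)
    return out


if __name__ == "__main__":
    req = build_unsettrap_request()
    print(req.hex())                       # 161f00010000000000000000
    print(assess(req, sample_responses()))
```

On a live scan the same `assess()` is applied to whatever UDP datagrams come back within a timeout; a server that answers with a single 12-byte error reply scores a factor of 1.0 and is not flagged, while fragmented replies with the M bit set are exactly the multi-packet case the description warns about.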
Lotus Domino Password Hash Collector
Get users' password hashes from the names.nsf page. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Lotus Domino Password Hash Collector', 'Description' => 'Get users passwords hashes from names.nsf...
NTLM Relay to Self (HTTP to LDAP) - Post Exploitation
This module performs an NTLM relay-to-self privilege escalation attack. It starts an HTTP-to-LDAP relay server on the compromised host, then triggers the WebClient service via an ETW event allowing a low-privilege user to start it, and coerces the local machine account to authenticate via...
HTTPS Fetch, Reverse TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker (No NX). Module Options: msf > use payload/cmd/windows/https/x86/patchupmeterpreter/reverse_nonx_tcp; msf payload(reverse_nonx_tcp) > show actions ...actions...; msf payload(reverse_nonx_tcp) > set ACTION; msf payload(reverse_nonx_tcp) > show...
Kerberos Ticket Inspecting
This module outputs the contents of a ccache/kirbi file and, when provided with the appropriate key, optionally decrypts and displays the encrypted content too. It can be used for inspecting tickets that aren't working as intended, in an effort to debug them. Module Options: msf > use...
Powershell Exec, Bind TCP Stager (Windows x86)
Execute an x86 payload from a command via PowerShell. Listen for a connection (Windows x86). Module Options: msf > use payload/cmd/windows/powershell/dllinject/bind_tcp; msf payload(bind_tcp) > show actions ...actions...; msf payload(bind_tcp) > set ACTION; msf payload(bind_tcp) > show options ...show and set options...
MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
This module dumps memory contents using a crafted Range header and affects only Windows 8.1, Server 2012, and Server 2012 R2. Note that if the target is running in VMware Workstation, this module has a high likelihood of resulting in a BSOD; however, VMware ESX and non-virtualized hosts seem stable...
HTTP Fetch, Reverse All-Port TCP Stager
Fetch and execute an x86 payload from an HTTP server. Try to connect back to the attacker on all possible ports (1-65535), slowly. Module Options: msf > use payload/cmd/windows/http/x86/meterpreter/reverse_tcp_allports; msf payload(reverse_tcp_allports) > show actions ...actions...; msf payload(reverse_tcp_allport...
HTTP Fetch, Reverse TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker (No NX). Module Options: msf > use payload/cmd/windows/http/x86/meterpreter/reverse_nonx_tcp; msf payload(reverse_nonx_tcp) > show actions ...actions...; msf payload(reverse_nonx_tcp) > set ACTION; msf payload(reverse_nonx_tcp) > show options...
Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x86). Module Options: msf > use payload/cmd/windows/powershell/custom/bind_ipv6_tcp; msf payload(bind_ipv6_tcp) > show actions ...actions...; msf payload(bind_ipv6_tcp) > set ACTION; msf payload(bind_ipv6_t...