6849 matches found
HTTP Fetch, Reverse All-Port TCP Stager
Fetch and execute an x86 payload from an HTTP server. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/http/x86/dllinject/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf payloadreversetcpallports...
Powershell Exec, Hidden Bind Ipknock TCP Stager
Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socke...
Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Execute an x86 payload from a command via PowerShell. Listen for a connection Module Options msf use payload/cmd/windows/powershell/vncinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options...
Safari Webkit Proxy Object Type Confusion
This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e....
Sync Breeze Enterprise GET Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28, and v10.1.16, caused by improper bounds checking of the request in HTTP GET and POST requests sent to the built-in web server. This module has been tested successfull...
Android Meterpreter Browsable Launcher
This module allows you to open an android meterpreter via a browser. An Android meterpreter must be installed as an application beforehand on the target device in order to use this. For best results, you can consider using the auxiliary/client/sms/sendtext to trick your target into opening the...
SMB to Meterpreter Upgrade via PsExec
Upgrades an authenticated SMB session to a Meterpreter session using PsExec techniques. This module uploads a service-wrapped executable payload to the ADMIN$ share via the existing authenticated SMB connection, then creates and starts a Windows service that executes the payload. This mirrors the...
SSL Labs API Client
This module is a simple client for the SSL Labs APIs, designed for SSL/TLS assessment during a penetration test. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'activesupport/inflector' require 'json' require...
NFR Agent FSFUI Record Arbitrary Remote File Access
NFRAgent.exe, a component of Novell File Reporter NFR, allows remote attackers to retrieve arbitrary text files via a directory traversal while handling requests to /FSF/CMD with an FSFUI record with UICMD 126. This module has been tested successfully against NFR Agent 1.0.4.3 File Reporter 1.0.2...
Tomcat UTF-8 Directory Traversal Vulnerability
This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the...
PHP Exec, PHP Command, Double Reverse TCP Connection (via Perl)
Execute a PHP payload from a command. Creates an interactive shell via perl Module Options msf use payload/cmd/unix/php/reverseperl msf payloadreverseperl show actions ...actions... msf payloadreverseperl set ACTION msf payloadreverseperl show options ...show and set options... msf...
Powershell Exec, Windows x64 Bind Named Pipe Stager
Execute an x64 payload from a command via PowerShell. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/vncinject/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show...
Powershell Exec, Windows Reverse HTTP Stager (winhttp)
Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/cmd/windows/powershell/dllinject/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp...
NSClient++ 0.5.2.35 - ExternalScripts Authenticated Remote Code Execution
This module allows an attacker with knowledge of the admin password of NSClient++ to start a privilege shell. For this module to work, both web interface of NSClient++ and ExternalScripts feature should be enabled. Module Options msf use exploit/windows/http/nscpauthenticatedrce msf...
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller. The vulnerability occurs in the robot controller component when sending a specially crafted directorylist probe. Technically speaking the target host must also be vulnerable to CVE-2020-8010 in...
Pandora FMS Events Remote Command Execution
This module exploits a vulnerability CVE-2020-13851 in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 and perhaps older versions in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the Events feature of Pandora FMS. This flaw...
Multi Gather VirtualBox VM Enumeration
This module will attempt to enumerate any VirtualBox VMs on the target machine. Due to the nature of VirtualBox, this module can only enumerate VMs registered for the current user, therefore, this module needs to be invoked from a user context. This module requires Metasploit:...
Acronis TrueImage XPC Privilege Escalation
Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The com.acronis.trueimagehelper helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with...
Grandstream GXV31XX 'settimezone' Unauthenticated Command Execution
This module exploits a command injection vulnerability in Grandstream GXV31XX IP multimedia phones. The 'settimezone' action does not validate input in the 'timezone' parameter allowing injection of arbitrary commands. A buffer overflow in the 'phonecookie' cookie parsing allows authentication to...
Microsoft Windows NtUserMNDragOver Local Privilege Elevation
This module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex, which is reachable via a NtUserMNDragOver system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint function does not effectively check the validity of the tagPOPUPMENU objects it...
Password Cracker: Linux
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack MD5, BSDi and DES implementations by default. However, it can also crack Blowfish and SHA256/512, but it is much slower...
HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation
This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer overflow in the Connection HTTP header handling by the web server. Exploiting this vulnerability gives full access to the REST API, allowing arbitrary accounts creation. This module requires Metasploit:...
Adobe Flash opaqueBackground Use After Free
This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling the opaqueBackground property 7 setter of the flash.display.DisplayObject class. This...
Netgear Unauthenticated SOAP Password Extractor
This module exploits an authentication bypass vulnerability in different Netgear devices. It allows to extract the password for the remote management interface. This module has been tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable: NetGear WNDR3700v4 -...
MS12-020 Microsoft Remote Desktop Use-After-Free DoS
This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service...
Windows Manage Enable Remote Desktop
This module enables the Remote Desktop Service RDP. It provides the options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users group. It can also forward the target's port 3389/tcp. This module requires Metasploit:...
Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution
This module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm. The getTopologyHistory RPC method method takes a single argument which is the name of a user which is concatenated into a string that is executed by bash. In order for the...
Microsoft Azure Active Directory Login Enumeration
This module enumerates valid usernames and passwords against a Microsoft Azure Active Directory domain by utilizing a flaw in how SSO authenticates. Module Options msf use auxiliary/scanner/http/azureadlogin msf auxiliaryazureadlogin show actions ...actions... msf auxiliaryazureadlogin set ACTION...
Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution
This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy...
Windows Gather Local SQL Server Hash Dump
This module extracts the usernames and password hashes from an MSSQL server and stores them as loot. It uses the same technique in mssqllocalauthbypass. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Powershell Exec, Windows Meterpreter Service, Reverse TCP Inline
Execute an x86 payload from a command via PowerShell. Stub payload for interacting with a Meterpreter Service Module Options msf use payload/cmd/windows/powershell/metsvcreversetcp msf payloadmetsvcreversetcp show actions ...actions... msf payloadmetsvcreversetcp set ACTION msf...
Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/meterpreter/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show...
Dell DBUtil_2_3.sys IOCTL memmove
The DBUtil23.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker read and write kernel-mode memory. Module Options msf use exploit/windows/local/cve202121551dbutilmemmove msf exploitcve202121551dbutilmemmove show targets ...targets... msf...
Cloud Lookup (and Bypass)
This module can be useful if you need to test the security of your server and your website behind a solution Cloud based. By discovering the origin IP address of the targeted host. More precisely, this module uses multiple data sources in order ViewDNS.info, DNS enumeration and Censys to collect...
Onion Omega2 Login Brute-Force
OnionOS login scanner module for Onion Omega2 devices. !/usr/bin/env python3 -- coding: utf-8 -- 2019-03-27 05-55 Standard Modules from metasploit import module, loginscanner import json Extra Modules dependenciesmissing = False try: import requests except ImportError: dependenciesmissing = True...
Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)
This module will try to find Service Principal Names that are associated with normal user accounts. Since normal accounts' passwords tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for a...
WordPress Traversal Directory DoS
Cross-site request forgery CSRF vulnerability in the wpajaxupdateplugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the checkajaxreferer...
NFS Mount Scanner
This module scans NFS mounts and their permissions. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'NFS Mount Scanner', 'Description' = %q This module scans NFS mounts and their permissions. ,...
Powershell Exec
Execute an x86 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/powershellreversetcpssl msf payloadpowershellreversetcpssl show actions ...actions... msf payloadpowershellreversetcpssl set ACTION msf payloadpowershellreversetcpssl show options ...show an...
Powershell Exec, Windows Reverse HTTP Stager (wininet)
Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP Windows wininet Module Options msf use payload/cmd/windows/powershell/dllinject/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show options...
WordPress ChopSlider3 id SQLi Scanner
The iDangero.us Chop Slider 3 WordPress plugin version 3.4 and prior contains a blind SQL injection in the id parameter of the getscript/index.php page. The injection is passed through GET parameters, and thus must be encoded, and magicquotes is applied at the server. Module Options msf use...
Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
This module exploits a vulnerability in the rdspagecopyuser function in net/rds/page.c RDS in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root CVE-2010-3904. This module has been tested successfully on: Fedora 13 i686 kernel version 2.6.33.3-85.fc13.i686.PAE; and Ubuntu 10.04...
PHP apache_request_headers Function Buffer Overflow
This module exploits a stack based buffer overflow in the CGI version of PHP 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the HTTP headers. This module has been tested against the thread safe version of PHP 5.4.2, from "windows.php.net", running with Apache 2.2.22 from...
FrontPage Server Extensions Anonymous Login Scanner
This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FrontPage Server Extensions Anonymous Log...
HTTP Vuln Scanner
This module identifies common vulnerable files or cgis. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Vuln Scanner', 'Description' = %q This module identifies common vulnerable files or...
Powershell Exec, Windows x64 Reverse TCP Stager
Execute an x64 payload from a command via PowerShell. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/vncinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...sho...
Powershell Exec, Windows Reverse HTTP Stager (winhttp)
Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/cmd/windows/powershell/meterpreter/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp...
Powershell Exec, Bind TCP Stager (Windows x86)
Execute an x86 payload from a command via PowerShell. Listen for a connection Windows x86 Module Options msf use payload/cmd/windows/powershell/peinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options... m...
Powershell Exec, Reverse TCP Stager (No NX or Win7)
Execute an x86 payload from a command via PowerShell. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/powershell/peinject/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show options...
Powershell Exec, Reverse HTTP Stager Proxy
Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP Module Options msf use payload/cmd/windows/powershell/vncinject/reversehttpproxypstore msf payloadreversehttpproxypstore show actions ...actions... msf payloadreversehttpproxypstore set ACTION msf...