MS12-020 Microsoft Remote Desktop Use-After-Free DoS

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service...

PHP Exec, PHP Command Shell, Bind TCP (via Perl)

Execute a PHP payload from a command. Listen for a connection and spawn a command shell via perl persistent Module Options msf use payload/cmd/unix/php/bindperl msf payloadbindperl show actions ...actions... msf payloadbindperl set ACTION msf payloadbindperl show options ...show and set options...

Powershell Exec, Bind TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Listen for a connection No NX Module Options msf use payload/cmd/windows/powershell/vncinject/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp show options ...show and set...

Powershell Exec, Reverse TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show...

Powershell Exec, Windows x64 Reverse TCP Stager

Execute an x64 payload from a command via PowerShell. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options...

Powershell Exec, Windows x64 Reverse Named Pipe (SMB) Stager

Execute an x64 payload from a command via PowerShell. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...

Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)

Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTPS Windows x64 winhttp Module Options msf use payload/cmd/windows/powershell/x64/vncinject/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION msf...

Linux Container Enumeration

This module attempts to enumerate containers on the target machine and optionally run a command on each active container found. Currently it supports Docker, LXC and RKT. Module Options msf use post/linux/gather/enumcontainers msf postenumcontainers show actions ...actions... msf postenumcontaine...

Bolt CMS 3.7.0 - Authenticated Remote Code Execution

This module exploits multiple vulnerabilities in Bolt CMS version 3.7.0 and 3.6. in order to execute arbitrary commands as the user running Bolt. This module first takes advantage of a vulnerability that allows an authenticated user to change the username in /bolt/profile to a PHP system$GET""...

Tiki-Wiki CMS Calendar Command Execution

Tiki-Wiki CMS's calendar module contains a remote code execution vulnerability within the viewmode GET parameter. The calendar module is NOT enabled by default. If enabled, the default permissions are set to NOT allow anonymous users to access. Vulnerable versions: 'Tiki-Wiki CMS Calendar Command...

SysAid Help Desk Database Credentials Disclosure

This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. This is used to download the server configuration file that contains the database username and password, which is encrypted with a fixed, known key. This modul...

Chargen Probe Utility

Chargen is a debugging and measurement tool and a character generator service. A character generator service simply sends data without regard to the input. Chargen is susceptible to spoofing the source of transmissions as well as use in a reflection attack vector. The misuse of the testing featur...

HTTP Fetch, Reverse All-Port TCP Stager

Fetch and execute an x86 payload from an HTTP server. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/http/x86/dllinject/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf payloadreversetcpallports...

Powershell Exec, Bind IPv6 TCP Stager (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/powershell/vncinject/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...sh...

Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)

Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/powershell/x64/vncinject/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf payloadreversehttps...

Powershell Exec, Reverse TCP Stager (DNS)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/meterpreter/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show options ...show...

Powershell Exec, Windows x64 Reverse HTTP Stager (winhttp)

Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf...

Interact with Established SSH Connection

Interacts with a shell on an established SSH connection Module Options msf use payload/generic/ssh/interact msf payloadinteract show actions ...actions... msf payloadinteract set ACTION msf payloadinteract show options ...show and set options... msf payloadinteract run This module requires...

FortiLogger Arbitrary File Upload Exploit

This module exploits an unauthenticated arbitrary file upload via insecure POST request. It has been tested on versions use exploit/windows/http/fortiloggerarbitraryfileupload msf exploitfortiloggerarbitraryfileupload show targets ...targets... msf exploitfortiloggerarbitraryfileupload set TARGET...

Windows Net-NTLMv2 Reflection DCOM/RPC

Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token. This module requires Metasploit:...

SMB Login Check Scanner

This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. This module requires Metasploit: https://metasploit.com/downloa...

Windows Manage Enable Remote Desktop

This module enables the Remote Desktop Service RDP. It provides the options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users group. It can also forward the target's port 3389/tcp. This module requires Metasploit:...

ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)

This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a litt...

Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/patchupdllinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...

Powershell Exec

Execute an x86 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/adduser msf payloadadduser show actions ...actions... msf payloadadduser set ACTION msf payloadadduser show options ...show and set options... msf payloadadduser run This module requires...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/dllinject/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION msf payloadreversetcprc4dns show option...

WordPress Plugin Automatic Config Change to RCE

This module exploits an unauthenticated arbitrary wordpress options change vulnerability in the Automatic wp-automatic plugin use auxiliary/admin/http/wpautomaticpluginprivesc msf auxiliarywpautomaticpluginprivesc show actions ...actions... msf auxiliarywpautomaticpluginprivesc set ACTION msf...

WordPress Traversal Directory DoS

Cross-site request forgery CSRF vulnerability in the wpajaxupdateplugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the checkajaxreferer...

Windows ClientCopyImage Win32k Exploit

This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. This module requires Metasploit: https://metasploit.com/download Current source:...

Dhclient Bash Environment Variable Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment...

Linksys WRT120N tmUnblock Stack Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router to reset the password of the management interface temporarily to an empty value. This module has been tested successfully on a WRT120N device with firmware version 1.0.07. This module requires Metasploi...

SVN wc.db Scanner

Scan for servers that allow access to the SVN wc.db file. Based on the work by Tim Meddin. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SVN wc.db Scanner', 'Description' = %q Scan for server...

Unix Command Shell, Bind TCP (via Perl)

Listen for a connection and spawn a command shell via perl This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 240 include Msf::Payload::Single include Msf::Sessions::CommandShellOptio...

Powershell Exec, Windows Reverse HTTP Stager (wininet)

Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP Windows wininet Module Options msf use payload/cmd/windows/powershell/vncinject/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show options...

Powershell Exec, Bind IPv6 TCP Stager (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/powershell/peinject/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...sho...

Powershell Exec, Reverse TCP Stager

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/dllinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...

Powershell Exec, Hidden Bind Ipknock TCP Stager

Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socke...

Cacti color filter authenticated SQLi to RCE

This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the pathphpbinary value is changed within the settings table to a payload, an...

GitLab File Read Remote Code Execution

This module provides remote code execution against GitLab Community Edition CE and Enterprise Edition EE. It combines an arbitrary file read to extract the Rails "secretkeybase", and gains remote code execution with a deserialization vulnerability of a signed 'experimentationsubjectid' cookie tha...

Android Gather Dump Password Hashes for Android Systems

Post Module to dump the password hashes for Android System. Root is required. To perform this operation, two things are needed. First, a password.key file is required as this contains the hash but no salt. Next, a sqlite3 database is needed with supporting files to pull the salt from. Combined,...

MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service

This module will check if scanned hosts are vulnerable to CVE-2015-1635 MS15-034, a vulnerability in the HTTP protocol stack HTTP.sys that could result in arbitrary code execution. This module will try to cause a denial-of-service. This module requires Metasploit: https://metasploit.com/download...

MediaWiki Thumb.php Remote Command Execution

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the...

Samba read_nttrans_ea_list Integer Overflow

Integer overflow in the readnttransealist function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service memory consumption via a malformed packet. Important Note: in order to work, the "ea support" option o...

Windows Manage Reflective DLL Injection Module

This module will inject a specified reflective DLL into the memory of a process, new or existing. If arguments are specified, they are passed to the DllMain entry point as the lpvReserved 3rd parameter. To read output from the injected process, set PID to zero and WAIT to non-zero. Make sure the...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/vncinject/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION msf payloadreversetcprc4dns show option...

Powershell Exec, Reverse TCP Stager (IPv6)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/powershell/meterpreter/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show...

Powershell Exec, Reverse TCP Stager (DNS)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show options...

Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION ms...

Powershell Exec, Find Tag Ordinal Stager

Execute an x86 payload from a command via PowerShell. Use an established connection Module Options msf use payload/cmd/windows/powershell/patchupdllinject/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options...

Powershell Exec, Windows x86 Bind Named Pipe Stager

Execute an x86 payload from a command via PowerShell. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/powershell/peinject/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show options...