Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support

Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...

Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)

Execute an x64 payload from a command via PowerShell. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/vncinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid sh...

Moodle Admin Shell Upload

This module will generate a plugin which can receive a malicious payload request and upload it to a server running Moodle provided valid admin credentials are used. Then the payload is sent for execution, and the plugin uninstalled. You must have an admin account to exploit this vulnerability...

Sage X3 Administration Service Authentication Bypass Command Execution

This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an available AdxAdmin service. Module Options msf use exploit/windows/sage/x3adxsrvauthbypasscmdexec msf...

Microsoft Windows RRAS Service MIBEntryGet Overflow

This module exploits an overflow in the Windows Routing and Remote Access Service RRAS to execute code as SYSTEM. The RRAS DCERPC endpoint is accessible to unauthenticated users via SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts; however, this module targets Windows Server...

WebLogic Server Deserialization RCE - BadAttributeValueExpException

There exists a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers. This module requires Metasploit:...

Windows x64 Pingback, Reverse TCP Inline

Connect back to attacker and report UUID Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 425 include Msf::Payload::Windows include Msf::Payload::Single include...

Cisco RV320 and RV325 Unauthenticated Remote Code Execution

This exploit module combines an information disclosure CVE-2019-1653 and a command injection vulnerability CVE-2019-1652 together to gain unauthenticated remote code execution on Cisco RV320 and RV325 small business routers. Can be exploited via the WAN interface of the router. Either via HTTPS o...

Android get_user/put_user Exploit

This module exploits a missing check in the getuser and putuser API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commitcreds and ptmxfops...

NETGEAR ProSafe Network Management System 300 Arbitrary File Upload

Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has multiple vulnerabilities that can allow an unauthenticated remote attacker to execute code as SYSTEM user. Vulnerabilities include authentication bypass, SQL injection, arbitrary file upload...

Zabbix Authenticated Remote Command Execution

ZABBIX allows an administrator to create scripts that will be run on hosts. An authenticated attacker can create a script containing a payload, then a host with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host. This module was tested against Zabbix v2.0.9, v2.0.5, v3.0.1, v4.0.1...

Windows Management Instrumentation (WMI) Remote Command Execution

This module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that...

MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the...

NTP Monitor List Scanner

This module identifies NTP servers which permit "monlist" queries and obtains the recent clients list. The monlist feature allows remote attackers to cause a denial of service traffic amplification via spoofed requests. The more clients there are in the list, the greater the amplification. This...

Powershell Exec, Windows shellcode stage, Find Tag Ordinal Stager

Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Use an established connection Module Options msf use payload/cmd/windows/powershell/custom/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and...

Powershell Exec, Reverse TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/powershell/meterpreter/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show option...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/meterpreter/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION msf payloadreversetcprc4dns show...

Windows Installed AntiVirus Enumeration

This module will enumerate the AV products detected by WMIC Module Options msf use post/windows/gather/enumav msf postenumav show actions ...actions... msf postenumav set ACTION msf postenumav show options ...show and set options... msf postenumav run This module requires Metasploit:...

ICQ Credential Gatherer

This module searches for ICQ credentials on a Windows host. Module Options msf use post/windows/gather/credentials/icq msf posticq show actions ...actions... msf posticq set ACTION msf posticq show options ...show and set options... msf posticq run This module requires Metasploit:...

Git Ignore Retriever

This module finds potentially sensitive items by finding .gitignore files. Module Options msf use post/osx/gather/gitignore msf postgitignore show actions ...actions... msf postgitignore set ACTION msf postgitignore show options ...show and set options... msf postgitignore run class...

Microsoft Windows Uninitialized Variable Local Privilege Elevation

This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitalized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker controlled address in kernel memory. By utilizing this...

WordPress InfiniteWP Client Authentication Bypass

This module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGINFILE. The module will attempt to retrieve the original PLUGINFILE contents and restore them after payload...

PHP Exec, PHP Command Shell, Bind TCP (via perl) IPv6

Execute a PHP payload from a command. Listen for a connection and spawn a command shell via perl persistent over IPv6 Module Options msf use payload/cmd/unix/php/bindperlipv6 msf payloadbindperlipv6 show actions ...actions... msf payloadbindperlipv6 set ACTION msf payloadbindperlipv6 show options...

Powershell Exec, Find Tag Ordinal Stager

Execute an x86 payload from a command via PowerShell. Use an established connection Module Options msf use payload/cmd/windows/powershell/vncinject/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options... msf...

Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)

Execute an x64 payload from a command via PowerShell. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/peinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show and...

Powershell Exec

Execute an x86 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/powershellbindtcp msf payloadpowershellbindtcp show actions ...actions... msf payloadpowershellbindtcp set ACTION msf payloadpowershellbindtcp show options ...show and set options... msf...

Microsoft OMI Management Interface Authentication Bypass

By removing the authentication exchange, an attacker can issue requests to the local OMI management socket that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 released September 8th 2021. Module Options msf use...

Zabbix Server Brute Force Utility

This module attempts to login to Zabbix server instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. It will also test for the Zabbix default login Admin:zabbix and guest access. This module requires Metasploit:...

GlassFish Brute Force Utility

This module attempts to login to GlassFish instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. It will also try to do an authentication bypass against older versions of GlassFish. Note: by default, GlassFish 4.0 requires HTTPS, which...

HTTP Fetch, Windows shellcode stage, Reverse TCP Stager

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/custom/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options...

HTTP Fetch, Bind TCP Stager with UUID Support (Windows x86)

Fetch and execute an x86 payload from an HTTP server. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/http/x86/dllinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show...

Powershell Exec, Windows x86 Bind Named Pipe Stager

Execute an x86 payload from a command via PowerShell. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe sh...

Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support

Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/peinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...

Powershell Exec, Bind TCP Stager (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for a connection Windows x86 Module Options msf use payload/cmd/windows/powershell/patchupdllinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set...

Powershell Exec, Windows Command Shell, Find Tag Ordinal Stager

Execute an x86 payload from a command via PowerShell. Spawn a piped command shell staged. Use an established connection Module Options msf use payload/cmd/windows/powershell/shell/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options...

Python Exec, Python Meterpreter Shell, Bind TCP Inline

Execute a Python payload as an OS command from a Posix-compatible shell. Connect to the victim and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterbindtcp msf payloadmeterpreterbindtcp show actions ...actions... msf payloadmeterpreterbindtcp set ACTION msf...

OpenSMTPD MAIL FROM Remote Code Execution

This module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute a command as the root user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)

This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when Window backup and restore is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a regist...

Erlang Port Mapper Daemon Cookie RCE

The erlang port mapper daemon is used to coordinate distributed erlang instances. Should an attacker get the authentication cookie RCE is trivial. Usually, this cookie is named ".erlang.cookie" and varies on location. This module requires Metasploit: https://metasploit.com/download Current source...

Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability

This module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kerneles, resulting in unexpected behavior for DB excpetions that are deferred by MOV SS or POP SS...

Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTPUSERAGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler...

PostgreSQL for Linux Payload Execution

On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the...

HTTP Fetch, Reverse TCP Stager (DNS)

Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/dllinject/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show options ...show and...

Powershell Exec, Reverse All-Port TCP Stager

Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/vncinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show an...

Powershell Exec

Execute an x64 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/x64/powershellbindtcp msf payloadpowershellbindtcp show actions ...actions... msf payloadpowershellbindtcp set ACTION msf payloadpowershellbindtcp show options ...show and set options... msf...

Powershell Exec, Reverse All-Port TCP Stager

Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/powershell/peinject/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf payloadreversetcpallports...

Powershell Exec, Bind TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Listen for a connection No NX Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp show options ...show...

Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x86 payload from a command via PowerShell. Listen for a connection Module Options msf use payload/cmd/windows/powershell/peinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options... m...