Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability

This module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kerneles, resulting in unexpected behavior for DB excpetions that are deferred by MOV SS or POP SS...

Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTPUSERAGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler...

Linux Gather Dump Password Hashes for Linux Systems

Post Module to dump the password hashes for all users on a Linux System This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linux Gather Dump Password Hashes for Linux Systems', 'Description' = %q...

HTTP Fetch, Reverse TCP Stager with UUID Support

Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/http/x86/dllinject/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf payloadreversetcpuuid sho...

Powershell Exec, Reverse All-Port TCP Stager

Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/vncinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show an...

Powershell Exec

Execute an x64 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/x64/powershellbindtcp msf payloadpowershellbindtcp show actions ...actions... msf payloadpowershellbindtcp set ACTION msf payloadpowershellbindtcp show options ...show and set options... msf...

Powershell Exec, Bind TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Listen for a connection No NX Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp show options ...show...

Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x86 payload from a command via PowerShell. Listen for a connection Module Options msf use payload/cmd/windows/powershell/peinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options... m...

Powershell Exec, Reverse TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/powershell/dllinject/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show options...

Powershell Exec, Bind IPv6 TCP Stager (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection Windows x86 Module Options msf use payload/cmd/windows/powershell/meterpreter/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options...

Powershell Exec, Reverse All-Port TCP Stager

Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/powershell/dllinject/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf payloadreversetcpallport...

XChat Credential Gatherer

This module searches for XChat credentials on a Windows host. XChat is an IRC chat program for both Linux and Windows. Module Options msf use post/windows/gather/credentials/xchat msf postxchat show actions ...actions... msf postxchat set ACTION msf postxchat show options ...show and set options...

SuiteCRM Log File Remote Code Execution

This module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a...

vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection

This module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables based on the selected options. This module has been tested successfully on VBulletin Version 5.6.1 on Ubuntu Linux. This module requires Metasploit...

Plesk/myLittleAdmin ViewState .NET Deserialization

This module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as ...

VMware vCenter Server vmdir Authentication Bypass

This module bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user. Version 6.7 prior to the 6.7U3f update is vulnerable, only if upgraded from a previous release line, such as 6.0 or 6.5. Note that it is also possible to provide a bind userna...

Jenkins Credential Collector

This module can be used to extract saved Jenkins credentials, user tokens, SSH keys, and secrets. Interesting files will be stored in loot along with combined csv output. require 'nokogiri' require 'base64' require 'digest' require 'openssl' require 'sshkey' class MetasploitModule 'Jenkins...

Exim "perl_startup" Privilege Escalation

This module exploits a Perl injection vulnerability in Exim 'Exim "perlstartup" Privilege Escalation', 'Description' = %q This module exploits a Perl injection vulnerability in Exim 'Dawid Golunski', Vulnerability discovery 'wvu' Metasploit module , 'References' = %wCVE 2016-1531, %wEDB 39549,...

Webmin File Disclosure

A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of an URL. This can be exploited to read the contents of any files on the...

HTTP Fetch, Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Listen for an IPv6 connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/http/x86/custom/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set...

HTTP Fetch, Hidden Bind Ipknock TCP Stager

Fetch and execute an x86 payload from an HTTP server. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socke...

HTTP Fetch, Reverse TCP Stager

Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/dllinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set options...

Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/peinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...

Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x86 payload from a command via PowerShell. Listen for a connection Module Options msf use payload/cmd/windows/powershell/meterpreter/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options...

Powershell Exec, Bind TCP Stager (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for a connection Windows x86 Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set...

Powershell Exec, Reverse TCP Stager with UUID Support

Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/powershell/vncinject/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf payloadreversetcpuuid...

Powershell Exec, Reverse TCP Stager (IPv6)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/powershell/peinject/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show optio...

Powershell Exec, Bind TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Listen for a connection No NX Module Options msf use payload/cmd/windows/powershell/meterpreter/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp show options ...show and set...

Powershell Exec

Execute an x86 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit:...

Powershell Exec, Reverse TCP Stager (IPv6)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/powershell/dllinject/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show...

Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/dllinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show...

Python Exec, Python Meterpreter, Python Reverse TCP Stager

Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker Module Options msf use payload/cmd/unix/python/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf...

Emby SSRF HTTP Scanner

Generates a GET request to the provided web servers and executes an SSRF against the targeted EMBY server. Returns the server header, HTML title attribute and location header if set. This is useful for rapidly identifying web applications on the internal network using the Emby SSRF vulnerability...

NetMotion Mobility Server MvcUtil Java Deserialization

This module exploits an unauthenticated Java deserialization in the NetMotion Mobility server's MvcUtil.valueStringToObject method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 ar...

VMware vCenter Server Unauthenticated OVA File Upload RCE

This module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitab...

PRTG Network Monitor Authenticated RCE

Notifications can be created by an authenticated user and can execute scripts when triggered. Due to a poorly validated input on the script name, it is possible to chain it with a user-supplied command allowing command execution under the context of privileged user. The module uses provided...

WordPress Total Upkeep Unauthenticated Backup Downloader

This module exploits an unauthenticated database backup vulnerability in WordPress plugin 'Boldgrid-Backup' also known as 'Total Upkeep' version use auxiliary/scanner/http/wptotalupkeepdownloader msf auxiliarywptotalupkeepdownloader show actions ...actions... msf auxiliarywptotalupkeepdownloader...

Redis Replication Code Execution

This module can be used to leverage the extension functionality added since Redis 4.0.0 to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis which called replication between master and slave. This module requires Metasploit: https://metasploit.com/downlo...

Xymon Daemon Gather Information

This module retrieves information from a Xymon daemon service formerly Hobbit, based on Big Brother, including server configuration information, a list of monitored hosts, and associated client log for each host. This module also retrieves usernames and password hashes from the xymonpasswd config...

Dynamic key XOR Encoder

An x64 XOR encoder with dynamic key size This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Dynamic key XOR Encoder', 'Description' = 'An x64 XOR encoder with dynamic key size', 'Author' = 'lupman...

WinRM Login Utility

This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows NegotiateNTLM authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the 'AllowUnencrypted' winrm option must be set. Otherwise adjust the...

MS08-067 Microsoft Server Service Relative Path Stack Corruption

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service along with a dozen others in the same...

HTTP Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/http/x86/custom/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...

Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/peinject/reverseordtcp msf payloadreverseordtcp show actions ...actions... msf payloadreverseordtcp set ACTION msf payloadreverseordtcp show options ...show and...

Powershell Exec, Windows x64 Bind Named Pipe Stager

Execute an x64 payload from a command via PowerShell. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/meterpreter/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show...

Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)

Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/patchupdllinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid...

Powershell Exec, Reverse TCP Stager (IPv6)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/powershell/vncinject/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show...

BillQuick Web Suite txtID SQLi

This module exploits a SQL injection vulnerability in BillQUick Web Suite prior to version 22.0.9.1. The application is .net based, and the database is required to be MSSQL. Luckily the website gives error based SQLi messages, so it is trivial to pull data from the database. However the webapp us...

D-Link Central WiFiManager SQL injection

This module exploits a SQLi vulnerability found in D-Link Central WiFi Manager CWM100 before v1.03R0100BETA6. The vulnerability is an exposed API endpoint that allows the execution of SQL queries without authentication, using this vulnerability, it's possible to retrieve usernames and password...