Cesar FTP 0.99g MKD Command Buffer Overflow

This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g. You must have valid credentials to trigger this vulnerability. Also, you only get one chance, so choose your target carefully. This module requires Metasploit: https://metasploit.com/download Current source:...

HTTP Fetch, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Tunnel communication over HTTPS Windows wininet Module Options msf use payload/cmd/windows/http/x86/custom/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf...

HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (DNS)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/custom/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show...

Powershell Exec, Reverse TCP Stager (DNS)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/vncinject/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show options ...show an...

Powershell Exec, Find Tag Ordinal Stager

Execute an x86 payload from a command via PowerShell. Use an established connection Module Options msf use payload/cmd/windows/powershell/dllinject/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options... msf...

Rapid7 Metasploit Framework msfvenom APK Template Command Injection

This module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affects Metasploit Framework -x Module Options msf use exploit/unix/fileformat/metasploitmsfvenomapktemplatecmdinjection msf...

WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp

There exists a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable versions of WebLogic. Leveraging an ExtractorComparator...

Drupal RESTful Web Services unserialize() RCE

This module exploits a PHP unserialize vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable albeit cached...

Windows SetImeInfoEx Win32k NULL Pointer Dereference

This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install...

HP Jetdirect Path Traversal Arbitrary Code Execution

The module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. Impacted printers: HP PageWide Managed MFP P57750dw HP PageWide Managed P55250dw HP PageWide Pro MF...

Windows Capcom.sys Kernel Execution Exploit (x64 only)

This module abuses the Capcom.sys kernel driver's function that allows for an arbitrary function to be executed in the kernel from user land. This function purposely disables SMEP prior to invoking a function given by the caller. This has been tested on Windows 7, 8.1, 10 x64 and Windows 11 x64...

Outlook Web App (OWA) Brute Force Utility

This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Outlook Web App OWA Brute Force Utility', 'Description' = %q This...

Windows Manage User Level Persistent Payload Installer

Creates a scheduled task that will run using service-for-user S4U. This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires 'Logon as a batch job'...

MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption

This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging as well as the heap spray method seen in the wild Java msvcrt71.dll...

ICMP Exfiltration Service

This module is designed to provide a server-side component to receive and store files exfiltrated over ICMP echo request packets. To use this module you will need to send an initial ICMP echo request containing the specific start trigger defaults to '^BOF' this can be followed by the filename bei...

AWStats configdir Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 are vulnerable. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework cla...

MS05-017 Microsoft Message Queueing Service Path Overflow

This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's...

HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/custom/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION msf...

HTTP Fetch, Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Tunnel communication over HTTPS Windows winhttp Module Options msf use payload/cmd/windows/http/x86/custom/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION msf...

HTTP Fetch, Windows x86 Bind Named Pipe Stager

Fetch and execute an x86 payload from an HTTP server. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/http/x86/dllinject/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show options...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)

Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION msf payloadreversetcprc4dns sh...

Powershell Exec, Hidden Bind Ipknock TCP Stager

Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socke...

Powershell Exec, Hidden Bind Ipknock TCP Stager

Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socke...

Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution

This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin SP Project & Document /.php Module Options msf use exploit/multi/http/wppluginspprojectdocumentrce msf exploitwppluginspprojectdocumentrce...

FortiOS Path Traversal Credential Gatherer

Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 are vulnerable to a path traversal vulnerability within the SSL VPN web portal which allows unauthenticated attackers to download FortiOS system files through specially crafted HTTP requests. This module exploits this...

Xorg X11 Server SUID logfile Privilege Escalation

This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code...

LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator

Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' require 'rex/zip' class MetasploitModul...

Zyxel/Eir D1000 DSL Modem NewNTPServer Command Injection Over TR-064

Broadband DSL modems manufactured by Zyxel and distributed by some European ISPs are vulnerable to a command injection vulnerability when setting the 'NewNTPServer' value using the TR-64 SOAP-based configuration protocol. In the tested case, no authentication is required to set this value on...

JSON Swagger CodeGen Parameter Injector

This module generates an Open API Specification 2.0 Swagger compliant json document that includes payload insertion points in parameters. In order for the payload to be executed, an attacker must convince someone to generate code from a specially modified swagger.json file within a vulnerable...

Juniper SSH Backdoor Scanner

This module scans for the Juniper SSH backdoor also valid on Telnet. Any username is required, and the password is 'Juniper SSH Backdoor Scanner', 'Description' = %q This module scans for the Juniper SSH backdoor also valid on Telnet. Any username is required, and the password is 'hdm', Discovery...

MS14-064 Microsoft Windows OLE Package Manager Code Execution

This module exploits a vulnerability found in Windows Object Linking and Embedding OLE allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2...

SSH User Code Execution

This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. This module requires Metasploit: https://metasploit.com/download Current source:...

Authentication Capture: VNC

This module provides a fake VNC service that is designed to capture authentication credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Authentication Capture: VNC', 'Description' = %q...

Setuid Nmap Exploit

Nmap's man page mentions that "Nmap should never be installed with special privileges e.g. suid root for security reasons.." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuse...

Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution

This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary...

HTTP Fetch

Fetch and execute an x86 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x86/adduser msf payloadadduser show actions ...actions... msf payloadadduser set ACTION msf payloadadduser show options ...show and set options... msf payloadadduser run This module requires...

HTTP Fetch, Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/custom/reverseordtcp msf payloadreverseordtcp show actions ...actions... msf payloadreverseordtcp set ACTION msf payloadreverseordtcp show...

HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (IPv6)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/http/x86/custom/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf...

Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x64 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/x64/peinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show...

Powershell Exec

Execute an x86 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/formatalldrives msf payloadformatalldrives show actions ...actions... msf payloadformatalldrives set ACTION msf payloadformatalldrives show options ...show and set options... msf...

Powershell Exec, Hidden Bind TCP Stager

Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host. Module Options msf use payload/cmd/windows/powershell/meterpreter/bindhiddentcp msf payloadbindhiddentcp show actions ...actions... msf...

Srware Credential Gatherer

This module searches for Srware credentials on a Windows host. SRWare Iron is a Chromium-based web browser developed by the German company SRWare. Module Options msf use post/windows/gather/credentials/srware msf postsrware show actions ...actions... msf postsrware set ACTION msf postsrware show...

Micro Focus Operations Bridge Reporter Unauthenticated Command Injection

This module exploits a command injection vulnerability on login yes, you read that right that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It's a straight up command injection, with little escaping required and it works before authentication. This module has...

VyOS restricted-shell Escape and Privilege Escalation

This module exploits command injection vulnerabilities and an insecure default sudo configuration on VyOS versions 1.0.0 use exploit/linux/ssh/vyosrestrictedshellprivesc msf exploitvyosrestrictedshellprivesc show targets ...targets... msf exploitvyosrestrictedshellprivesc set TARGET msf...

ManageEngine Exchange Reporter Plus Unauthenticated RCE

This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus 'ManageEngine Exchange Reporter Plus Unauthenticated RCE', 'Description' = %q This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus MSFLICENSE, 'Author' =...

Joomla com_contenthistory Error-Based SQL Injection

This module exploits a SQL injection vulnerability in Joomla versions 3.2 through 3.4.4 in order to either enumerate usernames and password hashes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModul...

Openfire Admin Console Authentication Bypass

This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0...

Java Applet Rhino Script Engine Remote Code Execution

This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java for example: IE, Firefox,...

rlogin Authentication Scanner

This module will test an rlogin service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports below 1024. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

Samba trans2open Overflow (Linux x86)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow...