Lucene search • Metasploit • Most viewed

6846 matches found

Metasploit • added 2022/03/16 5:42 p.m. • 76 views

Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline

Execute a Python payload as an OS command from a Posix-compatible shell. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehtt...

7.1 AI score
Exploits: 0

Metasploit • added 2020/07/30 5:41 p.m. • 76 views

FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation

This module exploits a race and use-after-free vulnerability in the FreeBSD kernel IPv6 socket handling. A missing synchronization lock in the IPV6_2292PKTOPTIONS option handling in setsockopt permits racing ip6_setpktopt access to a freed ip6_pktopts struct. This exploit overwrites the ip6po_pktinfo...

8.1 CVSS • 7.8 AI score • 0.32978 EPSS
Exploits: 4

Metasploit • added 2020/06/14 5:33 p.m. • 76 views

Trend Micro Web Security (Virtual Appliance) Remote Code Execution

This module chains multiple vulnerabilities to achieve remote code execution. Unauthenticated users can execute a terminal command under the context of the root user. The specific flaw exists within the LogSettingHandler class of administrator interface software. When parsing...

9.8 CVSS • 8.9 AI score • 0.89661 EPSS
Exploits: 9

Metasploit • added 2018/02/09 9:15 p.m. • 76 views

glibc '$ORIGIN' Expansion Privilege Escalation

This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so versions before 2.11.3, and 2.12.x before 2.12.2, do not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which...

6.9 CVSS • 7.6 AI score • 0.08747 EPSS
Exploits: 20

Metasploit • added 2016/04/07 9:17 a.m. • 76 views

ExaGrid Known SSH Key and Default Password

ExaGrid ships a public/private key pair on their backup appliances to allow passwordless authentication to other ExaGrid appliances. Since the private key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. Additionally, this module will attempt to use the...

9.8 CVSS • 8.4 AI score • 0.74261 EPSS
Exploits: 5

Metasploit • added 2014/11/24 7:25 a.m. • 76 views

MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution

This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332. The vulnerability is known to affect Internet Explorer 3.0 through version 11 on Windows 95 up to Windows 10, and there is no patch for Windows XP. However, this exploit will only target Windows XP and Windows 7 box due ...

8.8 CVSS • 8.7 AI score • 0.94996 EPSS
Exploits: 39

Metasploit • added 2011/03/12 4:38 p.m. • 76 views

Majordomo2 _list_file_get() Directory Traversal

This module exploits a directory traversal vulnerability present in the _list_file_get() function of the Majordomo2 help function. By default, this module will attempt to download the Majordomo config.pl file. This module requires Metasploit: https://metasploit.com/download Current source:...

5 CVSS • 6.4 AI score • 0.95388 EPSS
Exploits: 13

Metasploit • added 2010/11/04 6:12 p.m. • 76 views

ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)

This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. This module requires Metasploit:...

10 CVSS • 7.9 AI score • 0.91303 EPSS
Exploits: 10

Metasploit • added 2010/11/01 10:34 p.m. • 76 views

Adobe Flash Player "Button" Remote Code Execution

This module exploits a vulnerability in the handling of certain SWF movies within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially...

9.3 CVSS • 9.3 AI score • 0.69679 EPSS
Exploits: 14

Metasploit • added 2010/09/01 1:57 a.m. • 76 views

ColdFusion Server Check

This module attempts to exploit the directory traversal in the 'locale' attribute. According to the advisory the following versions are vulnerable: ColdFusion MX6 6.1 base patches, ColdFusion MX7 7,0,0,91690 base patches, ColdFusion MX8 8,0,1,195765 base patches, ColdFusion MX8 8,0,1,195765 with...

9.8 CVSS • 9.1 AI score • 0.99721 EPSS
Exploits: 13

Metasploit • added 2009/07/27 2:5 p.m. • 76 views

TikiWiki tiki-graph_formula Remote PHP Code Execution

TikiWiki 'TikiWiki tiki-graphformula Remote PHP Code Execution', 'Description' = %q TikiWiki 'Matteo Cantoni ', 'jduck' , 'License' = MSFLICENSE, 'References' = 'CVE', '2007-5423', 'OSVDB', '40478', 'BID', '26006', , 'Privileged' = false, 'Payload' = 'DisableNops' = true, 6k. Really...

7.5 CVSS • 10 AI score • 0.76661 EPSS
Exploits: 6

Metasploit • added 2026/04/02 7:2 p.m. • 75 views

HTTP Fetch, Bind TCP Stager (No NX or Win7)

Fetch and execute an x86 payload from an HTTP server. Listen for a connection No NX Module Options msf use payload/cmd/windows/http/x86/dllinject/bindnonxtcp msf payloadbindnonxtcp show actions ...actions... msf payloadbindnonxtcp set ACTION msf payloadbindnonxtcp show options ...show and set...

6 AI score
Exploits: 0

Metasploit • added 2026/04/02 7:2 p.m. • 75 views

HTTP Fetch, Reverse HTTP Stager Proxy

Fetch and execute an x86 payload from an HTTP server. Tunnel communication over HTTP Module Options msf use payload/cmd/windows/http/x86/dllinject/reversehttpproxypstore msf payloadreversehttpproxypstore show actions ...actions... msf payloadreversehttpproxypstore set ACTION msf...

5.9 AI score
Exploits: 0

Metasploit • added 2022/05/11 5:43 p.m. • 75 views

Powershell Exec, Find Tag Ordinal Stager

Execute an x86 payload from a command via PowerShell. Use an established connection Module Options msf use payload/cmd/windows/powershell/peinject/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options... msf...

7.2 AI score
Exploits: 0

Metasploit • added 2022/05/11 5:43 p.m. • 75 views

Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)

Execute an x64 payload from a command via PowerShell. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/vncinject/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...

7.1 AI score
Exploits: 0

Metasploit • added 2022/05/11 5:43 p.m. • 75 views

Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager

Execute an x86 payload from a command via PowerShell. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/powershell/meterpreter/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...

7.1 AI score
Exploits: 0

Metasploit • added 2022/05/11 5:43 p.m. • 75 views

Powershell Exec, Windows x86 Bind Named Pipe Stager

Execute an x86 payload from a command via PowerShell. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/powershell/dllinject/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show option...

7.2 AI score
Exploits: 0

Metasploit • added 2022/03/16 5:42 p.m. • 75 views

Python Exec, Command Shell, Bind TCP (via python)

Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellbindtcp msf payloadshellbindtcp show actions ...actions...

7.2 AI score
Exploits: 0

Metasploit • added 2021/09/20 5:41 p.m. • 75 views

Geutebruck Camera Deface

This module will take an existing session on a vulnerable Geutebruck Camera and will allow the user to either freeze the camera and display the last image from the video stream, display an image on the camera, or restore the camera back to displaying the current feed/stream. Module Options msf us...

7 AI score
Exploits: 0

Metasploit • added 2021/04/17 5:41 p.m. • 75 views

Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection

This module exploits CVE-2020-5791, an OS command injection vulnerability in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user on NagiosXI version 5.6.0 to 5.7.3 inclusive exact user depends on t...

9 CVSS • 7.6 AI score • 0.78632 EPSS
Exploits: 7

Metasploit • added 2020/04/07 5:57 p.m. • 75 views

TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution

This module exploits a command injection vulnerability in the tdpServer daemon /usr/bin/tdpServer, running on the router TP-Link Archer A7/C7 AC1750, hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the route...

9.8 CVSS • 8.3 AI score • 0.73848 EPSS
Exploits: 7

Metasploit • added 2019/08/22 10:58 p.m. • 75 views

Ubiquiti airOS Arbitrary File Upload

This module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "m...

7.3 AI score
Exploits: 0

Metasploit • added 2019/07/31 4:59 p.m. • 75 views

Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth

This module generates a remember me cookie for a valid username. Through improper seeding while user data is requested from LDAP or OAuth, it's possible to craft a valid remember me cookie. This cookie can be used to bypass authentication by anyone who knows a valid username. !/usr/bin/env...

7.2 AI score
Exploits: 0

Metasploit • added 2017/05/23 12:18 p.m. • 75 views

Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free

This module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL is re-established on a NDMP connection that previously has had SSL established, the BIO struct for the connection's previous SSL session...

9.8 CVSS • 9.9 AI score • 0.71003 EPSS
Exploits: 4

Metasploit • added 2016/08/21 11:16 p.m. • 75 views

NetBSD mail.local Privilege Escalation

This module attempts to exploit a race condition in mail.local with SUID bit set on: NetBSD 7.0 - 7.0.1 (verified on 7.0.1), NetBSD 6.1 - 6.1.5, NetBSD 6.0 - 6.0.6. Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute. This module requires...

7.8 CVSS • 6.9 AI score • 0.03534 EPSS
Exploits: 5

Metasploit • added 2015/09/02 10:28 p.m. • 75 views

MS15-078 Microsoft Windows Font Driver Buffer Overflow

This module exploits a pool-based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by the Hacking Team and disclosed in the July data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64. This module requires...

8.8 CVSS • 6.8 AI score • 0.8669 EPSS
Exploits: 7

Metasploit • added 2014/05/28 7:31 p.m. • 75 views

Apache Axis2 Brute Force Utility

This module attempts to log in to an Apache Axis2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It has been verified to work on at least versions 1.4.1 and 1.6.2. This module requires Metasploit: https://metasploit.com/download...

10 CVSS • 7.5 AI score • 0.89871 EPSS
Exploits: 17

Metasploit • added 2014/03/12 10:25 a.m. • 75 views

Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)

This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. This exploit wa...

7.2 CVSS • 6.4 AI score • 0.1218 EPSS
Exploits: 8

Metasploit • added 2013/10/15 6:51 p.m. • 75 views

Telnet Login Check Scanner

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. This module requires Metasploit:...

7.5 CVSS • 7.2 AI score • 0.51933 EPSS
Exploits: 41

Metasploit • added 2013/09/12 7:36 p.m. • 75 views

Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation

This module exploits a vulnerability in EPATHOBJ::pprFlattenRec caused by the use of uninitialized data, which allows memory corruption. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1. This module requires Metasploit:...

7.8 CVSS • 6.3 AI score • 0.39578 EPSS
Exploits: 6

Metasploit • added 2013/01/18 12:0 a.m. • 75 views

Polycom Command Shell Authorization Bypass

The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prom...

4.8 AI score
Exploits: 0

Metasploit • added 2012/09/27 6:33 a.m. • 75 views

Dell iDRAC Default Login

This module attempts to log in to an iDRAC webserver instance using the default username and password. Tested against Dell Remote Access Controller 6 - Express version 1.50 and 1.85, Controller 7 - Enterprise 2.63.60.62, Controller 8 - Enterprise 2.83.05, Controller 9 - Enterprise 4.40.00.00. This module...

7.5 CVSS • 0.8 AI score • 0.51933 EPSS
Exploits: 41

Metasploit • added 2010/08/18 12:58 a.m. • 75 views

Authentication Capture: SMTP

This module provides a fake SMTP service that is designed to capture authentication credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Authentication Capture: SMTP', 'Description' = %...

7.5 AI score
Exploits: 0

Metasploit • added 2010/03/16 6:6 p.m. • 75 views

Adobe Acrobat Bundled LibTIFF Integer Overflow

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'zlib' class...

7.8 CVSS • 7.1 AI score • 0.88246 EPSS
Exploits: 12

Metasploit • added 2006/01/14 8:12 p.m. • 75 views

Unix Command Shell, Double Reverse TCP (telnet)

Creates an interactive shell through two inbound connections. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 130 include Msf::Payload::Single include...

7.1 AI score
Exploits: 0

Metasploit • added 2 days ago • 74 views

Peyara Remote Mouse 1.0.1 Unauthenticated Remote Code Execution

This module exploits an unauthenticated remote code execution vulnerability in Peyara Remote Mouse 1.0.1. The application exposes a Socket.IO WebSocket service on TCP port 1313 and accepts unauthenticated keyboard input events. The module sends keyboard events to open the Windows command prompt a...

6.5 AI score
Exploits: 0

Metasploit • added 2026/04/02 7:2 p.m. • 74 views

HTTP Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Listen for a connection Module Options msf use payload/cmd/windows/http/x86/custom/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show...

6 AI score
Exploits: 0

Metasploit • added 2022/05/11 5:43 p.m. • 74 views

Powershell Exec, Find Tag Ordinal Stager

Execute an x86 payload from a command via PowerShell. Use an established connection Module Options msf use payload/cmd/windows/powershell/meterpreter/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options... msf...

7.2 AI score
Exploits: 0

Metasploit • added 2020/04/27 3:50 p.m. • 74 views

Apache Shiro v1.2.4 Cookie RememberME Deserial RCE

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Shiro v1.2.4. Note that other versions of Apache Shiro may also be exploitable if the encryption key used by Shiro to encrypt rememberMe cookies is known. This module requires Metasploit:...

9.8 CVSS • 8.2 AI score • 0.93143 EPSS
Exploits: 9

Metasploit • added 2019/07/09 12:15 p.m. • 74 views

Windows NtUserSetWindowFNID Win32k User Callback

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Serv...

7.8 CVSS • 7.7 AI score • 0.70042 EPSS
Exploits: 9

Metasploit • added 2018/11/19 2:28 a.m. • 74 views

php imap_open Remote Code Execution

The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom...

7.5 CVSS • 0.1 AI score • 0.9523 EPSS
Exploits: 6

Metasploit • added 2016/09/30 3:25 a.m. • 74 views

Cisco IKE Information Disclosure

A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is d...

7.5 CVSS • 10 AI score • 0.87687 EPSS
Exploits: 7

Metasploit • added 2016/09/29 9:23 a.m. • 74 views

Linux BPF doubleput UAF Privilege Escalation

Linux kernel 4.4 'Linux BPF doubleput UAF Privilege Escalation', 'Description' = %q Linux kernel 4.4 4.5.5 extended Berkeley Packet Filter eBPF does not properly reference count file descriptors, resulting in a use-after-free, which can be abused to escalate privileges. The target system must be...

7.8 CVSS • 7.4 AI score • 0.10202 EPSS
Exploits: 5

Metasploit • added 2016/07/06 1:50 a.m. • 74 views

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process. This module requires Metasploit:...

7.8 CVSS • 0.7 AI score • 0.23383 EPSS
Exploits: 12

Metasploit • added 2015/05/19 8:49 a.m. • 74 views

Forward SSH Agent Requests To Remote Pageant

This module forwards SSH agent requests from a local socket to a remote Pageant instance. If a target Windows machine is compromised and is running Pageant, this will allow the attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are tunneled through the...

0.2 AI score
Exploits: 0

Metasploit • added 2014/08/25 8:24 p.m. • 74 views

Apple TV Image Remote Control

This module will show an image on an AppleTV device for a period of time. Some AppleTV devices are password-protected; in that case, set the PASSWORD datastore option. For password brute forcing, please see the module auxiliary/scanner/http/appletv_login. This module requires...

7.5 AI score
Exploits: 0

Metasploit • added 2013/08/30 9:28 p.m. • 74 views

Apple iOS Default SSH Password Vulnerability

This module exploits the default credentials of Apple iOS when it has been jailbroken and the passwords for the 'root' and 'mobile' users have not been changed. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require...

6.8 AI score
Exploits: 0

Metasploit • added 2013/02/11 3:10 a.m. • 74 views

Ruby on Rails Devise Authentication Password Reset

The Devise authentication gem for Ruby on Rails is vulnerable to a password reset exploit leveraging type confusion. By submitting XML to rails, we can influence the type used for the reset_password_token parameter. This allows for resetting passwords of arbitrary accounts, knowing only the...

6.8 CVSS • 0.1 AI score • 0.14126 EPSS
Exploits: 3

Metasploit • added 2011/02/26 4:54 a.m. • 74 views

Windows Capture Keystroke Recorder

This module can be used to capture keystrokes. To capture keystrokes when the session is running as SYSTEM, the MIGRATE option must be enabled and the CAPTURE_TYPE option should be set to one of Explorer, Winlogon, or a specific PID. To capture the keystrokes of the interactive user, the Explorer...

10 AI score
Exploits: 0

Metasploit • added 2009/07/21 1:4 a.m. • 74 views

Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow

This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted. This module...

10 CVSS • 0.6 AI score • 0.65934 EPSS
Exploits: 7

Total number of security vulnerabilities: 5000