Metasploit: Most viewed

6846 matches found

Metasploit • added 2021/09/28 5:42 p.m. • 62 views

KakaoTalk Credential Gatherer

This module searches for KakaoTalk credentials on a Windows host. KakaoTalk is a popular mobile messaging app most widely used in South Korea. Module Options msf use post/windows/gather/credentials/kakaotalk msf postkakaotalk show actions ...actions... msf postkakaotalk set ACTION msf postkakaota...

7 AI score
Exploits: 0

Metasploit • added 2021/09/28 5:42 p.m. • 62 views

Seamonkey Credential Gatherer

This module searches for seamonkey credentials on a Windows host. Module Options msf use post/windows/gather/credentials/seamonkey msf postseamonkey show actions ...actions... msf postseamonkey set ACTION msf postseamonkey show options ...show and set options... msf postseamonkey run This module...

7.1 AI score
Exploits: 0

Metasploit • added 2021/09/23 5:42 p.m. • 62 views

Direct windows syscall evasion technique

This module allows you to generate a Windows EXE that evades host-based security products such as EDR/AVs. It uses direct Windows syscalls to achieve stealthiness and avoid EDR hooking. Please try to use payloads that use a more secure transfer channel such as HTTPS or RC4 in order to avoid...

7 AI score
Exploits: 0

Metasploit • added 2020/06/21 8:36 p.m. • 62 views

Cisco Gather Device General Information

This module collects a Cisco IOS or NXOS device information and configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco Gather Device General Information', 'Description' = %q This...

0.4 AI score
Exploits: 0

Metasploit • added 2020/04/22 4:37 a.m. • 62 views

Multi Manage the screen of the target meterpreter session

This module allows you to view and control the screen of the target computer via a local browser window. The module continually screenshots the target screen and also relays all mouse and keyboard events to session. This module requires Metasploit: https://metasploit.com/download Current source:...

6.7 AI score
Exploits: 0

Metasploit • added 2018/09/29 11:59 a.m. • 62 views

Zahir Enterprise Plus 6 Stack Buffer Overflow

This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below. The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters via Import from other File. This results in overwriting a structured exception handler...

7.8 CVSS • 7.4 AI score • 0.18968 EPSS
Exploits: 8

Metasploit • added 2017/12/18 10:32 p.m. • 62 views

Cambium cnPilot r200/r201 Command Execution as 'root'

Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to 4.3.3-R4 contain an undocumented backdoor 'root' shell. This shell is accessible via a specific URL to any authenticated user. The module uses this shell to execute arbitrary system commands as 'root'. This module requires...

8.8 CVSS • 7.7 AI score • 0.39181 EPSS
Exploits: 2

Metasploit • added 2017/10/26 8:1 p.m. • 62 views

Script Web Delivery

This module quickly fires up a web server that serves a payload. The module will provide a command to be run on the target machine based on the selected target. The provided command will download and execute a payload using either a specified scripting language interpreter or "squiblydoo" via...

7.4 AI score
Exploits: 0

Metasploit • added 2017/08/30 2:10 a.m. • 62 views

Supervisor XML-RPC Authenticated Remote Code Execution

This module exploits a vulnerability in the Supervisor process control software, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how...

8.8 CVSS • 0.7 AI score • 0.87544 EPSS
Exploits: 10

Metasploit • added 2017/08/21 1:25 a.m. • 62 views

Unix Command Shell, Reverse TCP (via R)

Connect back and create a command shell via R This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 157 include Msf::Payload::Single include Msf::Payload::R include...

Exploits: 0

Metasploit • added 2017/02/16 3:33 a.m. • 62 views

Netgear R7000 and R6400 cgi-bin Command Injection

This module exploits an arbitrary command injection vulnerability in Netgear R7000 and R6400 router firmware version 1.0.7.21.1.93 and possibly earlier. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

8.8 CVSS • 10 AI score • 0.99781 EPSS
Exploits: 9

Metasploit • added 2017/01/26 10:18 p.m. • 62 views

mDNS Spoofer

This module will listen for mDNS multicast requests on 5353/udp for A and AAAA record queries, and respond with a spoofed IP address assuming the request matches our regex. This module requires Metasploit: https://metasploit.com/download Current source:...

7 AI score
Exploits: 0

Metasploit • added 2016/08/04 3:56 p.m. • 62 views

NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset

The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an administrator password reset on the exposed web management interface. Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware before v1.7.6, otherwise you...

7.5 CVSS • 7.3 AI score • 0.53715 EPSS
Exploits: 6

Metasploit • added 2016/04/01 1:42 a.m. • 62 views

Z/OS (MVS) Command Shell, Reverse TCP

Provide JCL which creates a reverse shell This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically. This module requires Metasploit: https://metasploit.com/download Current source:...

7 AI score
Exploits: 0

Metasploit • added 2015/07/15 6:4 p.m. • 62 views

Windows Post Kill Antivirus and Hips

This module attempts to locate and terminate any processes that are identified as being Antivirus or Host-based IPS related. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Post Kill...

0.4 AI score
Exploits: 0

Metasploit • added 2015/05/18 4:33 a.m. • 62 views

Python Meterpreter, Python Reverse TCP Stager with UUID Support

Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker with UUID Support This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...

0.3 AI score
Exploits: 0

Metasploit • added 2014/11/08 11:28 a.m. • 62 views

ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection

ManageEngine Password Manager Pro PMP has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use his privileges to dump the whole password database in CS...

6.5 CVSS • 0.33591 EPSS
Exploits: 9

Metasploit • added 2014/05/29 4:45 p.m. • 62 views

MS14-009 .NET Deployment Service IE Sandbox Escape

This module abuses a process creation policy in Internet Explorer's sandbox, specifically in the .NET Deployment Service dfsvc.exe, which allows the attacker to escape the Enhanced Protected Mode, and execute code with Medium Integrity. This module requires Metasploit:...

9.3 CVSS • 7.7 AI score • 0.69801 EPSS
Exploits: 6

Metasploit • added 2013/09/05 7:40 p.m. • 62 views

Multi Gather Firefox Signon Credential Collection

This module will collect credentials from the Firefox web browser if it is installed on the targeted machine. Additionally, cookies are downloaded, which could potentially yield valid web sessions. Firefox stores passwords within the signons.sqlite database file. There is also a keys3.db file whi...

6.8 AI score
Exploits: 0

Metasploit • added 2013/05/12 2:27 p.m. • 62 views

Windows Manage Remote Point-to-Point Tunneling Protocol

This module initiates a PPTP connection to a remote machine VPN server. Once the tunnel is created we can use it to force the victim traffic to go through the server getting a man in the middle attack. Be sure to allow forwarding and masquerading on the VPN server mitm. This module requires...

6.9 AI score
Exploits: 0

Metasploit • added 2012/12/07 5:7 p.m. • 62 views

Splunk Custom App Remote Code Execution

This module exploits a feature of Splunk whereby a custom application can be uploaded through the web based interface. Through the 'script' search command a user can call commands defined in their custom application which includes arbitrary perl or python code. To abuse this behavior, a valid...

10 AI score
Exploits: 0

Metasploit • added 2012/12/06 9:56 a.m. • 62 views

Oracle MySQL for Microsoft Windows MOF Execution

This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers due to the use of a .mof file. This may result in arbitrary code execution under the context of SYSTEM. This module requires a valid MySQL account on the target machine. This module...

6 CVSS • 8 AI score • 0.31664 EPSS
Exploits: 15

Metasploit • added 2012/09/25 3:47 p.m. • 62 views

phpMyAdmin 3.5.2.2 server_sync.php Backdoor

This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'phpMyAdmin...

7.5 CVSS • 0.7 AI score • 0.74515 EPSS
Exploits: 3

Metasploit • added 2010/12/29 8:30 p.m. • 62 views

MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)

This module exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to explo...

7.8 CVSS • 7.2 AI score • 0.89497 EPSS
Exploits: 14

Metasploit • added 2010/12/25 6:31 a.m. • 62 views

SNMP Enumeration Module

This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public". This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewor...

7.5 CVSS • 7.4 AI score • 0.27166 EPSS
Exploits: 3

Metasploit • added 2010/02/01 3:56 a.m. • 62 views

Novell iPrint Client ActiveX Control Date/Time Buffer Overflow

This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this...

9.3 CVSS • 7.9 AI score • 0.37524 EPSS
Exploits: 9

Metasploit • added 2009/12/13 6:56 a.m. • 62 views

MS09-020 IIS6 WebDAV Unicode Authentication Bypass

This module attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication. This module...

7.5 CVSS • 7.3 AI score • 0.98447 EPSS
Exploits: 5

Metasploit • added 2009/07/21 12:56 p.m. • 62 views

Unix Command Shell, Reverse TCP (via netcat)

Creates an interactive shell via netcat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...

7.4 AI score
Exploits: 0

Metasploit • added 2006/01/16 3:48 a.m. • 62 views

Oracle 9i XDB FTP UNLOCK Overflow (win32)

By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database XDB, during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat...

2.1 CVSS • 0.7 AI score • 0.68548 EPSS
Exploits: 26

Metasploit • added 2022/03/16 5:42 p.m. • 61 views

Python Exec, Python Pingback, Reverse TCP (via python)

Execute a Python payload as an OS command from a Posix-compatible shell. Connects back to the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/unix/python/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION...

7.2 AI score
Exploits: 0

Metasploit • added 2021/09/28 5:42 p.m. • 61 views

Tlen Credential Gatherer

This module searches for Tlen credentials on a Windows host. Tlen is a free Polish instant messaging service. Module Options msf use post/windows/gather/credentials/tlen msf posttlen show actions ...actions... msf posttlen set ACTION msf posttlen show options ...show and set options... msf posttl...

7.1 AI score
Exploits: 0

Metasploit • added 2021/02/23 5:41 p.m. • 61 views

Apache Flink JAR Upload Java Code Execution

This module uses job functionality in Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu...

7.8 AI score
Exploits: 0

Metasploit • added 2020/10/01 5:41 p.m. • 61 views

Safari in Operator Side Effect Exploit

This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion CVE-2020-9850. The type confusion c...

9.8 CVSS • 7.3 AI score • 0.77246 EPSS
Exploits: 3

Metasploit • added 2020/05/23 8:20 a.m. • 61 views

vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection

This module exploits a SQL injection vulnerability found in vBulletin 5.6.1 and earlier. This module uses the getIndexableContent vulnerability to reset the administrator's password; it then uses the administrator's login information to achieve RCE on the target. This module has been tested...

9.8 CVSS • 7.9 AI score • 0.88948 EPSS
Exploits: 13

Metasploit • added 2019/07/26 12:42 a.m. • 61 views

Linux x64 Pingback, Bind TCP Inline

Accept a connection from attacker and report UUID Linux x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 109 include Msf::Payload::Linux::X64::Prepends include...

7.3 AI score
Exploits: 0

Metasploit • added 2019/04/18 5:15 p.m. • 61 views

SystemTap MODPROBE_OPTIONS Privilege Escalation

This module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be specified in the...

7.2 CVSS • 6.7 AI score • 0.04797 EPSS
Exploits: 10

Metasploit • added 2019/02/03 5:38 a.m. • 61 views

Evince CBT File Command Injection

This module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book .cbt files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited...

7.8 CVSS • 0.3 AI score • 0.50076 EPSS
Exploits: 9

Metasploit • added 2019/01/12 9:14 a.m. • 61 views

AddressSanitizer (ASan) SUID Executable Privilege Escalation

This module attempts to gain root privileges on Linux systems using setuid executables compiled with AddressSanitizer ASan. ASan configuration related environment variables are permitted when executing setuid executables built with libasan. The logpath option can be set using the ASANOPTIONS...

7.6 AI score
Exploits: 0

Metasploit • added 2017/12/14 3:23 p.m. • 61 views

Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)

Acting in the role of a Pyrotechnical Device Deployment Tool PDT, this module will first query all Pyrotechnic Control Units PCUs in the target vehicle to discover how many pyrotechnic devices are present, then attempt to validate the security access token using the default simplified algorithm. ...

4.7 CVSS • 0.3 AI score • 0.00994 EPSS
Exploits: 1

Metasploit • added 2017/07/31 4:26 a.m. • 61 views

Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)

This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated...

7.1 AI score
Exploits: 0

Metasploit • added 2017/06/14 12:4 p.m. • 61 views

IPFire proxy.cgi RCE

IPFire, a free linux based open source firewall distribution, version 'IPFire proxy.cgi RCE', 'Description' = %q IPFire, a free linux based open source firewall distribution, version 'h00die ', module '0x09AL' discovery , 'References' = 'CVE', '2017-9757' , 'EDB', '42149' , 'License' = MSFLICENSE...

8.8 CVSS • 7.2 AI score • 0.38498 EPSS
Exploits: 2

Metasploit • added 2016/09/11 7:15 a.m. • 61 views

Siemens Profinet Scanner

This module will use Layer2 packets, known as Profinet Discovery packets, to detect all Siemens and sometimes other devices on a network. It is perfectly SCADA-safe, as there will only be ONE single packet sent out. Devices will respond with their IP configuration and hostnames. Created by XiaK...

7.3 AI score
Exploits: 0

Metasploit • added 2015/09/30 11:24 a.m. • 61 views

Zemra Botnet CnC Web Panel Remote Code Execution

This module exploits the CnC web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra. This module requires Metasploit: https://metasploit.com/download Current...

6.7 AI score
Exploits: 0

Metasploit • added 2015/05/26 5:51 a.m. • 61 views

Android Settings Remove Device Locks (4.0-4.3)

This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class. Any unprivileged app can exploit this vulnerability to remove the lockscreen. A logic flaw / design error exists in the settings application that allows an Intent from any application to clear the...

8.8 CVSS • 10 AI score • 0.08896 EPSS
Exploits: 2

Metasploit • added 2015/03/12 4:46 a.m. • 61 views

Microsoft Windows Shell LNK Code Execution

This module exploits a vulnerability in the MS10-046 patch to abuse again the handling of Windows Shortcut files .LNK that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the...

9.3 CVSS • 7 AI score • 0.71075 EPSS
Exploits: 16

Metasploit • added 2014/03/21 3:29 a.m. • 61 views

FreePBX config.php Remote Code Execution

This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11. It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php" parameters "function" and "args". This module requires Metasploit: https://metasploit.com/download Current source:...

7.5 CVSS • 7.2 AI score • 0.52186 EPSS
Exploits: 12

Metasploit • added 2013/12/09 6:49 p.m. • 61 views

Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection

This module exploits a SQL injection vulnerability in the "explorer" action of "miqpolicy" controller of the Red Hat CloudForms Management Engine 5.1 ManageIQ Enterprise Virtualization Manager 5.0 and earlier by changing the password of the target account to the specified password. This module...

7.5 CVSS • 8.2 AI score • 0.15659 EPSS
Exploits: 3

Metasploit • added 2013/12/03 1:23 p.m. • 61 views

Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability

This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. This module was created as an exercise in the Metasploi...

10 CVSS • 7.4 AI score • 0.65618 EPSS
Exploits: 10

Metasploit • added 2013/08/15 11:34 p.m. • 61 views

Java storeImageArray() Invalid Array Indexing Vulnerability

This module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested...

9.8 CVSS • 7.9 AI score • 0.98704 EPSS
Exploits: 10

Metasploit • added 2013/03/30 12:59 a.m. • 61 views

Windows Gather Deleted Files Enumeration and Recovering

This module lists and attempts to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Leave this option empty to enumerate deleted files in the DRIVE. Set FILES to an extension e.g., "pdf" to recover deleted files with that extension, or set FILES to a comma...

6.9 AI score
Exploits: 0

Total number of security vulnerabilities: 5000