6849 matches found
Python Exec, Python Meterpreter Shell, Reverse HTTP Inline
Execute a Python payload as an OS command from a Posix-compatible shell. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp...
Kubernetes Enumeration
Enumerate a Kubernetes API to report useful resources such as available namespaces, pods, secrets, etc. Useful resources will be highlighted using the HIGHLIGHTNAMEPATTERN option. Module Options msf use auxiliary/cloud/kubernetes/enumkubernetes msf auxiliaryenumkubernetes show actions ...actions...
Haserl Arbitrary File Reader
This module exploits haserl prior to 0.9.36 to read arbitrary files. The most widely accepted exploitation vector is reading /etc/shadow, which will reveal root's hash for cracking. Module Options msf use post/linux/gather/haserlread msf posthaserlread show actions ...actions... msf posthaserlrea...
Safari in Operator Side Effect Exploit
This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion CVE-2020-9850. The type confusion c...
Cisco Gather Device General Information
This module collects a Cisco IOS or NXOS device information and configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco Gather Device General Information', 'Description' = %q This...
Multi Manage the screen of the target meterpreter session
This module allows you to view and control the screen of the target computer via a local browser window. The module continually screenshots the target screen and also relays all mouse and keyboard events to session. This module requires Metasploit: https://metasploit.com/download Current source:...
Evince CBT File Command Injection
This module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book .cbt files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited...
WordPress WP GDPR Compliance Plugin Privilege Escalation
The Wordpress GDPR Compliance plugin 'WordPress WP GDPR Compliance Plugin Privilege Escalation', 'Description' = %q The Wordpress GDPR Compliance plugin = v1.4.2 allows unauthenticated users to set wordpress administration options by overwriting values within the database. The vulnerability is...
Cambium cnPilot r200/r201 Command Execution as 'root'
Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to 4.3.3-R4, contain an undocumented, backdoor 'root' shell. This shell is accessible via a specific url, to any authenticated user. The module uses this shell to execute arbitrary system commands as 'root'. This module requires...
Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)
Acting in the role of a Pyrotechnical Device Deployment Tool PDT, this module will first query all Pyrotechnic Control Units PCUs in the target vehicle to discover how many pyrotechnic devices are present, then attempt to validate the security access token using the default simplified algorithm. ...
Unix Command Shell, Reverse TCP (via R)
Connect back and create a command shell via R This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 157 include Msf::Payload::Single include Msf::Payload::R include...
NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset
The NVRmini 2 Network Video Recorded and the ReadyNAS Surveillance application are vulnerable to an administrator password reset on the exposed web management interface. Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware before v1.7.6, otherwise you...
Z/OS (MVS) Command Shell, Reverse TCP
Provide JCL which creates a reverse shell This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically. This module requires Metasploit: https://metasploit.com/download Current source:...
Zemra Botnet CnC Web Panel Remote Code Execution
This module exploits the CnC web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra. This module requires Metasploit: https://metasploit.com/download Current...
Windows Post Kill Antivirus and Hips
This module attempts to locate and terminate any processes that are identified as being Antivirus or Host-based IPS related. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Post Kill...
Python Meterpreter, Python Reverse TCP Stager with UUID Support
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker with UUID Support This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...
Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
This module exploits a SQL injection vulnerability in the "explorer" action of "miqpolicy" controller of the Red Hat CloudForms Management Engine 5.1 ManageIQ Enterprise Virtualization Manager 5.0 and earlier by changing the password of the target account to the specified password. This module...
Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability
This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. This module was created as an exercise in the Metasploi...
OpenMediaVault Cron Remote Command Execution
OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system including root. This module requires Metasploit: https://metasploit.com/download Current source:...
Multi Gather Firefox Signon Credential Collection
This module will collect credentials from the Firefox web browser if it is installed on the targeted machine. Additionally, cookies are downloaded. Which could potentially yield valid web sessions. Firefox stores passwords within the signons.sqlite database file. There is also a keys3.db file whi...
Windows Manage Remote Point-to-Point Tunneling Protocol
This module initiates a PPTP connection to a remote machine VPN server. Once the tunnel is created we can use it to force the victim traffic to go through the server getting a man in the middle attack. Be sure to allow forwarding and masquerading on the VPN server mitm. This module requires...
WordPress Plugin Google Document Embedder Arbitrary File Disclosure
This module exploits an arbitrary file disclosure flaw in the WordPress blogging software plugin known as Google Document Embedder. The vulnerability allows for database credential disclosure via the /libs/pdf.php script. The Google Document Embedder plug-in versions 2.4.6 and below are vulnerabl...
Splunk Custom App Remote Code Execution
This module exploits a feature of Splunk whereby a custom application can be uploaded through the web based interface. Through the 'script' search command a user can call commands defined in their custom application which includes arbitrary perl or python code. To abuse this behavior, a valid...
phpMyAdmin 3.5.2.2 server_sync.php Backdoor
This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'phpMyAdmin...
Apache Struts Remote Command Execution
This module exploits a remote command execution vulnerability in Apache Struts versions 'Apache Struts Remote Command Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions 'Johannes Dahse', Vulnerability discovery and PoC 'Andreas...
Multi Gather Skype User Data Enumeration
This module will enumerate Skype account settings, contact list, call history, chat logs, file transfer history, and voicemail logs, saving all the data to CSV files for analysis. This module requires Metasploit: https://metasploit.com/download Current source:...
Ability Server 2.34 STOR Command Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Ability Server 2.34. Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands, which leads to a stack based buffer overflow. This plugin uses the 'STOR' command. The vulnerability has been confirmed on version 2.34 and...
7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow...
SNMP Enumeration Module
This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public". This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewor...
Novell iPrint Client ActiveX Control Date/Time Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this...
MS09-020 IIS6 WebDAV Unicode Authentication Bypass
This module attempts to to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication. This module...
Python Exec, Python Pingback, Reverse TCP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Connects back to the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/unix/python/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION...
Tlen Credential Gatherer
This module searches for Tlen credentials on a Windows host. Tlen is a free Polish instant messaging service. Module Options msf use post/windows/gather/credentials/tlen msf posttlen show actions ...actions... msf posttlen set ACTION msf posttlen show options ...show and set options... msf posttl...
Apache Flink JAR Upload Java Code Execution
This module uses job functionality in Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu...
vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
This module exploits a SQL injection vulnerability found in vBulletin 5.6.1 and earlier This module uses the getIndexableContent vulnerability to reset the administrators password, it then uses the administrators login information to achieve RCE on the target. This module has been tested...
SSH Key Persistence
This module will add an SSH key to a specified user or all, to allow remote login via SSH at any time. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'sshkey' class MetasploitModule 'SSH Key Persistence',...
Windows Gather TeamViewer Passwords
This module will find and decrypt stored TeamViewer passwords This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework @blurbdust based this code off of...
Linux x64 Pingback, Bind TCP Inline
Accept a connection from attacker and report UUID Linux x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 109 include Msf::Payload::Linux::X64::Prepends include...
SystemTap MODPROBE_OPTIONS Privilege Escalation
This module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be specified in the...
AddressSanitizer (ASan) SUID Executable Privilege Escalation
This module attempts to gain root privileges on Linux systems using setuid executables compiled with AddressSanitizer ASan. ASan configuration related environment variables are permitted when executing setuid executables built with libasan. The logpath option can be set using the ASANOPTIONS...
Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated...
Siemens Profinet Scanner
This module will use Layer2 packets, known as Profinet Discovery packets, to detect all Siemens and sometimes other devices on a network. It is perfectly SCADA-safe, as there will only be ONE single packet sent out. Devices will respond with their IP configuration and hostnames. Created by XiaK...
Android Settings Remove Device Locks (4.0-4.3)
This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class. Any unprivileged app can exploit this vulnerability to remove the lockscreen. A logic flaw / design error exists in the settings application that allows an Intent from any application to clear the...
Microsoft Windows Shell LNK Code Execution
This module exploits a vulnerability in the MS10-046 patch to abuse again the handling of Windows Shortcut files .LNK that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the...
WordPress WP EasyCart Plugin Privilege Escalation
The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated users of any user level to set any system option via a lack of validation in the ecajaxupdateoption and ecajaxclearalltaxrates functions located in /inc/admin/adminajaxfunctions.php. The module first changes the...
NTP Mode 7 GET_RESTRICT DRDoS Scanner
This module identifies NTP servers which permit "reslist" queries and obtains the list of restrictions placed on various network interfaces, networks or hosts. The reslist feature allows remote attackers to cause a distributed, reflected denial of service aka, "DRDoS" or traffic amplification via...
Java storeImageArray() Invalid Array Indexing Vulnerability
This module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested...
Windows Gather Deleted Files Enumeration and Recovering
This module lists and attempts to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Leave this option empty to enumerate deleted files in the DRIVE. Set FILES to an extension e.g., "pdf" to recover deleted files with that extension, or set FILES to a comma...
FTP Authentication Scanner
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. This module requires Metasploit: https://metasploit.com/download...
Windows AlwaysInstallElevated MSI
This module checks the AlwaysInstallElevated registry keys which dictates if .MSI files should be installed with elevated privileges NT AUTHORITY\SYSTEM. The generated .MSI file has an embedded executable which is extracted and run by the installer. After execution the .MSI file intentionally fai...