Metasploit • Most viewed

6845 matches found

Metasploit • added 2017/10/30 10:26 a.m. • 53 views

Linux Meterpreter, Reverse HTTP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1140752 include...

7.3 AI score • Exploits: 0

Metasploit • added 2017/10/23 2:20 p.m. • 53 views

Command Shell, Bind TCP (via python)

Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Python include Msf::Sessions::CommandShellOptions def initializeinfo =...

7.1 AI score • Exploits: 0

Metasploit • added 2017/07/18 6:13 p.m. • 53 views

Linux Meterpreter, Reverse TCP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1238560 include...

7.3 AI score • Exploits: 0

Metasploit • added 2015/11/12 8:36 p.m. • 53 views

vBulletin 5.1.2 Unserialize Code Execution

This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'vBulletin 5.1.2 Unserialize Code Execution', 'Description' ...

7.5 CVSS • 6.7 AI score • 0.80635 EPSS • Exploits: 12

Metasploit • added 2015/09/02 8:12 p.m. • 53 views

Jenkins-CI Unauthenticated Script-Console Scanner

This module scans for unauthenticated Jenkins-CI script consoles and executes the specified command. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'cgi' class MetasploitModule 'Jenkins-CI Unauthenticated...

9.8 CVSS • 7.2 AI score • 0.86829 EPSS • Exploits: 12

Metasploit • added 2015/08/23 7:16 p.m. • 53 views

Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

This module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Escalate UAC...

7.1 AI score • Exploits: 0

Metasploit • added 2015/05/14 10:36 p.m. • 53 views

Lenovo System Update Privilege Escalation

The named pipe, \SUPipeServer, can be accessed by normal users to interact with the System update service. The service provides the possibility to execute arbitrary commands as SYSTEM if a valid security token is provided. This token can be generated by calling the GetSystemInfoData function in t...

7.2 CVSS • 7.6 AI score • 0.04146 EPSS • Exploits: 5

Metasploit • added 2014/11/26 2:59 p.m. • 53 views

Windows Drive Formatter

This payload formats all mounted disks in Windows aka ShellcodeOfDeath. After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume. This module...

7.4 AI score • Exploits: 0

Metasploit • added 2014/07/22 10:17 p.m. • 53 views

MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation

A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently callin...

7.2 CVSS • 7.7 AI score • 0.23046 EPSS • Exploits: 21

Metasploit • added 2014/07/22 2:4 p.m. • 53 views

MQAC.sys Arbitrary Write Privilege Escalation

A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process. This module requires Metasploit: https://metasploit.com/download Current source:...

7.2 CVSS • 6.9 AI score • 0.23046 EPSS • Exploits: 21

Metasploit • added 2014/03/03 8:36 p.m. • 53 views

MantisBT Admin SQL Injection Arbitrary File Read

Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if an attacker can gain access to administrative credentials. This vuln was fixed in 1.2.17. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework clas...

6.5 CVSS • 0.8 AI score • 0.11311 EPSS • Exploits: 8

Metasploit • added 2014/01/24 12:4 a.m. • 53 views

Drupal OpenID External Entity Injection

This module abuses an XML External Entity Injection vulnerability on the OpenID module from Drupal. The vulnerability exists in the parsing of a malformed XRDS file coming from a malicious OpenID endpoint. This module has been tested successfully on Drupal 7.15 and 7.2 with the OpenID module...

5 CVSS • 6.8 AI score • 0.15812 EPSS • Exploits: 4

Metasploit • added 2014/01/09 12:26 a.m. • 53 views

Multi Gather Malware Verifier

This module will check a file for malware on VirusTotal based on the checksum. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/http' require 'uri' class MetasploitModule 'Multi Gather Malware Verifier',...

0.5 AI score • Exploits: 0

Metasploit • added 2013/10/12 6:1 p.m. • 53 views

MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research...

8.8 CVSS • 7.3 AI score • 0.8593 EPSS • Exploits: 23

Metasploit • added 2013/09/29 11:24 p.m. • 53 views

MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free

This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The...

9.3 CVSS • 0.8593 EPSS • Exploits: 18

Metasploit • added 2013/09/22 8:13 a.m. • 53 views

ZeroShell Remote Code Execution

This module exploits a vulnerability found in ZeroShell 2.0 RC2 and lower. It will leverage an unauthenticated local file inclusion vulnerability in the "/cgi-bin/kerbynet" url. The file retrieved is "/var/register/system/ldap/rootpw". This file contains the admin password in cleartext. The...

10 CVSS • 0.4 AI score • 0.90732 EPSS • Exploits: 2

Metasploit • added 2013/09/16 10:2 a.m. • 53 views

Windows Command Shell, Reverse TCP (via Lua)

Creates an interactive shell via Lua This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 224 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo ...

0.3 AI score • Exploits: 0

Metasploit • added 2013/09/10 4:30 a.m. • 53 views

Sophos Web Protection Appliance patience.cgi Directory Traversal

This module abuses a directory traversal in Sophos Web Protection Appliance, specifically on the /cgi-bin/patience.cgi component. This module has been tested successfully on the Sophos Web Virtual Appliance v3.7.0. This module requires Metasploit: https://metasploit.com/download Current source:...

5 CVSS • 0.7099 EPSS • Exploits: 10

Metasploit • added 2013/08/27 4:29 a.m. • 53 views

VMWare Setuid vmware-mount Unsafe popen(3)

VMWare Workstation up to and including 9.0.2 build-1031769 and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an...

6.9 CVSS • 6.8 AI score • 0.04638 EPSS • Exploits: 4

Metasploit • added 2013/07/15 8:2 p.m. • 53 views

Windows Gather Enumerate Active Domain Users

This module will enumerate computers included in the primary Domain and attempt to list all locations the targeted user has sessions on. If the HOST option is specified the module will target only that host. If the HOST is specified and USER is set to nil, all users logged into that host will be...

7.2 AI score • Exploits: 0

Metasploit • added 2013/02/12 5:44 p.m. • 53 views

Foxit Reader Plugin URL Processing Buffer Overflow

This module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit...

7.7 AI score • Exploits: 0

Metasploit • added 2013/02/11 10:48 p.m. • 53 views

Ruby on Rails JSON Processor YAML Deserialization Scanner

This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the JSON request processor. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ruby...

7.5 CVSS • 0.2 AI score • 0.99449 EPSS • Exploits: 22

Metasploit • added 2013/01/29 4:29 a.m. • 53 views

Windows Gather Credential Cache Dump

This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins. This module requires Metasploit: https://metasploit.com/download Current source:...

6.9 AI score • Exploits: 0

Metasploit • added 2013/01/29 3:5 a.m. • 53 views

Ruby on Rails JSON Processor YAML Deserialization Code Execution

This module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application...

7.5 CVSS • 0.2 AI score • 0.99449 EPSS • Exploits: 22

Metasploit • added 2012/09/04 8:58 p.m. • 53 views

Windows Manage Local Microsoft SQL Server Authorization Bypass

When this module is executed, it can be used to add a sysadmin to local SQL Server instances. It first attempts to gain LocalSystem privileges using the "getsystem" escalation methods. If those privileges are not sufficient to add a sysadmin, then it will migrate to the SQL Server service process...

7.8 AI score • Exploits: 0

Metasploit • added 2012/07/02 12:23 a.m. • 53 views

Windows Gather Unattended Answer File Enumeration

This module will check the file system for a copy of unattend.xml and/or autounattend.xml found in Windows Vista, or newer Windows systems. And then extract sensitive information such as usernames and decoded passwords. Also checks for '.vmimport' files that could have been created by the AWS EC2...

7.1 AI score • Exploits: 0

Metasploit • added 2012/06/22 10:21 p.m. • 53 views

Adobe Flash Player Object Type Confusion

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress...

9.3 CVSS • 7.5 AI score • 0.85698 EPSS • Exploits: 10

Metasploit • added 2012/02/16 9:10 a.m. • 53 views

Horde 3.3.12 Backdoor Arbitrary PHP Code Execution

This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Horde...

7.5 CVSS • 0.4 AI score • 0.71897 EPSS • Exploits: 8

Metasploit • added 2011/12/14 6:27 a.m. • 53 views

Windows Command Shell, Bind TCP (via perl) IPv6

Listen for a connection and spawn a command shell via perl persistent This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 140 include Msf::Payload::Single include...

7.5 AI score • Exploits: 0

Metasploit • added 2011/11/15 4:29 p.m. • 53 views

Windows Gather Wireless Profile

This module extracts saved Wireless LAN profiles. It will also try to decrypt the network key material. Behavior is slightly different between OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key. This module requires...

7 AI score • Exploits: 0

Metasploit • added 2011/11/07 5:34 p.m. • 53 views

TYPO3 sa-2010-020 Remote File Disclosure

This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes. Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0. This flaw can be used to read any file that the web server user account has access to view. This module requires Metasploit:...

7.1 CVSS • 6.1 AI score • 0.24558 EPSS • Exploits: 7

Metasploit • added 2011/10/27 12:54 a.m. • 53 views

Windows Gather Enumerate Domain Tokens

This module enumerates domain account tokens, processes running under domain accounts, and domain users in the local Administrators, Users and Backup Operator groups. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

0.4 AI score • Exploits: 0

Metasploit • added 2011/09/20 12:41 a.m. • 53 views

HTTP Writable Path PUT/DELETE File Access

This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE. PUT is the default. If filename isn't specified, the module will generate a random string for you as a .txt file. If DELETE is used, a filename is...

7.1 AI score • Exploits: 0

Metasploit • added 2011/08/19 6:35 p.m. • 53 views

Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

This module exploits an authentication bypass vulnerability in login.php. In conjunction with the authentication bypass issue, the 'jlist' parameter in propertybox.php can be used to execute arbitrary system commands. This module was tested against Oracle Secure Backup version 10.3.0.1.0 This...

5 CVSS • 1 AI score • 0.5156 EPSS • Exploits: 6

Metasploit • added 2011/08/19 6:35 p.m. • 53 views

Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution

Symantec System Center Alert Management System is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...

10 CVSS • 10 AI score • 0.8793 EPSS • Exploits: 8

Metasploit • added 2011/04/24 7:28 p.m. • 53 views

Windows Gather Apple iOS MobileSync Backup File Collection

This module will collect sensitive files from any on-disk iOS device backups This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'English' class MetasploitModule 'Windows Gather Apple iOS MobileSync Backup File...

6.9 AI score • Exploits: 0

Metasploit • added 2009/09/19 12:33 a.m. • 53 views

HP Web JetAdmin 6.5 Server Arbitrary Command Execution

This module abuses a command execution vulnerability within the web based management console of the Hewlett-Packard Web JetAdmin network printer tool v6.2 - v6.5. It is possible to execute commands as SYSTEM without authentication. The vulnerability also affects POSIX systems, however at this sta...

7.9 AI score • Exploits: 0

Metasploit • added 2008/03/01 2:2 a.m. • 53 views

Symantec BackupExec Calendar Control Buffer Overflow

This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control. By sending an overly long string to the "DOWText0" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code. This module requires Metasploit:...

9.3 CVSS • 7.8 AI score • 0.50419 EPSS • Exploits: 8

Metasploit • added 2007/02/17 1:52 p.m. • 53 views

Sun Solaris Telnet Remote Authentication Bypass Vulnerability

This module exploits the argument injection vulnerability in the telnet daemon in.telnetd of Solaris 10 and 11. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Sun Solaris Telnet Remote...

10 CVSS • 7.4 AI score • 0.97848 EPSS • Exploits: 13

Metasploit • added 2006/10/01 4:50 p.m. • 53 views

Windows Executable Download (http,https,ftp) and Execute

Download an EXE from an HTTPS/FTP URL and execute it This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 429 include Msf::Payload::Windows include Msf::Payload::Single include...

7.6 AI score • Exploits: 0

Metasploit • added 2019/09/25 8:58 p.m. • 52 views

Chrome Debugger Arbitrary File Read / Arbitrary Web Request

This module uses the Chrome Debugger's API to read files off the remote file system, or to make web requests from a remote machine. Useful for cloud metadata endpoints! This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

0.3 AI score • Exploits: 0

Metasploit • added 2019/04/12 7:1 p.m. • 52 views

LibreOffice Macro Code Execution

LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. A macro can be tied to a program event by including the script that contains the macro and the function name to be executed. Additionally, a directory traversal vulnerability exis...

9.8 CVSS • 9.2 AI score • 0.67547 EPSS • Exploits: 10

Metasploit • added 2018/12/16 2:21 p.m. • 52 views

Oracle Weblogic Server Deserialization RCE - RMI UnicastRef

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object sun.rmi.server.UnicastRef to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...

9.8 CVSS • 10 AI score • 0.97301 EPSS • Exploits: 14

Metasploit • added 2018/09/20 10:26 p.m. • 52 views

Linux Meterpreter, Reverse HTTP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1062084 include...

7.3 AI score • Exploits: 0

Metasploit • added 2018/09/06 12:56 a.m. • 52 views

Ghostscript Failed Restore Command Execution

This module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore grestore in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick. This module requires Metasploit:...

7.8 CVSS • 7.8 AI score • 0.92499 EPSS • Exploits: 4

Metasploit • added 2018/08/06 9:31 a.m. • 52 views

Apache Spark Unauthenticated Command Execution

This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API. It uses the function CreateSubmissionRequest to submit a malicious java class and trigger it. This module requires Metasploit: https://metasploit.com/download Curre...

4.2 CVSS • 7.3 AI score • 0.65937 EPSS • Exploits: 2

Metasploit • added 2018/06/05 9:27 p.m. • 52 views

Windows SMB Multi Dropper

Depending on the given filename extension, this module creates either a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference to the specified remote host, causing SMB connections to be initiated from any user that views the file. This module requires Metasploit:...

Exploits: 0

Metasploit • added 2017/12/12 3:23 p.m. • 52 views

Apple_iOS Meterpreter, Reverse HTTP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 796904 include...

7.3 AI score • Exploits: 0

Metasploit • added 2017/07/14 8:2 p.m. • 52 views

Identify endpoints speaking the Remote Desktop Protocol (RDP)

This module attempts to connect to the specified Remote Desktop Protocol port and determines if it speaks RDP. When available, the Credential Security Support Provider CredSSP protocol will be used to identify the version of Windows on which the server is running. Enabling the DETECTNLA option wi...

Exploits: 0

Metasploit • added 2017/07/05 8:48 a.m. • 52 views

Metasploit RPC Console Command Execution

This module connects to a specified Metasploit RPC server and uses the 'console.write' procedure to execute operating system commands. Valid credentials are required to access the RPC interface. This module has been tested successfully on Metasploit 4.15 on Kali 1.0.6; Metasploit 4.14 on Kali...

7.3 AI score • Exploits: 0

Total number of security vulnerabilities: 5000