NCR Command Center Agent Remote Code Execution
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter within an XML document sent to port 8089 that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. The...
TFTP Fetch
Fetch and execute an MIPSBE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/mipsbe/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
LDAP Password Disclosure
This module will gather passwords and password hashes from a target LDAP server via multiple techniques including Windows LAPS. For best results, run with SSL because some attributes are only readable over encrypted connections. Module Options msf use auxiliary/gather/ldappasswords msf...
TFTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline
Fetch and execute an ARMBE payload from a TFTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/tftp/armbe/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...
Windows Access Mode Mismatch LPE in ks.sys
The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default. There exists an LPE in this driver which can be exploited on many recent versions of Windows 10, Windows 11, Windows Server 2022. Module Options msf use...
TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Fetch and execute an AARCH64 payload from a TFTP server. dup2 socket in x12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/aarch64/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp sho...
Linux Gather ManageEngine Password Manager Pro Password Extractor
This module gathers the encrypted passwords stored by Password Manager Pro and decrypts them using key material stored in multiple configuration files. Module Options msf use post/linux/gather/manageenginepasswordmanagercreds msf postmanageenginepasswordmanagercreds show actions ...actions... msf...
Centreon authenticated command injection leading to RCE via broker engine "reload" parameter
Centreon is a platform designed to monitor your cloud and on-premises infrastructure. This module exploits a command injection vulnerability using the broker engine reload setting on the poller configuration page of the Centreon web application. Injecting a malicious payload at the broker engine...
HTTP Fetch, Windows MessageBox x64
Fetch and execute an x64 payload from an HTTP server. Spawn a dialog via MessageBox using a customizable title, text & icon Module Options msf use payload/cmd/windows/http/x64/messagebox msf payloadmessagebox show actions ...actions... msf payloadmessagebox set ACTION msf payloadmessagebox show...
CWP login.php Unauthenticated RCE
Control Web Panel versions use exploit/linux/http/controlwebpanellogincmdexec msf exploitcontrolwebpanellogincmdexec show targets ...targets... msf exploitcontrolwebpanellogincmdexec set TARGET msf exploitcontrolwebpanellogincmdexec show options ...show and set options... msf...
Bash Profile Persistence
This module writes an execution trigger to the target's Bash profile. The execution trigger executes a callback payload whenever the target user opens a Bash terminal. Verified on Ubuntu 22.04 and 18.04 desktop with Gnome. Module Options msf use exploit/linux/persistence/bashprofile msf...
Selenium chrome RCE
Selenium Server Grid before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. Module Options msf use exploit/linux/http/seleniumgreedchromercecve202228108 msf exploitseleniumgreedchromercecve20222810...
Roundcube TimeZone Authenticated File Disclosure
Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires...
Unauthenticated remote code execution in Ignition
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents and file_put_contents. This is exploitable on sites using debug mode with Laravel before 8.4.2. Module Options msf use...
LINQPad Deserialization
This module exploits a bug in LINQPad up to version 5.48.00. The bug is only exploitable in the paid version of the software. The core of the bug is a cache file containing deserialized data, which an attacker can overwrite with a malicious payload. The data gets deserialized every time the app restarts. Module...
Remote Code Execution Vulnerability in Vvveb
Vvveb CMS is vulnerable to code injection via the Code Editor functionality. Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem, allowing remote authenticated attackers with access to the Code Editor to achieve code execution wh...
TFTP Fetch
Fetch and execute an MIPSBE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/mipsbe/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show...
CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MST120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability. This module requires Metasploit:...
ReDoc API Docs UI Exposed
Detects publicly exposed ReDoc API documentation pages. The module performs safe, read-only GET requests and reports likely ReDoc instances based on HTML markers. Module Options msf use auxiliary/scanner/http/redocexposed msf auxiliaryredocexposed show actions ...actions... msf...
OS Command Exec, Unix Command Shell, Reverse TCP (via Ksh)
Execute an OS command from PHP. Connect back and create a command shell via Ksh. Note: Although Ksh is often available, please be aware it isn't usually installed by default. Module Options msf use payload/php/unix/cmd/reverseksh msf payloadreverseksh show actions ...actions... msf...
OS Command Exec, Unix Command Shell, Reverse TCP SSL (telnet)
Execute an OS command from PHP. Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL. Module Options msf use...
TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Fetch and execute an ARMLE payload from a TFTP server. dup2 socket in r12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/armle/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...
Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to a Confluence instance administrator. This module...
WordPress LearnPress Unauthenticated SQLi (CVE-2024-8522, CVE-2024-8529)
The LearnPress WordPress LMS Plugin up to version 4.2.7 is vulnerable to SQL injection via the 'conlyfields' and 'cfields' parameters. This allows unauthenticated attackers to exploit blind SQL injections and extract sensitive information. Module Options msf use...
F5 BIG-IP TMUI Directory Traversal and File Upload RCE
This module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMSH). The escape may not be reliable, and you may have ...
Rootkit Privilege Escalation Signal Hunter
This module searches for rootkits which use signals to elevate process privileges to UID 0 (root). Some rootkits install signal handlers which listen for specific signals to elevate process privileges. This module identifies these rootkits by sending signals and observing UID switching to root. Thi...
WonderCMS Remote Code Execution
This module exploits CVE-2023-41425, an authenticated file upload vulnerability affecting WonderCMS between 3.2.0 and 3.4.2. Module Options msf use exploit/multi/http/wondercmsrce msf exploitwondercmsrce show targets ...targets... msf exploitwondercmsrce set TARGET msf exploitwondercmsrce show...
FreeBSD rtsold/rtsol DNSSL Command Injection
This module exploits a command injection vulnerability (CVE-2025-14558) in FreeBSD's rtsol(8) and rtsold(8) programs. These programs do not validate the domain search list options provided in IPv6 Router Advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell...
Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE
This module exploits a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS that allows bypassing the Twig sandbox to achieve remote code execution. The cleanDangerousTwig method uses a weak regex that fails to sanitize nested Twig calls within the evaluate_twig function. To...
Netdata ndsudo privilege escalation
ndsudo is a tool shipped with Netdata Agent. Versions v1.45.0 and below contain a vulnerability that allows an attacker to escalate privileges using the ndsudo binary. The vulnerability is an untrusted search path used when searching for additional binary files, such as nvme. An attacker can...
TFTP Fetch
Fetch and execute an AARCH64 payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/aarch64/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show an...
WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)
The Photo Gallery by 10Web WordPress plugin use auxiliary/gather/wpphotogallerysqli msf auxiliarywpphotogallerysqli show actions ...actions... msf auxiliarywpphotogallerysqli set ACTION msf auxiliarywpphotogallerysqli show options ...show and set options... msf auxiliarywpphotogallerysqli run Thi...
Monsta FTP downloadFile Remote Code Execution
This module exploits a pre-authenticated remote code execution vulnerability in Monsta FTP versions use exploit/multi/http/monstaftpdownloadfilerce msf exploitmonstaftpdownloadfilerce show targets ...targets... msf exploitmonstaftpdownloadfilerce set TARGET msf exploitmonstaftpdownloadfilerce sho...
TFTP Fetch, Linux Execute Command
Fetch and execute an MIPSBE payload from a TFTP server. A very small shellcode for executing commands. This module is sometimes helpful for testing purposes. Module Options msf use payload/cmd/linux/tftp/mipsbe/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf...
Windows UAC Protection Bypass (Via FodHelper Registry Key)
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module...
OS Command Exec, Unix Command Shell, Bind TCP (via R)
Execute an OS command from PHP. Continually listen for a connection and spawn a command shell via R Module Options msf use payload/php/unix/cmd/bindr msf payloadbindr show actions ...actions... msf payloadbindr set ACTION msf payloadbindr show options ...show and set options... msf payloadbindr r...
TFTP Fetch, Linux Execute Command
Fetch and execute an MIPSLE payload from a TFTP server. A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space. Module Options msf use payload/cmd/linux/tftp/mipsle/exec msf payloadexec show...
Webmin /file/show.cgi Remote Command Execution
This module exploits an arbitrary command execution vulnerability in Webmin 1.580. The vulnerability exists in the /file/show.cgi component and allows an authenticated user, with access to the File Manager Module, to execute arbitrary commands with root privileges. The module has been tested...
Mikrotik Configuration Importer
This module imports a Mikrotik device configuration. Module Options msf use auxiliary/admin/networking/mikrotikconfig msf auxiliarymikrotikconfig show actions ...actions... msf auxiliarymikrotikconfig set ACTION msf auxiliarymikrotikconfig show options ...show and set options... msf...
Pretalx Arbitrary File Read/Limited File Write
This module exploits functionality in Pretalx that exports the conference schedule as a zipped file. Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allo...
OneDev Unauthenticated Arbitrary File Read
This module exploits an unauthenticated arbitrary file read vulnerability (CVE-2024-45309), which affects OneDev versions use auxiliary/gather/onedevarbitraryfileread msf auxiliaryonedevarbitraryfileread show actions ...actions... msf auxiliaryonedevarbitraryfileread set ACTION msf...
Twonky Server Log Leak Authentication Bypass
This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting an authorization flaw to access a privileged web API endpoint and leak application logs, encrypted administrator credentials are leaked (CVE-2025-13315). The exploit will then decrypt these credentials using...
OS Command Exec, Unix Command Shell, Bind TCP (via netcat -e) IPv6
Execute an OS command from PHP. Listen for a connection and spawn a command shell via netcat Module Options msf use payload/php/unix/cmd/bindnetcatgapingipv6 msf payloadbindnetcatgapingipv6 show actions ...actions... msf payloadbindnetcatgapingipv6 set ACTION msf payloadbindnetcatgapingipv6 show...
Apache RocketMQ update config RCE
RocketMQ versions 5.1.0 and below are vulnerable to Arbitrary Code Injection. The Broker component of RocketMQ is leaked on the extranet and lacks permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that...
TFTP Fetch
Fetch and execute a PPC64LE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/ppc64le/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and...
Rancher Authenticated API Credential Exposure
An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token used to provision clusters, were stored in plaintext directly on Kubernetes objects like Clusters, for example...
SMBv3 Compression Buffer Overflow
A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This remote exploit implementation leverages this flaw to execute code in the context of the kernel, finally yielding a session as NT AUTHORITY\SYSTE...
OS Command Exec, Unix Command Shell, Reverse TCP (via jjs)
Execute an OS command from PHP. Connect back and create a command shell via jjs Module Options msf use payload/php/unix/cmd/reversejjs msf payloadreversejjs show actions ...actions... msf payloadreversejjs set ACTION msf payloadreversejjs show options ...show and set options... msf...
Remote for Mac Unauthenticated RCE
This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac versions up to and including 2025.7 via the /api/executeScript endpoint. When authentication is disabled on the target system, it allows attackers to execute arbitrary AppleScript commands, which can...
Docker Container Escape Via runC Overwrite
This module leverages a flaw in runc to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the runc binary with the payload and waits for someone to use docker exec to get into the container. This will trigger t...