6841 matches found
Service System V Persistence
This module will create a service via System V on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services. Some systems include backwards compatibility, such as Ubuntu up to about 16.04. Targets: CentOS use...
Periodic Script Persistence
This module will achieve persistence by writing a script to the /etc/periodic directory. According to The Art of Mac Malware no such malware species persist in this manner 2024. This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux. Module Options msf use...
Remote Code Execution Vulnerability in MotionEye Frontend (CVE-2025-60787)
This module exploits a template injection vulnerability in the MotionEye Frontend. MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as imagefilename. Unsanitized user input is written to MotionEye Frontend configuration files,...
Listmonk Insecure Sprig Template Functions Environment Disclosure
This module exploits insecure Sprig template functions in Listmonk versions prior to v5.0.2. The env and expandenv functions are enabled by default, allowing authenticated users with campaign permissions to extract sensitive environment variables via campaign preview. Module Options msf use...
Malicious Windows Script Host Script File (.wsf)
This module creates a Windows Script Host (WSH) Windows Script File (.wsf). Module Options msf use exploit/windows/fileformat/windowsscripthostwsf msf exploitwindowsscripthostwsf show targets ...targets... msf exploitwindowsscripthostwsf set TARGET msf exploitwindowsscripthostwsf show options ...show...
Mac OS X Persistent Payload Installer
This module provides a persistent boot payload by creating a launch item, which can be a LaunchAgent or a LaunchDaemon. LaunchAgents run with user level permissions and are triggered upon login by a plist entry in /Library/LaunchAgents. LaunchDaemons run with elevated privileges, and are launche...
Windows Shortcut (LNK) Padding
This module generates a Windows LNK shortcut file that can execute arbitrary commands. The LNK file uses environment variables and executes its arguments from COMMANDLINEARGUMENTS with extra juicy whitespace character padding bytes and concatenates the actual payload. Module Options msf use...
IconEnvironmentDataBlock - Windows LNK File Special UNC Path NTLM Leak
This module creates a malicious Windows shortcut LNK file that specifies a special UNC path in IconEnvironmentDataBlock of Shell Link .LNK that can trigger an authentication attempt to a remote server. This can be used to harvest NTLM authentication credentials. When a victim browses to the locati...
SpecialFolderDatablock - Windows LNK File Special UNC Path NTLM Leak
This module creates a malicious Windows shortcut LNK file that specifies a special UNC path in SpecialFolderDatablock of Shell Link .LNK that can trigger an authentication attempt to a remote server. This can be used to harvest NTLM authentication credentials. When a victim browses to the location...
Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak
This module creates a malicious Windows shortcut LNK file that specifies a special UNC path in EnvironmentVariableDataBlock of Shell Link .LNK that can trigger an authentication attempt to a remote server. This can be used to harvest NTLM authentication credentials. When a victim right-clicks the...
Windows Silent Process Exit Persistence
Windows allows you to set up a debug process when a process exits. This module uploads a payload and declares that it is the debug process to launch when a specified process exits. Module Options msf use exploit/windows/persistence/imageexecoptions msf exploitimageexecoptions show targets...
Service SystemD override.conf Persistence
This module will create an override.conf file for a SystemD service on the box. The ExecStartPost hook is used to launch the payload after the service is started. We need enough access (typically root) to write in the /etc/systemd/system directory and potentially restart services. Verified on Ubunt...
FreePBX ajax.php unauthenticated SQLi to RCE
This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89, and 17.0.3. The vulnerability lies in the /admin/ajax.php endpoint, which is accessible without authentication. Additionally, the database user created by FreePBX can schedule cronjobs,...
Yum Package Manager Persistence
This module will run a payload when the package manager is used. This module modifies a yum plugin to launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/ will show what plugins are currently enabled on the system. Root permissions are likely required. Verified on Centos 7.1...
Cron Persistence
This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. syslog will get a copy of the cron entry. Verified on Ubuntu 22.04.1, MacOS 13.7.4 Module Options msf use...
Commvault Command-Line Argument Injection to Traversal Remote Code Execution
This module exploits an unauthenticated remote code execution exploit chain for Commvault, tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated access to the 'localadmin' account, which then facilitates code execution via expression language injection...
Docker Image Persistence
This module maintains persistence on a host by creating a docker image which runs our payload, and has access to the host's file system /host in the container. Whenever the container restarts, the payload will run, or when the payload dies the executable will run again after a delay. This will...
Service SystemD Persistence
This module will create a service on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services Targets: CentOS 7 Debian = 7, = 15 Ubuntu = 15.04 Verified on Ubuntu 18.04.3 Module Options msf use exploit/linux/persistence/initsystemd msf...
Obsidian Plugin Persistence
This module searches for Obsidian vaults for a user, and uploads a malicious community plugin to the vault. The vaults must be opened with community plugins enabled (NOT restricted mode), but the plugin will be enabled automatically. Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows...
Init OpenRC Persistence
This module will create a service on the box via OpenRC, and mark it for auto-restart. We need enough access to write service files and potentially restart services. Verified against alpine 3.21.2 Module Options msf use exploit/linux/persistence/initopenrc msf exploitinitopenrc show targets...
rc.local Persistence
This module will edit /etc/rc.local in order to persist a payload. The payload will be executed on the next reboot. Verified on Ubuntu 18.04.3 Module Options msf use exploit/linux/persistence/rclocal msf exploitrclocal show targets ...targets... msf exploitrclocal set TARGET msf exploitrclocal sh...
update-motd.d Persistence
This module will add a script in /etc/update-motd.d/ in order to persist a payload. The payload will be executed with root privileges every time a user logs in. Root privileges are likely required to write to /etc/update-motd.d/. Verified on Ubuntu 22.04 Module Options msf use...
at(1) Persistence
This module executes a Metasploit payload utilizing at(1) to execute jobs at a specific time. It should work out of the box with any UNIX-like operating system with atd running. Verified on Kali Linux and OSX 13.7.4 Module Options msf use exploit/multi/persistence/at msf exploitat show targets...
Sitecore XP CVE-2025-34511 Post-Authentication File Upload
This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module also exploits CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold. Module Options msf use exploit/windows/http/sitecorexpcve202534511 msf exploitsitecorexpcve20253451...
Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution
This module exploits CVE-2025-34510, path traversal leading to remote code execution. The module also exploits CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold. Module Options msf use exploit/windows/http/sitecorexpcve202534510 msf exploitsitecorexpcve202534510 sho...
Autostart Desktop Item Persistence
This module will create an autostart .desktop entry to execute a payload. The payload will be executed when the user logs in. Verified on Ubuntu 22.04 desktop with Gnome, and 18.04.3. The following payloads were used in testing: - cmd/unix/reversenetcat - linux/x64/meterpreter/reversetcp -...
APT Package Manager Persistence
This module will run a payload when the APT package manager is used. This module creates a pre-invoke hook for APT in apt.conf.d. Write access to the apt.conf.d directory is required, typically requiring root access. The hook name is randomized if not specified. Verified on Ubuntu 22.04 Module...
Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)
This module exploits an unauthenticated remote command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi Repeater hardware model MT02. The vulnerability lies in the 'time' parameter of the time configuration endpoint, which is passed unsanitized to a shell command executed via the date -s...
Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300)
This module exploits a template injection vulnerability in the Sawtooth Software Lighthouse Studio's ciwweb.pl web application. The application fails to properly sanitize user input within survey templates, allowing unauthenticated attackers to inject and execute arbitrary Perl commands on the...
Sudo Chroot 1.9.17 Privilege Escalation
Sudo before version 1.19.17p1 allows a user to use the chroot option when executing a command. The option is intended to run a command with a user-selected root directory if the sudoers file allows it. A change in version 1.9.14 allows resolving paths via chroot using a user-specified root directory when sudoers i...
Bash Profile Persistence
This module writes an execution trigger to the target's Bash profile. The execution trigger executes a call back payload whenever the target user opens a Bash terminal. Verified on Ubuntu 22.04 and 18.04 desktop with Gnome Module Options msf use exploit/linux/persistence/bashprofile msf...
Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)
This module exploits a template injection vulnerability in the XWiki Platform. XWiki includes a macro called SolrSearch defined in Main.SolrSearchMacros that enables full-text search through the embedded Solr engine. The vulnerability stems from the way this macro evaluates search parameters ...
Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE
This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6. When the "Allow unknown devices" setting is enabled, it is possible to simulate keyboard input via UDP packets without authentication. By sending a sequence of key presses, an attacker can open t...
Pretalx Limited File Write to Remote Code Execution
This module exploits CVE-2023-28458, a limited file write in Pretalx, up to version 2.3.1. The module will use the vulnerability to write a malicious site-specific configuration hook for Python. Once the hook is written, the payload will be executed every time a Pretalx user runs any Python code. Pretalx...
Pretalx Arbitrary File Read/Limited File Write
This module exploits functionality in Pretalx that exports the conference schedule as a zipped file. Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allo...
Netdata ndsudo privilege escalation
ndsudo is a tool shipped with Netdata Agent. Versions v1.45.0 and below contain a vulnerability that allows an attacker to escalate privileges using the ndsudo binary. The vulnerability is an untrusted search path used when searching for additional binary files, such as nvme. An attacker can...
Windows Download Execute
Downloads and executes the file from the specified url. Module Options msf use payload/windows/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run...
Powershell Exec
Execute an x64 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec...
SMB Fetch
Fetch and execute an x64 payload from an SMB server. Module Options msf use payload/cmd/windows/smb/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run Th...
TFTP Fetch
Fetch and execute an x64 payload from a TFTP server. Module Options msf use payload/cmd/windows/tftp/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run...
HTTP Fetch
Fetch and execute an x64 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run...
HTTPS Fetch
Fetch and execute an x64 payload from an HTTPS server. Module Options msf use payload/cmd/windows/https/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec ru...
PivotX Remote Code Execution
This module gains remote code execution in the PivotX management system. PivotX allows an admin user to directly edit files on the webserver, including PHP files. The module exploits this by writing a malicious payload into the index.php file, gaining remote code execution. Module Options msf use...
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and...
Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)
This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a...
Pandora ITSM authenticated command injection leading to RCE via the backup function
Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support and customer service teams, aligned with ITIL processes. This module exploits a command injection vulnerability in the name backup setting at the application setup page of Pandora ITSM. This can be...
ICTBroadcast Unauthenticated Remote Code Execution
This module exploits an unauthenticated remote code execution (RCE) vulnerability in ICTBroadcast. The vulnerability exists in the way session cookies are handled and processed, allowing an attacker to inject arbitrary system commands. Module Options msf use...
Malicious XDG Desktop File
This module creates a malicious XDG Desktop .desktop file. On most modern systems, desktop files are not trusted by default. The user will receive a warning prompt that the file is not trusted when running the file, but may choose to run the file anyway. The default file manager applications in...
LDAP Update Object
This module allows creating, reading, updating and deleting attributes of LDAP objects. Users can specify the object and must specify a corresponding attribute. Module Options msf use auxiliary/admin/ldap/ldapobjectattribute msf auxiliaryldapobjectattribute show actions ...actions... msf...