Craft CMS Twig Template Injection RCE via FTP Templates Path
This module exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument. The vulnerability allows arbitrary template loading via FTP, leading to Remote Code Execution (RCE). Module Options msf use exploit/linux/http/craftcmsftptemplate msf...
LibreNMS Authenticated RCE (CVE-2024-51092)
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Combined, these two defects allow injecting arbitrary OS commands into shell_exec calls, thus achieving arbitrary code execution. Module Options...
Cleo LexiCom, VLTrader, and Harmony Unauthenticated Remote Code Execution
This module exploits an unauthenticated file write vulnerability in Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below. Module Options msf use exploit/multi/http/cleorcecve202455956 msf exploitcleorcecve202455956 show targets ...targets... msf exploitcleorcecve202455956 set TARGET ms...
Acronis Cyber Protect/Backup remote code execution
Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for compute, storage and application resources. Businesses and service providers use it to protect and back up all IT assets in their environment. The Acronis Cyber Protect appliance, in its default...
Ubuntu needrestart Privilege Escalation
Local attackers can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1. Exploitation was attempted against Debian 12, but it failed...
Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password
Pandora FMS is a monitoring solution that provides full observability for your organization's technology. This module exploits a command injection vulnerability in the LDAP authentication mechanism of Pandora FMS. You need to have admin access to the Pandora FMS web application in order to execute...
Netis Router Exploit Chain Reactor (CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457).
Several Netis routers, including rebranded routers from GLCtec and Stonet, suffer from a command injection vulnerability at the change admin password page of the router web interface (see CVE-2024-48456 for more details). The vulnerability stems from improper handling of the 'password' and 'new...
Selenium geckodriver RCE
Selenium Server Grid use exploit/linux/http/seleniumgreedfirefoxrcecve202228108 msf exploitseleniumgreedfirefoxrcecve202228108 show targets ...targets... msf exploitseleniumgreedfirefoxrcecve202228108 set TARGET msf exploitseleniumgreedfirefoxrcecve202228108 show options ...show and set options...
Selenium arbitrary file read
If there is an open Selenium web driver, a remote attacker can send requests to the victim's browser. In certain cases this can be used to access the remote file system. Module Options msf use auxiliary/gather/seleniumfileread msf auxiliaryseleniumfileread show actions ...actions... msf...
Selenium chrome RCE
Selenium Server Grid before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. Module Options msf use exploit/linux/http/seleniumgreedchromercecve202228108 msf exploitseleniumgreedchromercecve20222810...
OneDev Unauthenticated Arbitrary File Read
This module exploits an unauthenticated arbitrary file read vulnerability CVE-2024-45309, which affects OneDev versions use auxiliary/gather/onedevarbitraryfileread msf auxiliaryonedevarbitraryfileread show actions ...actions... msf auxiliaryonedevarbitraryfileread set ACTION msf...
Obsidian Plugin Persistence
This module searches for Obsidian vaults for a user, and uploads a malicious community plugin to the vault. The vaults must be opened with community plugins enabled (NOT restricted mode), but the plugin will be enabled automatically. Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows...
Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can execute arbitrary code with root privileges. The following versions are affected: PAN-OS 11.2 up to...
NTP Timeroast
Windows authenticates NTP requests by calculating the message digest using the NT hash followed by the first 48 bytes of the NTP message (all fields preceding the key ID). An attacker can abuse this to recover hashes that can be cracked offline for machine and trust accounts. The attacker must know...
GameOver(lay) Privilege Escalation and Container Escape
This module exploits the use of unsafe functions in a number of Ubuntu kernels utilizing vulnerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent changes to the kernel by the Ubuntu development team...
Clinic's Patient Management System 1.0 - Unauthenticated RCE
This module exploits an unauthenticated file upload vulnerability in Clinic's Patient Management System 1.0. An attacker can upload a PHP web shell and execute it by leveraging directory listing enabled on the /pms/userimages directory. Module Options msf use...
WSO2 API Manager Documentation File Upload Remote Code Execution
A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions (/permission/admin/login and /permission/admin/manage/api/publish) to upload arbitrary files to a user-controlled server location. This flaw could be exploited to execute remote code, enabling an...
WordPress WP Time Capsule Arbitrary File Upload to RCE
This module exploits an arbitrary file upload vulnerability in the WordPress WP Time Capsule plugin versions use exploit/multi/http/wptimecapsulefileuploadrce msf exploitwptimecapsulefileuploadrce show targets ...targets... msf exploitwptimecapsulefileuploadrce set TARGET msf...
WordPress Plugin Perfect Survey 1.5.1 SQLi (Unauthenticated)
This module exploits a SQL injection vulnerability in the Perfect Survey plugin for WordPress version 1.5.1. An unauthenticated attacker can exploit the SQLi to retrieve sensitive information such as usernames, emails, and password hashes from the wp_users table. Module Options msf use...
SAMR Account Management
Add, look up and delete user / machine accounts via MS-SAMR. By default, standard Active Directory users can add up to 10 new computers to the domain (MachineAccountQuota). Administrative privileges, however, are required to delete the created accounts, or to create/delete user accounts. Module Options...
SMB Password Change
Change the password of an account using SMB. This provides several different APIs, each of which has its respective benefits and drawbacks. Module Options msf use auxiliary/admin/smb/changepassword msf auxiliarychangepassword show actions ...actions... msf auxiliarychangepassword set ACTION ms...
Primefaces Remote Code Execution Exploit
This module exploits a Java Expression Language remote code execution flaw in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt. Tested against Docker...
WordPress Really Simple SSL Plugin Authentication Bypass to RCE
This module exploits an authentication bypass vulnerability in the WordPress Really Simple SSL plugin versions 9.0.0 to 9.1.1.1. The vulnerability allows bypassing two-factor authentication (2FA) and uploading a plugin to achieve remote code execution (RCE). Note: For the system to be vulnerable, 2FA...
Change Password
This module allows Active Directory users to change their own passwords, or reset passwords for accounts they have privileges over. Module Options msf use auxiliary/admin/ldap/changepassword msf auxiliarychangepassword show actions ...actions... msf auxiliarychangepassword set ACTION msf...
Moodle Remote Code Execution (CVE-2024-43425)
This module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. Affected versions include 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions. Module Options msf use exploit/linux/http/moodlerce msf...
CyberPanel Multi CVE Pre-auth RCE
This module exploits three separate unauthenticated Remote Code Execution vulnerabilities in CyberPanel: - CVE-2024-51567: Command injection vulnerability in the "upgrademysqlstatus" endpoint. - CVE-2024-51568: Command Injection via the "completePath" parameter in the "outputExecutioner" sink. -...
vCenter Sudo Privilege Escalation
VMware vCenter Server use exploit/linux/local/vcentersudolpe msf exploitvcentersudolpe show targets ...targets... msf exploitvcentersudolpe set TARGET msf exploitvcentersudolpe show options ...show and set options... msf exploitvcentersudolpe exploit This module requires Metasploit:...
Windows Access Mode Mismatch LPE in ks.sys
The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default. There exists an LPE in this driver which can be exploited on many recent versions of Windows 10, Windows 11, and Windows Server 2022. Module Options msf use...
Chamilo v1.11.24 Unrestricted File Upload PHP Webshell
Chamilo LMS is a free software e-learning and content management system. In versions prior to use exploit/linux/http/chamilobiguploadwebshell msf exploitchamilobiguploadwebshell show targets ...targets... msf exploitchamilobiguploadwebshell set TARGET msf exploitchamilobiguploadwebshell show...
Ivanti Connect Secure Authenticated Remote Code Execution via OpenSSL CRLF Injection
This module exploits a CRLF injection vulnerability in Ivanti Connect Secure to achieve remote code execution (CVE-2024-37404). Versions prior to 22.7R2.1 are vulnerable. Note that Ivanti Policy Secure versions prior to 22.7R1.1 are also vulnerable, but this module doesn't support this software. Val...
Fortinet FortiManager Unauthenticated RCE
This module exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. The vulnerable FortiManager versions are: 7.6.0; 7.4.0 through 7.4.4; 7.2.0 through 7.2.7; 7.0.0 through 7.0.12; 6.4.0 through 6.4.14...
X11 Keylogger
This module binds to an open X11 host to log keystrokes. This is a fairly close copy of the old xspy C program which has been on Kali for a long time. The module works by connecting to the X11 session, creating a background window, binding a keyboard to it and creating a notification alert when a...
Asterisk AMI Originate Authenticated RCE
On Asterisk prior to versions 18.24.2, 20.9.2, and 21.4.2, and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with 'write=originate' may change all configuration files in the '/etc/asterisk/' directory. A new extension can be created which performs a system command to...
WordPress POST SMTP Account Takeover
The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege escalation where an unauthenticated user is able to reset the password of an arbitrary user. This is done by requesting a password reset, then viewing the latest email logs to find the associated password reset email. Module...
Acronis Cyber Protect/Backup machine info disclosure
Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for compute, storage and application resources. Businesses and service providers use it to protect and back up all IT assets in their environment. This module exploits an authentication bypass vulnerability at...
CUPS IPP Attributes LAN Remote Code Execution
This module exploits vulnerabilities in OpenPrinting CUPS, which is running by default on most Linux distributions. The vulnerabilities allow an attacker on the LAN to advertise a malicious printer that triggers remote code execution when a victim sends a print job to the malicious printer...
Ivanti EPM Agent Portal Command Execution
This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 SU4 and EPM 2022 SU2. Module...
ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution
This module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605. The vulnerability allows an unauthenticated attacker to obtain remote code execution by enabling user registration, disabling the whitelist of allowed file extensions, and uploading a malicio...
Judge0 sandbox escape
Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. Module Options msf use exploit/linux/http/judge0sandboxescapecve202428189 msf...
Strapi CMS Unauthenticated Password Reset
This module abuses the mishandling of a password reset request for Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user. Successfully tested against Strapi CMS version 3.0.0-beta.17.4. Module Options msf use auxiliary/scanner/http/strapi3passwordreset msf...
Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)
CVE-2024-28397 is a sandbox escape in js2py use exploit/linux/http/pyloadjs2pycve202439205 msf exploitpyloadjs2pycve202439205 show targets ...targets... msf exploitpyloadjs2pycve202439205 set TARGET msf exploitpyloadjs2pycve202439205 show options ...show and set options... msf...
JetBrains TeamCity Login Scanner
This module performs login attempts against a JetBrains TeamCity web page to brute-force possible credentials. Module Options msf use auxiliary/scanner/teamcity/teamcitylogin msf auxiliaryteamcitylogin show actions ...actions... msf auxiliaryteamcitylogin set ACTION msf auxiliaryteamcitylogin show...
Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)
Obtain remote code execution in Palo Alto Expedition version 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows resetting the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands will ge...
ESC8 Relay: SMB to HTTP(S)
This module creates an SMB server and then relays the credentials passed to it to an HTTP server to gain an authenticated connection. Once that connection is established, the module makes an authenticated request for a certificate based on a given template. Module Options msf use...
Linux Reboot
A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/linux/riscv64le/reboot msf payloadreboot show actions ...actions... msf payloadreboot set ACTION msf...
Python Execute Command
Execute an arbitrary OS command. Compatible with Python 2.7 and 3.4+. Module Options msf use payload/python/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run module MetasploitModule CachedSize =...
Linux Reboot
A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAP_SYS_BOOT privileges. Module Options msf use payload/linux/riscv32le/reboot msf payloadreboot show actions ...actions... msf payloadreboot set ACTION msf...
Linux Execute Command
Execute an arbitrary command. Module Options msf use payload/linux/riscv32le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Curre...
Linux Execute Command
Execute an arbitrary command. Module Options msf use payload/linux/riscv64le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Curre...