
6841 matches found

Metasploit
•added 2024/07/08 7:54 p.m.•301 views

Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read

This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The following versions are affected: MOVEit Transfer 2023.0.x (fixed in 2023.0.11), MOVEit Transfer 2023.1.x (fixed in 2023.1.6), MOVEit Transfer 2024.0.x (fixed in 2024.0.2). The module can...

9.8 CVSS, 9 AI score, 0.75812 EPSS
Exploits: 3
Metasploit
•added 2024/07/03 7:54 p.m.•239 views

Azure CLI Credentials Gatherer

This module will collect the Azure CLI 2.0+ az cli settings files for all users on a given target. These configuration files contain JWT tokens used to authenticate users and other subscription information. Once tokens are stolen from one host, they can be used to impersonate the user from a...

7 AI score
Exploits: 0
Metasploit
•added 2024/07/03 7:54 p.m.•345 views

Zyxel parse_config.py Command Injection

This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details. Note this module was unable to be tested against a real Zyxel device and was tested...

8.8 CVSS, 8.6 AI score, 0.1014 EPSS
Exploits: 2
Metasploit
•added 2024/06/25 7:55 p.m.•447 views

MS-NRPC Domain Users Enumeration

This module will enumerate valid Domain Users via no authentication against MS-NRPC interface. It calls DsrGetDcNameEx2 to check if the domain user account exists or not. It has been tested with Windows servers 2012, 2016, 2019 and 2022. Module Options msf use auxiliary/scanner/dcerpc/nrpcenumuse...

7.2 AI score
Exploits: 0
Metasploit
•added 2024/06/24 7:54 p.m.•231 views

Netis router MW5360 unauthenticated RCE.

Netis router MW5360 has a command injection vulnerability via the password parameter on the login page. The vulnerability stems from improper handling of the "password" parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the...

9.8 CVSS, 8.3 AI score, 0.70779 EPSS
Exploits: 4
Metasploit
•added 2024/06/19 7:54 p.m.•622 views

SolarWinds Serv-U Unauthenticated Arbitrary File Read

This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" version 15.4.2.157 are affected. Module...

8.6 CVSS, 5.9 AI score, 0.99614 EPSS
Exploits: 8
Metasploit
•added 2024/06/17 7:55 p.m.•704 views

PHP CGI Argument Injection Remote Code Execution

This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependent, such as Chinese or Japanese, such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen 0xAD in...

9.8 CVSS, 7.2 AI score, 0.99987 EPSS
Exploits: 64
Metasploit
•added 2024/06/17 7:55 p.m.•447 views

Apache OFBiz forgotPassword/ProgramExport RCE

Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability CVE-2024-32113. The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in turn allows for remote code execution in the context of the user runni...

9.8 CVSS, 8.8 AI score, 0.99442 EPSS
Exploits: 14
Metasploit
•added 2024/06/13 7:55 p.m.•427 views

Telerik Report Server Auth Bypass and Deserialization RCE

This module chains an authentication bypass vulnerability CVE-2024-4358 with a deserialization vulnerability CVE-2024-1800 to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior. The authentication bypass flaw allows an unauthenticated user to create a new use...

9.9 CVSS, 8.9 AI score, 0.97482 EPSS
Exploits: 14
Metasploit
•added 2024/06/13 7:55 p.m.•568 views

Cacti Import Packages RCE

This exploit module leverages an arbitrary file write vulnerability CVE-2024-25641 in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The modu...

9.1 CVSS, 8.2 AI score, 0.86303 EPSS
Exploits: 17
Metasploit
•added 2024/06/13 7:55 p.m.•172 views

Check Point Security Gateway Arbitrary File Read

This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. Password hashes read...

8.6 CVSS, 9.4 AI score, 0.99978 EPSS
Exploits: 52
Metasploit
•added 2024/06/12 7:54 p.m.•154 views

Telerik Report Server Auth Bypass

This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and prior which allows an unauthenticated attacker to create a new account with administrative privileges. The vulnerability leverages the initial setup page which is still accessible once th...

9.8 CVSS, 8.1 AI score, 0.97482 EPSS
Exploits: 14
Metasploit
•added 2024/06/11 7:54 p.m.•549 views

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server-side template injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges of the user account running the HFS.exe server process. This exploit has been tested to work...

9.8 CVSS, 8.2 AI score, 0.99485 EPSS
Exploits: 20
Metasploit
•added 2024/06/11 7:54 p.m.•302 views

VSCode ipynb Remote Development RCE

VSCode, when opening a Jupyter notebook .ipynb file, bypasses the trust model. On versions v1.4.0 - v1.71.1, it's possible for the Jupyter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at...

7.8 CVSS, 8.1 AI score, 0.67469 EPSS
Exploits: 3
Metasploit
•added 2024/06/05 7:55 p.m.•582 views

WordPress Hash Form Plugin RCE

The Hash Form - Drag & Drop Form Builder plugin for WordPress suffers from a critical vulnerability due to missing file type validation in the fileuploadaction function. This vulnerability exists in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload...

9.8 CVSS, 9.2 AI score, 0.50934 EPSS
Exploits: 8
Metasploit
•added 2024/05/31 7:54 p.m.•276 views

OS X x64 Shell Bind TCP

Bind an arbitrary command to an arbitrary port Module Options msf use payload/osx/aarch64/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options ...show and set options... msf payloadshellbindtcp run This module...

7.3 AI score
Exploits: 0
Metasploit
•added 2024/05/31 7:54 p.m.•356 views

OSX aarch64 Shell Reverse TCP

Connect back to attacker and spawn a command shell Module Options msf use payload/osx/aarch64/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show options ...show and set options... msf payloadshellreversetcp r...

7.1 AI score
Exploits: 0
Metasploit
•added 2024/05/31 7:54 p.m.•296 views

OSX aarch64 Execute Command

Execute an arbitrary command Module Options msf use payload/osx/aarch64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Current...

7.2 AI score
Exploits: 0
Metasploit
•added 2024/05/29 7:55 p.m.•218 views

Flowmon Unauthenticated Command Injection

This module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before v12.03.02. Module Options msf use exploit/linux/http/progressflowmonunauthcmdinjection msf exploitprogressflowmonunauthcmdinjection show targets ...targets... msf...

10 CVSS, 9.3 AI score, 0.93901 EPSS
Exploits: 7
Metasploit
•added 2024/05/29 7:55 p.m.•203 views

Progress Flowmon Local sudo privilege escalation

This module abuses a feature of the sudo command on Progress Flowmon. Certain binary files are allowed to automatically elevate with the sudo command. This is based off of the file name. This includes executing a PHP command with a specific file name. If the file is overwritten with PHP code it c...

10 CVSS, 8.4 AI score, 0.93901 EPSS
Exploits: 7
Metasploit
•added 2024/05/27 7:54 p.m.•222 views

Jasmin Ransomware Web Server Unauthenticated Directory Traversal

The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability within the download functionality. As of April 15, 2024 this was still unpatched, so all versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched. Module Options msf us...

6.5 CVSS, 6.8 AI score, 0.04611 EPSS
Exploits: 7
Metasploit
•added 2024/05/27 7:54 p.m.•291 views

Jasmin Ransomware Web Server Unauthenticated SQL Injection

The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability within the login functionality. As of April 15, 2024 this was still unpatched, so all versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched. Retrieving the victim's data m...

6.5 CVSS, 7.7 AI score, 0.04611 EPSS
Exploits: 7
Metasploit
•added 2024/05/21 7:56 p.m.•250 views

NorthStar C2 XSS to Agent RCE

NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is vulnerable to a stored XSS. An unauthenticated user can simulate an agent registration to cause the XSS and take over a user's session. With this access, it is then possible to run a new payload...

8.8 CVSS, 7.2 AI score, 0.78158 EPSS
Exploits: 5
Metasploit
•added 2024/05/21 7:56 p.m.•366 views

AVideo WWBNIndex Plugin Unauthenticated RCE

This module exploits an unauthenticated remote code execution (RCE) vulnerability in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the submitIndex.php file, where user-supplied input is passed directly to the require function without proper sanitization. By exploiting...

9.8 CVSS, 8.5 AI score, 0.15635 EPSS
Exploits: 6
Metasploit
•added 2024/05/21 7:56 p.m.•375 views

Chaos RAT XSS to RCE

CHAOS v5.0.8 is a free and open-source Remote Administration Tool that allows generated binaries to control remote operating systems. The webapp contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The webapp also...

7.4 AI score, 0.80454 EPSS
Exploits: 6
Metasploit
•added 2024/05/18 7:54 p.m.•212 views

CarotDAV Credential Gatherer

This module searches for credentials stored on CarotDAV FTP Client on a Windows host. Module Options msf use post/windows/gather/credentials/carotdavftp msf postcarotdavftp show actions ...actions... msf postcarotdavftp set ACTION msf postcarotdavftp show options ...show and set options... msf...

6.9 AI score
Exploits: 0
Metasploit
•added 2024/05/17 7:54 p.m.•314 views

Halloy IRC Credential Gatherer

This module searches for credentials stored on Halloy IRC Client on a Windows host. Module Options msf use post/windows/gather/credentials/halloyirc msf posthalloyirc show actions ...actions... msf posthalloyirc set ACTION msf posthalloyirc show options ...show and set options... msf posthalloyir...

6.9 AI score
Exploits: 0
Metasploit
•added 2024/05/17 7:54 p.m.•222 views

Adi IRC Credential Gatherer

This module searches for credentials stored on AdiIRC Client on a Windows host. Module Options msf use post/windows/gather/credentials/adiirc msf postadiirc show actions ...actions... msf postadiirc set ACTION msf postadiirc show options ...show and set options... msf postadiirc run This module...

6.9 AI score
Exploits: 0
Metasploit
•added 2024/05/17 7:54 p.m.•227 views

Sylpheed Email Credential Gatherer

This module searches for credentials stored on Sylpheed email client on a Windows host. Module Options msf use post/windows/gather/credentials/sylpheed msf postsylpheed show actions ...actions... msf postsylpheed set ACTION msf postsylpheed show options ...show and set options... msf postsylpheed...

6.9 AI score
Exploits: 0
Metasploit
•added 2024/05/17 7:54 p.m.•174 views

Quassel IRC Credential Gatherer

This module searches for credentials stored on Quassel IRC Client on a Windows host. Module Options msf use post/windows/gather/credentials/quasselirc msf postquasselirc show actions ...actions... msf postquasselirc set ACTION msf postquasselirc show options ...show and set options... msf...

6.9 AI score
Exploits: 0
Metasploit
•added 2024/05/14 7:53 p.m.•193 views

Windows Registry Security Descriptor Utility

Read or write a Windows registry security descriptor remotely. In READ mode, the FILE option can be set to specify where the security descriptor should be written to. The following format is used: key: securityinfo: sd: In WRITE mode, the FILE option can be used to specify the information needed ...

7.1 AI score
Exploits: 0
Metasploit
•added 2024/05/10 7:56 p.m.•198 views

Kemp LoadMaster Local sudo privilege escalation

This module abuses a feature of the sudo command on Progress Kemp LoadMaster. Certain binary files are allowed to automatically elevate with the sudo command. This is based on the file name. Some files that have this permission are not write-protected from the default 'bal' user. As such, if the...

10 CVSS, 9.2 AI score, 0.95388 EPSS
Exploits: 9
Metasploit
•added 2024/05/07 7:55 p.m.•312 views

CrushFTP Unauthenticated Arbitrary File Read

This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP use auxiliary/gather/crushftpfilereadcve20244040 msf auxiliarycrushftpfilereadcve20244040 show actions ...actions... msf auxiliarycrushftpfilereadcve20244040 set ACTION msf...

10 CVSS, 8.7 AI score, 0.99539 EPSS
Exploits: 22
Metasploit
•added 2024/05/06 7:56 p.m.•209 views

Docker Privileged Container Kernel Escape

This module performs a container escape onto the host as the daemon user. It takes advantage of the SYS_MODULE capability. If that exists and the Linux headers are available to compile on the target, then we can escape onto the host. Module Options msf use...

7 AI score
Exploits: 0
Metasploit
•added 2024/05/03 7:55 p.m.•281 views

CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read

This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request an authentication token in the form of a UUID from the /CFIDE/adminapi/servermanager/servermanager.c...

7.4 CVSS, 7.5 AI score, 0.98514 EPSS
Exploits: 7
Metasploit
•added 2024/05/03 7:55 p.m.•257 views

MSSQL Version Utility

Executes a TDS7 pre-login request against the MSSQL instance to query for version information. Module Options msf use auxiliary/scanner/mssql/mssqlversion msf auxiliarymssqlversion show actions ...actions... msf auxiliarymssqlversion set ACTION msf auxiliarymssqlversion show options ...show and s...

7 AI score
Exploits: 0
Metasploit
•added 2024/04/27 7:54 p.m.•253 views

Kemp LoadMaster Unauthenticated Command Injection

This module exploits an unauthenticated command injection vulnerability in Progress Kemp LoadMaster in the authorization header after version 7.2.48.1. The following versions are patched: 7.2.59.2 GA, 7.2.54.8 LTSF and 7.2.48.10 LTS. Module Options msf use...

10 CVSS, 8.7 AI score, 0.95388 EPSS
Exploits: 9
Metasploit
•added 2024/04/24 7:49 p.m.•228 views

Gitlab Version Scanner

This module scans a Gitlab install for information about its version. Module Options msf use auxiliary/scanner/http/gitlabversion msf auxiliarygitlabversion show actions ...actions... msf auxiliarygitlabversion set ACTION msf auxiliarygitlabversion show options ...show and set options... msf...

5.4 AI score
Exploits: 0
Metasploit
•added 2024/04/23 7:51 p.m.•753 views

Apache Solr Backup/Restore APIs RCE

Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1 is affected by an Unrestricted Upload of File with Dangerous Type vulnerability which can result in remote code execution in the context of the user running Apache Solr. When Apache Solr creates a Collection, it will use a specific...

8.8 CVSS, 8 AI score, 0.8384 EPSS
Exploits: 4
Metasploit
•added 2024/04/19 7:51 p.m.•303 views

FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE

An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server). FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized platform for overseeing enrolled endpoints. The SQLi vulnerability is due to user controller...

9.8 CVSS, 9.9 AI score, 0.97591 EPSS
Exploits: 4
Metasploit
•added 2024/04/19 7:51 p.m.•225 views

GitLens Git Local Configuration Exec

GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code. Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10 Module Options msf use...

7.8 CVSS, 7.8 AI score, 0.01239 EPSS
Exploits: 4
Metasploit
•added 2024/04/19 7:51 p.m.•180 views

Code Reviewer

Reviews code Module Options msf use exploit/multi/fileformat/visualstudiovsixexec msf exploitvisualstudiovsixexec show targets ...targets... msf exploitvisualstudiovsixexec set TARGET msf exploitvisualstudiovsixexec show options ...show and set options... msf exploitvisualstudiovsixexec exploit...

7.1 AI score
Exploits: 0
Metasploit
•added 2024/04/19 7:51 p.m.•616 views

Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability

A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request. The identified vulnerability within Gambio pertains to an insecure deserialization flaw, which ultimately allows an...

9.8 CVSS, 9.8 AI score, 0.47829 EPSS
Exploits: 4
Metasploit
•added 2024/04/19 7:51 p.m.•670 views

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on...

10 CVSS, 8.1 AI score, 0.99999 EPSS
Exploits: 43
Metasploit
•added 2024/04/19 7:51 p.m.•450 views

Rancher Authenticated API Credential Exposure

An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token used to provision clusters, were stored in plaintext directly on Kubernetes objects like Clusters, for example...

9.9 CVSS, 8.1 AI score, 0.0293 EPSS
Exploits: 3
Metasploit
•added 2024/04/17 7:51 p.m.•523 views

pgAdmin Session Deserialization RCE

pgAdmin versions use exploit/multi/http/pgadminsessiondeserialization msf exploit...

9.9 CVSS, 9.4 AI score, 0.79326 EPSS
Exploits: 4
Metasploit
•added 2024/04/12 7:55 p.m.•640 views

CrushFTP Unauthenticated RCE

This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability CVE-2023-43177 to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by...

9.8 CVSS, 9.8 AI score, 0.81801 EPSS
Exploits: 7
Metasploit
•added 2024/04/12 7:55 p.m.•403 views

MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever

MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password field mms.saml.ssl.PEMKeyFilePassword within app settings. Archives do not include the PEM files themselves. This module extracts that unredacted password and stores the diagnostic archive for additional manual...

5.3 CVSS, 6.8 AI score, 0.00891 EPSS
Exploits: 2
Metasploit
•added 2024/04/10 7:54 p.m.•252 views

Rancher Audit Log Sensitive Information Leak

Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive contain a vulnerability where sensitive data is leaked into the audit logs. Rancher Audit Logging is an opt-in feature, only deployments that have it enabled and have AUDITLEVEL set to 1 or above are impacted by this issue...

8.4 CVSS, 6.5 AI score, 0.01882 EPSS
Exploits: 1
Metasploit
•added 2024/04/09 7:49 p.m.•184 views

Shadow Credentials

This module can read and write the necessary LDAP attributes to configure a particular account with a Key Credential Link. This allows weaponising write access to a user account by adding a certificate that can subsequently be used to authenticate. In order for this to succeed, the authenticated...

5.5 AI score
Exploits: 0

Total number of security vulnerabilities: 6841