Rancher Audit Log Sensitive Information Leak
Rancher versions 2.6.0-2.6.13, 2.7.0-2.7.9 and 2.8.0-2.8.1 (inclusive) contain a vulnerability where sensitive data is leaked into the audit logs. Rancher Audit Logging is an opt-in feature; only deployments that have it enabled and have AUDIT_LEVEL set to 1 or above are impacted by this issue...
Shadow Credentials
This module can read and write the necessary LDAP attributes to configure a particular account with a Key Credential Link. This allows weaponising write access to a user account by adding a certificate that can subsequently be used to authenticate. In order for this to succeed, the authenticated...
Gibbon School Platform Authenticated PHP Deserialization Vulnerability
A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint /modules/System%20Admin/importrun.php&type=externalAssessment&step=4. As it...
Jenkins cli Ampersand Replacement Arbitrary File Read
This module utilizes the Jenkins cli protocol to run the help command. The cli is accessible with read-only permissions by default, which are all that is required. Jenkins cli utilizes args4j's parseArgument, which calls expandAtFiles to replace any @ with the contents of a file. We are then able t...
WatchGuard XTM Firebox Unauthenticated Remote Command Execution
This module exploits a buffer overflow at the administration interface 8080 or 4117 of WatchGuard Firebox and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impac...
Unauthenticated RCE in Bricks Builder Theme
This module exploits an unauthenticated remote code execution vulnerability in the Bricks Builder Theme versions use exploit/multi/http/wpbricksbuilderrce msf exploitwpbricksbuilderrce show targets ...targets... msf exploitwpbricksbuilderrce set TARGET msf exploitwpbricksbuilderrce show options...
Sharepoint Dynamic Proxy Generator Unauth RCE
This module exploits two vulnerabilities in Sharepoint 2019: an auth bypass (CVE-2023-29357), which was patched in June of 2023, and CVE-2023-24955, an RCE which was patched in May of 2023. The auth bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the...
Artica Proxy Unauthenticated PHP Deserialization Vulnerability
A Command Injection vulnerability in Artica Proxy appliance version 4.50 and 4.40 allows remote attackers to run arbitrary commands via unauthenticated HTTP request. The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and...
OpenNMS Horizon Authenticated RCE
This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 a...
JetBrains TeamCity Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker...
MinIO Bootstrap Verify Information Disclosure
MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. Verified...
GitLab Password Reset Account Takeover
This module exploits an account-takeover vulnerability that allows users to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality. It is possible to provide 2 emails and the reset code will be sent to both. It is therefore possible to...
GitLab Tags RSS feed email disclosure
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It is possible to read the user email address via tags feed although the visibility in the user profile has been disabled. Module Options msf use...
BoidCMS Command Injection
This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file. Module Options msf use exploit/multi/http/cve202338836boidcms msf...
ConnectWise ScreenConnect Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve RCE by uploading a malicious extension module. All versions of...
QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi
There exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP...
Ivanti Connect Secure Unauthenticated Remote Code Execution
This module chains a server-side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supporte...
Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.
A command injection vulnerability exists in Kafka ui between v0.4.0 and v0.7.1 allowing an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section. Module Options msf use exploit/linux/http/kafkauiunauthrcecve202352251 msf...
Authentication Capture: LDAP
This module mocks an LDAP service to capture authentication information of a client trying to authenticate against an LDAP service Module Options msf use auxiliary/server/capture/ldap msf auxiliaryldap show actions ...actions... msf auxiliaryldap set ACTION msf auxiliaryldap show options ...show...
SMB Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager
Fetch and execute an x64 payload from an SMB server. Custom shellcode stage. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/smb/x64/custom/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...
SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from an SMB server. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/vncinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...
SMB Fetch, Windows x64 IPv6 Bind TCP Stager
Fetch and execute an x64 payload from an SMB server. Listen for an IPv6 connection Windows x64 Module Options msf use payload/cmd/windows/smb/x64/peinject/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...show an...
SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)
Fetch and execute an x64 payload from an SMB server. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/smb/x64/vncinject/reversehttps msf payloadreversehttps show actions ...actions... msf payloadreversehttps set ACTION msf payloadreversehttps show...
SMB Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an SMB server. Spawn a piped command shell Windows x64 staged. Connect back to the attacker Module Options msf use payload/cmd/windows/smb/x64/shell/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf...
SMB Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an SMB server. Spawn a piped command shell Windows x64 staged. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/shell/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid...
SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)
Fetch and execute an x64 payload from an SMB server. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/smb/x64/vncinject/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show options...
SMB Fetch, Windows x64 Pingback, Reverse TCP Inline
Fetch and execute an x64 payload from an SMB server. Connect back to attacker and report UUID Windows x64 Module Options msf use payload/cmd/windows/smb/x64/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION msf...
SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an SMB server. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/vncinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show optio...
SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)
Fetch and execute an x64 payload from an SMB server. Custom shellcode stage. Tunnel communication over HTTPS Windows x64 winhttp Module Options msf use payload/cmd/windows/smb/x64/custom/reversewinhttps msf payloadreversewinhttps show actions ...actions... msf payloadreversewinhttps set ACTION ms...
SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker Module Options msf use payload/cmd/windows/smb/x64/vncinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show and se...
SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker Module Options msf use payload/cmd/windows/smb/x64/peinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options...
SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from an SMB server. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/meterpreter/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...
SMB Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an SMB server. Custom shellcode stage. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/custom/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf...
SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/meterpreter/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...
SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker Module Options msf use payload/cmd/windows/smb/x64/peinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show and set...
SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)
Fetch and execute an x64 payload from an SMB server. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/peinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show option...
SMB Fetch, Windows x64 Reverse HTTP Stager (winhttp)
Fetch and execute an x64 payload from an SMB server. Tunnel communication over HTTP Windows x64 winhttp Module Options msf use payload/cmd/windows/smb/x64/meterpreter/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp...
SMB Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an SMB server. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/smb/x64/custom/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show...
SMB Fetch, Windows x64 Command Shell, Bind TCP Inline
Fetch and execute an x64 payload from an SMB server. Listen for a connection and spawn a command shell Windows x64 Module Options msf use payload/cmd/windows/smb/x64/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show...
SMB Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
Fetch and execute an x64 payload from an SMB server. Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. Module Options msf use payload/cmd/windows/smb/x64/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf...
SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/smb/x64/peinject/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...
SMB Fetch, Windows x64 Reverse TCP Stager
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/smb/x64/peinject/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...
SMB Fetch
Fetch and execute an x64 payload from an SMB server. Module Options msf use payload/cmd/windows/smb/x64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit:...
SMB Fetch, Windows x64 LoadLibrary Path
Fetch and execute an x64 payload from an SMB server. Load an arbitrary x64 library path Module Options msf use payload/cmd/windows/smb/x64/loadlibrary msf payloadloadlibrary show actions ...actions... msf payloadloadlibrary set ACTION msf payloadloadlibrary show options ...show and set options...
SMB Fetch, Windows x64 IPv6 Bind TCP Stager
Fetch and execute an x64 payload from an SMB server. Listen for an IPv6 connection Windows x64 Module Options msf use payload/cmd/windows/smb/x64/meterpreter/bindipv6tcp msf payloadbindipv6tcp show actions ...actions... msf payloadbindipv6tcp set ACTION msf payloadbindipv6tcp show options ...show...
SMB Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager
Fetch and execute an x64 payload from an SMB server. Spawn a piped command shell Windows x64 staged. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/smb/x64/shell/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp...
SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support
Fetch and execute an x64 payload from an SMB server. Listen for an IPv6 connection with UUID Support Windows x64 Module Options msf use payload/cmd/windows/smb/x64/peinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...
SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/smb/x64/meterpreter/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTION msf...
SMB Fetch, Windows x64 Bind Named Pipe Stager
Fetch and execute an x64 payload from an SMB server. Listen for a pipe connection Windows x64 Module Options msf use payload/cmd/windows/smb/x64/vncinject/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf payloadbindnamedpipe show options...
SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x64 payload from an SMB server. Connect back to the attacker Module Options msf use payload/cmd/windows/smb/x64/vncinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options...