Puppet Config Gather
This module will grab Puppet config files, credentials, host information, and file buckets. Module Options msf use post/linux/gather/puppet msf postpuppet show actions ...actions... msf postpuppet set ACTION msf postpuppet show options ...show and set options... msf postpuppet run This module...
Mirth Connect Deserialization RCE
A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the target application. The original vulnerability was identified by IHTeam and...
Atlassian Confluence SSTI Injection
This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable. Module Options msf use...
GL.iNet Unauthenticated Remote Command Execution via the logread module.
A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the glsystemlog and glcrashlog interface in the logread module. This exploit requires post-authentication using the Admin-Token...
Memory Search
This module allows for searching the memory space of running processes for potentially sensitive data such as passwords. Module Options msf use post/multi/gather/memorysearch msf postmemorysearch show actions ...actions... msf postmemorysearch set ACTION msf postmemorysearch show options ...show...
Saltstack Minion Payload Deployer
This exploit module uses saltstack salt to deploy a payload and run it on all targets which have been selected (default all). Currently only works against *nix targets. Module Options msf use exploit/linux/local/saltstacksaltminiondeployer msf exploitsaltstacksaltminiondeployer show targets...
PRTG CVE-2023-32781 Authenticated RCE
Authenticated RCE in Paessler PRTG Module Options msf use exploit/windows/http/prtgauthenticatedrcecve202332781 msf exploitprtgauthenticatedrcecve202332781 show targets ...targets... msf exploitprtgauthenticatedrcecve202332781 set TARGET msf exploitprtgauthenticatedrcecve202332781 show options...
Ivanti Connect Secure Unauthenticated Remote Code Execution
This module chains an authentication bypass vulnerability CVE-2023-46805 and a command injection vulnerability CVE-2024-21887 to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions...
MajorDoMo Command Injection
This module exploits a command injection vulnerability in MajorDoMo versions before 0662e5e. Module Options msf use exploit/linux/http/majordomocmdinjectcve202350917 msf exploitmajordomocmdinjectcve202350917 show targets ...targets... msf exploitmajordomocmdinjectcve202350917 set TARGET msf...
Apache Commons Text RCE
This exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the "script", "dns" and "url" lookup keys...
Ansible Playbook Error Message File Reader
This module will read the first line of a file based on an error message from ansible-playbook with sudo privileges. ansible-playbook takes a yaml file as input, and if there is an error, such as a non-yaml file, it outputs the line where the error occurs. This can be exploited to read the first...
Ansible Config Gather
This module will grab ansible information including hosts, ping status, and the configuration file. Module Options msf use post/linux/gather/ansible msf postansible show actions ...actions... msf postansible set ACTION msf postansible show options ...show and set options... msf postansible run Th...
WordPress Backup Migration Plugin PHP Filter Chain RCE
This module exploits an unauth RCE in the WordPress plugin: Backup Migration use exploit/multi/http/wpbackupmigrationphpfilter msf exploitwpbackupmigrationphpfilter show targets ...targets... msf exploitwpbackupmigrationphpfilter set TARGET msf exploitwpbackupmigrationphpfilter show options ...sh...
Ansible Agent Payload Deployer
This exploit module creates an ansible module for deployment to nodes in the network. It creates a new yaml playbook which copies our payload, chmods it, then runs it on all targets which have been selected (default all). Module Options msf use exploit/linux/local/ansiblenodedeployer msf...
Windows Gather Mikrotik Winbox "Keep Password" Credentials Extractor
This module extracts Mikrotik Winbox credentials saved in the "settings.cfg.viw" file when the "Keep Password" option is selected in Winbox. Module Options msf use post/windows/gather/credentials/winboxsettings msf postwinboxsettings show actions ...actions... msf postwinboxsettings set ACTION ms...
Themebleed - Windows 11 Themes Arbitrary Code Execution CVE-2023-38146
When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKMEVERSION is 999, it then attempts to load an accompanying dll file ending in vrf.dll. Before loading that file, it verifies that the file is signed. It does...
Splunk __raw Server Info Disclosure
Splunk 6.2.3 through 7.0.1 allows information disclosure by appending /raw/services/server/info/server-info?outputmode=json to a query. Versions 6.6.0 through 7.0.1 require authentication. Module Options msf use auxiliary/gather/splunkrawserverinfo msf auxiliarysplunkrawserverinfo show actions...
Craft CMS unauthenticated Remote Code Execution (RCE)
This module exploits Remote Code Execution vulnerability CVE-2023-41892 in Craft CMS which is a popular content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are affected by this vulnerability allowing attackers to execute arbitrary code remotely, potentially compromising the...
Vinchin Backup and Recovery Command Injection
This module exploits a command injection vulnerability in Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the checkIpExists API endpoint, an attacker can execute arbitrary commands as the web server user. Module Options msf use...
Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)
A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue allows a local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user...
Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator. This module...
Splunk Authenticated XSLT Upload RCE
This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise. The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requir...
Find Users Without Pre-Auth Required (ASREP-roast)
This module searches for AD users without pre-auth required. Two different approaches are provided: - Brute force of usernames does not require a user account; should not lock out accounts - LDAP lookup requires an AD user account Module Options msf use auxiliary/gather/asrep msf auxiliaryasrep...
Kerberos Ticket Management
Manage kerberos tickets on a compromised host. Module Options msf use post/windows/manage/kerberostickets msf postkerberostickets show actions ...actions... msf postkerberostickets set ACTION msf postkerberostickets show options ...show and set options... msf postkerberostickets run This module...
Docker cgroups Container Escape
This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, it's possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's...
ownCloud Phpinfo Reader
Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app graph installed contain a test file which prints phpinfo to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter. Docker m...
WordPress Royal Elementor Addons RCE
Exploit for the unauthenticated file upload vulnerability in WordPress Royal Elementor Addons and Templates plugin use exploit/multi/http/wproyalelementoraddonsrce msf exploitwproyalelementoraddonsrce show targets ...targets... msf exploitwproyalelementoraddonsrce set TARGET msf...
ZoneMinder Snapshots Command Injection
This module exploits an unauthenticated command injection in zoneminder that can be exploited by appending a command to the "create monitor ids"-action of the snapshot view. Affected versions: use exploit/unix/webapp/zonemindersnapshots msf exploitzonemindersnapshots show targets ...targets... ms...
Windows Gather PL/SQL Developer Connection Credentials
This module can decrypt the histories and connection credentials of PL/SQL Developer, and passwords are available if the user chooses to remember. Module Options msf use post/windows/gather/credentials/plsqldeveloper msf postplsqldeveloper show actions ...actions... msf postplsqldeveloper set...
Apache NiFi Credentials Gather
This module will grab Apache NiFi credentials from various files on Linux. Module Options msf use post/linux/gather/apachenificredentials msf postapachenificredentials show actions ...actions... msf postapachenificredentials set ACTION msf postapachenificredentials show options ...show and set...
Cisco IOX XE Unauthenticated RCE Chain
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2,...
Cisco IOX XE unauthenticated Command Line Interface (CLI) execution
This module leverages CVE-2023-20198 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary CLI commands with privilege level 15. You must specify the IOS command mode to execute a CLI command in. Valid modes are user, privileged, and...
Cisco IOX XE unauthenticated OS command execution
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges. This module leverages CVE-2023-20198 to create a new admin user, then authenticating...
Apache ActiveMQ Unauthenticated Remote Code Execution
This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16. Module Options msf use...
MagnusBilling application unauthenticated Remote Command Execution.
A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request. A piece of demonstration code is present in lib/icepay/icepay.php, with a call to an exec. The parameter to exec includes the GET paramete...
AjaxPro Deserialization Remote Code Execution
This module leverages an insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website which utilized AjaxPro. To achieve code execution, the module will construct some JSON data which will be sent to the target. This data will be...
F5 BIG-IP TMUI Directory Traversal and File Upload RCE
This module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface TMUI to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell TMSH. The escape may not be reliable, and you may have ...
F5 BIG-IP TMUI AJP Smuggling RCE
This module exploits a flaw in F5's BIG-IP Traffic Management User Interface TMUI that enables an external, unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to execute a command payload. Both the exploit and check methods...
Citrix ADC (NetScaler) Bleed Scanner
This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found. Module Options msf use auxiliary/scanner/http/citrixbleedcve20234966 msf...
Splunk "edit_user" Capability Privilege Escalation
A low-privileged user who holds a role that has the "edit_user" capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.con...
Add a new user to the system
This command adds a new user to the system Module Options msf use post/linux/manage/adduser msf postadduser show actions ...actions... msf postadduser set ACTION msf postadduser show options ...show and set options... msf postadduser run This module requires Metasploit:...
VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure
VMWare Aria Operations for Networks vRealize Network Insight versions 6.0.0 through 6.10.0 do not randomize the SSH keys on virtual machine initialization. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "support" root user. Module Options msf...
Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control
This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass. A specially crafted request can create a new admin account without authentication on the target Atlassian server. Module Options msf use...
Atlassian Confluence Unauthenticated Remote Code Execution
This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java objects to be modified at run time. The exploit will create a new administrator...
Apache Superset Signed Cookie RCE
Apache Superset versions use exploit/linux/http/apachesupersetcookiesigrce msf exploitapachesupersetcookiesigrce show targets ...targets... msf exploitapachesupersetcookiesigrce set TARGET msf exploitapachesupersetcookiesigrce show options ...show and set options... msf...
PyTorch Model Server Registration and Deserialization RCE
The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management interface is bound to all IP addresses and not just the loop back interface as the...
Kibana Upgrade Assistant Telemetry Collector Prototype Pollution
Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code. Code execution is possible through two different ways. Either by sending data directly to Elastic, or using...
Progress Software WS_FTP Unauthenticated Remote Code Execution
This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server prior to 2020.0.4 version 8.7.4 and 2022.0.2 version 8.8.2 are vulnerable to this...
LDAP Login Scanner
This module attempts to login to the LDAP service. Module Options msf use auxiliary/scanner/ldap/ldaplogin msf auxiliaryldaplogin show actions ...actions... msf auxiliaryldaplogin set ACTION msf auxiliaryldaplogin show options ...show and set options... msf auxiliaryldaplogin run This module...
Junos OS PHPRC Environment Variable Manipulation RCE
This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The...