
6843 matches found

Metasploit
•added 2023/09/28 7:51 p.m.•1129 views

JetBrains TeamCity Unauthenticated Remote Code Execution

This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource...

CVSS 9.8, AI score 8.4, EPSS 0.99979
Exploits: 17
Metasploit
•added 2023/09/27 7:53 p.m.•485 views

Microsoft Error Reporting Local Privilege Elevation Vulnerability

This module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as...

CVSS 7.8, AI score 8.2, EPSS 0.32309
Exploits: 5
Metasploit
•added 2023/09/21 7:50 p.m.•298 views

TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability.

Multiple TOTOLINK network products contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter. After exploitation, an attacker will have full access with the same user privileges under...

CVSS 9.8, AI score 9.7, EPSS 0.25889
Exploits: 4
Metasploit
•added 2023/09/19 7:51 p.m.•504 views

Unix Command Shell, Reverse TCP (via socat)

Creates an interactive shell via socat Module Options msf use payload/cmd/unix/reversesocattcp msf payloadreversesocattcp show actions ...actions... msf payloadreversesocattcp set ACTION msf payloadreversesocattcp show options ...show and set options... msf payloadreversesocattcp run This module...

AI score 7.1
Exploits: 0
Metasploit
•added 2023/09/19 7:50 p.m.•507 views

Lexmark Device Embedded Web Server RCE

An unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If...

CVSS 9.8, AI score 8.9, EPSS 0.37835
Exploits: 4
Metasploit
•added 2023/09/19 7:50 p.m.•550 views

Apache Airflow 1.10.10 - Example DAG Remote Code Execution

This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "exampletriggertargetdag", which allo...

CVSS 9.8, AI score 9, EPSS 0.997
Exploits: 10
Metasploit
•added 2023/09/18 7:52 p.m.•237 views

Ivanti Avalanche MDM Buffer Overflow

This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with NT AUTHORITY\SYSTEM permissions. This vulnerability occurs...

CVSS 9.8, AI score 9.3, EPSS 0.98919
Exploits: 7
Metasploit
•added 2023/09/17 10:5 p.m.•243 views

Windows Gather Virtual Environment Detection

This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU, and Parallels. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 7.2
Exploits: 0
Metasploit
•added 2023/09/14 7:51 p.m.•262 views

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability

A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. The clfs.sys driver contains a function CreateLogFile that is used to create, open and edit '.blf' base log format...

CVSS 7.8, AI score 8, EPSS 0.48973
Exploits: 10
Metasploit
•added 2023/09/13 7:51 p.m.•305 views

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)

This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user. Module Options msf use exploit/linux/http/ivantisentrymisclogservice msf exploitivantisentrymisclogservice show targets ...targets... msf...

CVSS 9.8, AI score 9.3, EPSS 0.99949
Exploits: 6
Metasploit
•added 2023/09/13 7:51 p.m.•329 views

Apache Superset Signed Cookie Priv Esc

Apache Superset versions use auxiliary/gather/apachesupersetcookiesigprivesc msf auxiliaryapachesupersetcookiesigprivesc show actions ...actions... msf auxiliaryapachesupersetcookiesigprivesc set ACTION msf auxiliaryapachesupersetcookiesigprivesc show options ...show and set options... msf...

CVSS 9.8, AI score 8.4, EPSS 0.97405
Exploits: 20
Metasploit
•added 2023/09/13 7:51 p.m.•512 views

Python Flask Cookie Signer

This is a generic module which can manipulate Python Flask-based application cookies. The Retrieve action will connect to a web server, grab the cookie, and decode it. The Resign action will do the same as above, but after decoding it, it will replace the contents with that in NEWCOOKIECONTENT,...

AI score 6.9
Exploits: 0
Metasploit
•added 2023/09/09 7:51 p.m.•384 views

VMware vRealize Log Insight Unauthenticated RCE

VMware vRealize Log Insights versions v8.x contain multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the...

AI score 8.9
Exploits: 0
Metasploit
•added 2023/09/08 7:52 p.m.•297 views

WinRAR CVE-2023-38831 Exploit

This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution. Module Options msf use exploit/windows/fileformat/winrarcve202338831 msf exploitwinrarcve202338831 show targets...

CVSS 7.8, AI score 7, EPSS 0.97798
Exploits: 49
Metasploit
•added 2023/09/08 7:52 p.m.•298 views

LG Simple Editor Remote Code Execution

This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious...

CVSS 9.8, AI score 8.6, EPSS 0.82964
Exploits: 3
Metasploit
•added 2023/09/08 7:52 p.m.•494 views

Sonicwall

This module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions use exploit/multi/http/sonicwallshellinjectioncve202334124 msf exploitsonicwallshellinjectioncve202334124 show targets...

CVSS 9.8, AI score 9.4, EPSS 0.77027
Exploits: 2
Metasploit
•added 2023/09/08 7:52 p.m.•353 views

OpenTSDB 2.4.1 unauthenticated command injection

This module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If...

CVSS 9.8, AI score 8.8, EPSS 0.35604
Exploits: 4
Metasploit
•added 2023/09/08 7:52 p.m.•834 views

Kibana Timelion Prototype Pollution RCE

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execution with permissions of the...

CVSS 10, AI score 8.6, EPSS 0.95338
Exploits: 12
Metasploit
•added 2023/09/08 7:52 p.m.•1797 views

Prometheus Node Exporter And Windows Exporter Information Gather

This module connects to a Prometheus Node Exporter or Windows Exporter service and gathers information about the host. Tested against Docker image 1.6.1, Linux 1.6.1, and Windows 0.23.1 Module Options msf use auxiliary/gather/prometheusnodeexportergather msf auxiliaryprometheusnodeexportergather...

AI score 6.8
Exploits: 0
Metasploit
•added 2023/09/08 7:52 p.m.•475 views

Prometheus API Information Gather

This module utilizes Prometheus' API calls to gather information about the server's configuration, and targets. Fields which may contain credentials, or credential file names are then pulled out and printed. Targets may have a wealth of information, this module will print the following values whe...

AI score 6.8
Exploits: 0
Metasploit
•added 2023/09/07 7:51 p.m.•472 views

Elasticsearch Memory Disclosure

This module exploits a memory disclosure vulnerability in Elasticsearch 7.10.0 to 7.13.3 inclusive. A user with the ability to submit arbitrary queries to Elasticsearch can generate an error message containing previously used portions of a data buffer. This buffer could contain sensitive...

CVSS 6.5, AI score 7.1, EPSS 0.76249
Exploits: 6
Metasploit
•added 2023/09/06 7:51 p.m.•482 views

SolarView Compact unauthenticated remote command execution vulnerability.

CONTEC's SolarView Series enables you to monitor and visualize solar power and is only available in Japan. This module exploits a command injection vulnerability on the SolarView Compact v6.00 web application via vulnerable endpoint downloader.php. After exploitation, an attacker will have full...

CVSS 9.8, AI score 9.6, EPSS 0.99273
Exploits: 9
Metasploit
•added 2023/09/06 7:51 p.m.•463 views

Roundcube TimeZone Authenticated File Disclosure

Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires...

CVSS 7.8, AI score 8.1, EPSS 0.42831
Exploits: 5
Metasploit
•added 2023/09/05 7:51 p.m.•1176 views

CVE-2023-21554 - QueueJumper - MSMQ RCE Check

This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that overflows the given buffer. On patched systems, the error is caught and no response is sent back. On vulnerable systems, the...

CVSS 9.8, AI score 9.4, EPSS 0.95454
Exploits: 7
Metasploit
•added 2023/08/30 7:51 p.m.•522 views

Apache NiFi H2 Connection String Remote Code Execution

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells (5-7). Successfully test...

CVSS 8.8, AI score 8.8, EPSS 0.63383
Exploits: 9
Metasploit
•added 2023/08/25 7:51 p.m.•219 views

Elasticsearch Enumeration Utility

This module enumerates Elasticsearch instances. It uses the REST API in order to gather information about the server, the cluster, nodes in the cluster, indices, and pull data from those indices. Module Options msf use auxiliary/gather/elasticsearchenum msf auxiliaryelasticsearchenum show action...

AI score 6.8
Exploits: 0
Metasploit
•added 2023/08/24 7:50 p.m.•433 views

Chamilo unauthenticated command injection in PowerPoint upload

Chamilo is an e-learning platform, also called Learning Management Systems (LMS). This module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions 1.11.18 and below (CVE-2023-34960). Due to a functionality called Chamilo Rapid to easily convert PowerPoint...

CVSS 9.8, AI score 9.4, EPSS 0.99397
Exploits: 9
Metasploit
•added 2023/08/19 7:51 p.m.•329 views

Jorani unauthenticated Remote Code Execution

This module exploits an unauthenticated Remote Code Execution in Jorani prior to 1.0.2. It abuses 3 vulnerabilities: log poisoning and redirection bypass via header spoofing, then it uses path traversal to trigger the vulnerability. It has been tested on Jorani 1.0.0. Module Options msf use...

CVSS 9.8, AI score 8.6, EPSS 0.81918
Exploits: 5
Metasploit
•added 2023/08/17 7:51 p.m.•276 views

Greenshot .NET Deserialization Fileformat Exploit

There exists a .NET deserialization vulnerability in Greenshot version 1.3.274 and below. The deserialization allows the execution of commands when a user opens a Greenshot file. The commands execute under the same permissions as the Greenshot service. Typically, this is the logged in user. Module...

CVSS 7.8, AI score 8, EPSS 0.07685
Exploits: 7
Metasploit
•added 2023/08/17 7:51 p.m.•782 views

Maltrail Unauthenticated Command Injection

Maltrail is a malicious traffic detection system, utilizing publicly available blacklists containing malicious and/or generally suspicious trails. The Maltrail versions use exploit/unix/http/maltrailrce msf exploitmaltrailrce show targets ...targets... msf exploitmaltrailrce set TARGET msf...

CVSS 10, AI score 7.6, EPSS 0.03884
Exploits: 1
Metasploit
•added 2023/08/16 7:50 p.m.•838 views

H2 Web Interface Create Alias RCE

The H2 database contains an alias function which allows for arbitrary Java code to be used. This functionality can be abused to create an exec functionality to pull our payload down and execute it. H2's web interface restricts MANY characters, so injecting a payload directly is not...

CVSS 8.8, AI score 7.3, EPSS 0.34986
Exploits: 2
Metasploit
•added 2023/08/15 7:50 p.m.•252 views

RaspAP Unauthenticated Command Injection

RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running...

CVSS 9.8, AI score 9, EPSS 0.98725
Exploits: 3
Metasploit
•added 2023/08/09 7:50 p.m.•873 views

Metabase Setup Token RCE

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created wi...

CVSS 9.8, AI score 9.8, EPSS 0.97924
Exploits: 36
Metasploit
•added 2023/08/03 7:50 p.m.•245 views

Unix SSH Shell, Bind Instance Connect (via AWS API)

Creates an SSH shell using AWS Instance Connect Module Options msf use payload/cmd/unix/bindawsinstanceconnect msf payloadbindawsinstanceconnect show actions ...actions... msf payloadbindawsinstanceconnect set ACTION msf payloadbindawsinstanceconnect show options ...show and set options... msf...

AI score 7.1
Exploits: 0
Metasploit
•added 2023/08/03 7:50 p.m.•544 views

Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE

This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence...

CVSS 7.2, AI score 8, EPSS 0.65071
Exploits: 10
Metasploit
•added 2023/08/03 7:50 p.m.•363 views

Citrix ADC (NetScaler) Forms SSO Target RCE

A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root. Module Options msf use...

CVSS 9.8, AI score 9.6, EPSS 0.99445
Exploits: 16
Metasploit
•added 2023/08/02 7:50 p.m.•181 views

OSX Meterpreter, Reverse HTTPS Inline

Run the Meterpreter / Mettle server payload stageless Module Options msf use payload/osx/aarch64/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show and set...

AI score 7.1
Exploits: 0
Metasploit
•added 2023/08/02 7:50 p.m.•317 views

OSX Meterpreter, Reverse HTTP Inline

Run the Meterpreter / Mettle server payload stageless Module Options msf use payload/osx/aarch64/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and set options...

AI score 7.1
Exploits: 0
Metasploit
•added 2023/08/02 7:50 p.m.•549 views

OSX Meterpreter, Reverse TCP Inline

Run the Meterpreter / Mettle server payload stageless Module Options msf use payload/osx/aarch64/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set options... m...

AI score 7.1
Exploits: 0
Metasploit
•added 2023/08/02 7:50 p.m.•637 views

OSX Meterpreter, Reverse TCP Stager

Inject the mettle server payload staged. Connect back to the attacker Module Options msf use payload/osx/aarch64/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set options... msf...

AI score 7
Exploits: 0
Metasploit
•added 2023/07/31 7:52 p.m.•446 views

Rudder Server SQLI Remote Code Execution

This Metasploit module exploits a SQL injection vulnerability in RudderStack's rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may le...

CVSS 8.8, AI score 8.8, EPSS 0.85825
Exploits: 4
Metasploit
•added 2023/07/28 7:50 p.m.•435 views

Western Digital MyCloud unauthenticated command injection

This module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyClou...

CVSS 10, AI score 8.9, EPSS 0.95097
Exploits: 7
Metasploit
•added 2023/07/25 7:50 p.m.•861 views

Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode

The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an...

CVSS 9.8, AI score 9.2, EPSS 0.3962
Exploits: 8
Metasploit
•added 2023/07/25 7:50 p.m.•317 views

VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE

VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the ro...

CVSS 9.8, AI score 10, EPSS 0.98125
Exploits: 7
Metasploit
•added 2023/07/19 7:50 p.m.•734 views

Openfire authentication bypass with RCE plugin

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup...

CVSS 8.6, AI score 8.1, EPSS 0.99998
Exploits: 15
Metasploit
•added 2023/07/19 7:50 p.m.•403 views

Piwigo CVE-2023-26876 Gather Credentials via SQL Injection

This module allows an authenticated user to retrieve the usernames and encrypted passwords of other users in Piwigo through SQL injection using the filteruserid parameter. Module Options msf use auxiliary/gather/piwigocve202326876 msf auxiliarypiwigocve202326876 show actions ...actions... msf...

CVSS 8.8, AI score 8.9, EPSS 0.09725
Exploits: 5
Metasploit
•added 2023/07/12 7:51 p.m.•512 views

pfSense Restore RRD Data Command Injection

This module exploits an authenticated command injection vulnerability in the "restorerrddata" function of pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore" privilege to execute arbitrary operating system commands as the "root"...

CVSS 8.8, AI score 9.6, EPSS 0.90655
Exploits: 4
Metasploit
•added 2023/07/11 7:51 p.m.•560 views

SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution

This module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers use exploit/windows/http/smartermailrce msf exploitsmartermailr...

CVSS 10, AI score 9.2, EPSS 0.83317
Exploits: 7
Metasploit
•added 2023/07/11 7:50 p.m.•798 views

Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation

WooCommerce-Payments plugin for Wordpress versions 4.8', '4.8.2, 4.9', '4.9.1, 5.0', '5.0.4, 5.1', '5.1.3, 5.2', '5.2.2, 5.3', '5.3.1, 5.4', '5.4.1, 5.5', '5.5.2, and 5.6', '5.6.2 contain an authentication bypass by specifying a valid user ID number within the X-WCPAY-PLATFORM-CHECKOUT-USER heade...

CVSS 9.8, AI score 8.8, EPSS 0.86919
Exploits: 9
Metasploit
•added 2023/07/06 7:51 p.m.•453 views

Apache RocketMQ update config RCE

RocketMQ versions 5.1.0 and below are vulnerable to Arbitrary Code Injection. The Broker component of RocketMQ is leaked on the extranet and lacks permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that...

CVSS 9.8, AI score 9.8, EPSS 0.96604
Exploits: 11
Total number of security vulnerabilities: 6843