6843 matches found

Metasploit • added 2023/04/12 7:43 p.m. • 179 views

Unix Command Shell, Bind SCTP (via socat)

Creates an interactive shell via socat Module Options msf use payload/cmd/unix/bindsocatsctp msf payloadbindsocatsctp show actions ...actions... msf payloadbindsocatsctp set ACTION msf payloadbindsocatsctp show options ...show and set options... msf payloadbindsocatsctp run This module requires...

7.1 AI score
Exploits: 0

Metasploit • added 2023/04/12 7:43 p.m. • 100 views

Unix Command Shell, Reverse SCTP (via socat)

Creates an interactive shell via socat Module Options msf use payload/cmd/unix/reversesocatsctp msf payloadreversesocatsctp show actions ...actions... msf payloadreversesocatsctp set ACTION msf payloadreversesocatsctp show options ...show and set options... msf payloadreversesocatsctp run This...

7.1 AI score
Exploits: 0

Metasploit • added 2023/04/12 7:43 p.m. • 45 views

Python Exec, Command Shell, Reverse SCTP (via python)

Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellreversesctp msf payloadshellreversesctp show actions...

7.2 AI score
Exploits: 0

Metasploit • added 2023/04/12 7:43 p.m. • 182 views

Rocket Software Unidata udadmin_server Authentication Bypass

This module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server. This affects versions of UniData prior to 8.2.4 build 3003. This service typically runs as root. It accepts a username of...

9.8 CVSS • 8.5 AI score • 0.62136 EPSS
Exploits: 2

Metasploit • added 2023/04/12 7:43 p.m. • 195 views

Rocket Software Unidata udadmin_server Stack Buffer Overflow in Password

This module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server, which runs as root. This vulnerability affects UniData versions 8.2.4 build 3003 and earlier for Linux, but this module...

9.8 CVSS • 8.3 AI score • 0.61102 EPSS
Exploits: 2

Metasploit • added 2023/03/30 7:50 p.m. • 488 views

Ancillary Function Driver (AFD) for WinSock Elevation of Privilege

A vulnerability that exists in the Windows Ancillary Function Driver for Winsock (afd.sys) can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in AfdNotifyRemoveIoCompletion, it is possible to create an arbitrary kernel Write-Where primitive, which can b...

7.8 CVSS • 7.9 AI score • 0.65417 EPSS
Exploits: 13

Metasploit • added 2023/03/29 7:50 p.m. • 181 views

SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE

The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command...

7.2 CVSS • 7.2 AI score • 0.69546 EPSS
Exploits: 3

Metasploit • added 2023/03/29 7:50 p.m. • 268 views

Optergy Proton and Enterprise BMS Command Injection using a backdoor

This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications. Versions 2.0.3a and below are vulnerable. Attackers can exploit this issue by directly navigating to an undocumented backdoor script called Console.jsp in...

10 CVSS • 8.6 AI score • 0.93384 EPSS
Exploits: 7

Metasploit • added 2023/03/29 7:50 p.m. • 272 views

AMQP 0-9-1 Version Scanner

Detect AMQP version information. Module Options msf use auxiliary/scanner/amqp/amqpversion msf auxiliaryamqpversion show actions ...actions... msf auxiliaryamqpversion set ACTION msf auxiliaryamqpversion show options ...show and set options... msf auxiliaryamqpversion run This module requires...

7.1 AI score
Exploits: 0

Metasploit • added 2023/03/29 7:50 p.m. • 240 views

AMQP 0-9-1 Login Check Scanner

This module will test AMQP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Module Options msf use auxiliary/scanner/amqp/amqplogin msf...

7 AI score
Exploits: 0

Metasploit • added 2023/03/22 7:50 p.m. • 301 views

Monitorr unauthenticated Remote Code Execution (RCE)

This module exploits an arbitrary file upload vulnerability to achieve RCE in the Monitorr application. Using a specially crafted request, custom PHP code can be uploaded and injected through endpoint upload.php because of missing input validation. Any user privileges can exploit this...

9.8 CVSS • 8.7 AI score • 0.85785 EPSS
Exploits: 8

Metasploit • added 2023/03/21 7:50 p.m. • 286 views

Zyxel Unauthenticated LAN Remote Code Execution

This module exploits a buffer overflow in the zhttpd binary (/bin/zhttpd). It is present on more than 40 Zyxel routers and CPE devices. The code execution vulnerability can only be exploited by an attacker if the zhttp webserver is reachable. No authentication is required. After exploitation, an...

9.8 CVSS • 9.3 AI score • 0.0542 EPSS
Exploits: 1

Metasploit • added 2023/03/21 7:50 p.m. • 309 views

XOR POLY Encoder

An x86 Simple POLY Xor encoding method, using polymorphism, register swapping, and instruction modification. Module Options msf use encoder/x86/xorpoly msf encoderxorpoly show actions ...actions... msf encoderxorpoly set ACTION msf encoderxorpoly show options ...show and set options... msf...

7.1 AI score
Exploits: 0

Metasploit • added 2023/03/18 7:52 p.m. • 522 views

WhatsUp Gold Credentials Dump

This module exports and decrypts credentials from WhatsUp Gold to a CSV file; it is intended as a post-exploitation module for Windows hosts with WhatsUp Gold installed. The module has been tested on and can successfully decrypt credentials from WhatsUp versions 11.0 to the latest 22.x. Extracted...

6.3 AI score
Exploits: 0

Metasploit • added 2023/03/17 7:52 p.m. • 287 views

Open Web Analytics 1.7.3 - Remote Code Execution (RCE)

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with ' use exploit/multi/http/openwebanalyticsrce msf...

9.8 CVSS • 8.6 AI score • 0.99134 EPSS
Exploits: 14

Metasploit • added 2023/03/16 7:50 p.m. • 357 views

Bitbucket Environment Variable RCE

For various versions of Bitbucket, there is an authenticated command injection vulnerability that can be exploited by injecting environment variables into a user name. This module achieves remote code execution as the atlbitbucket user by injecting the GIT_EXTERNAL_DIFF environment variable, a null...

9.8 CVSS • 9.5 AI score • 0.98035 EPSS
Exploits: 3

Metasploit • added 2023/03/14 7:50 p.m. • 161 views

Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation

This module exploits a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8. This may also work against The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary...

7.8 CVSS • 7.7 AI score • 0.03782 EPSS
Exploits: 8

Metasploit • added 2023/03/14 7:50 p.m. • 289 views

Fortinet FortiNAC keyUpload.jsp arbitrary file write

This module uploads a payload to the /tmp directory in addition to a cron job to /etc/cron.d which executes the payload in the context of the root user. The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which is accessible remotely and without authentication...

9.8 CVSS • 9.1 AI score • 0.99815 EPSS
Exploits: 7

Metasploit • added 2023/03/09 7:53 p.m. • 719 views

SugarCRM unauthenticated Remote Code Execution (RCE)

This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriat...

8.8 CVSS • 9.9 AI score • 0.80274 EPSS
Exploits: 4

Metasploit • added 2023/03/08 7:52 p.m. • 403 views

Gather Wowza Streaming Engine Credentials

This module collects Wowza Streaming Engine user credentials. Module Options msf use post/multi/gather/wowzastreamingenginecreds msf postwowzastreamingenginecreds show actions ...actions... msf postwowzastreamingenginecreds set ACTION msf postwowzastreamingenginecreds show options ...show and set...

7.1 AI score
Exploits: 0

Metasploit • added 2023/03/07 7:52 p.m. • 350 views

Wowza Streaming Engine Manager Login Utility

This module will attempt to authenticate to Wowza Streaming Engine via Wowza Streaming Engine Manager web interface. Module Options msf use auxiliary/scanner/http/wowzastreamingenginemanagerlogin msf auxiliarywowzastreamingenginemanagerlogin show actions ...actions... msf...

5.9 AI score
Exploits: 0

Metasploit • added 2023/03/02 7:51 p.m. • 205 views

Lucee Authenticated Scheduled Job Code Execution

This module can be used to execute a payload on Lucee servers that have an exposed administrative web interface. It's possible for an administrator to create a scheduled job that queries a remote ColdFusion file, which is then downloaded and executed when accessed. The payload is uploaded as a cf...

9.4 CVSS • 7.2 AI score • 0.01134 EPSS
Exploits: 1

Metasploit • added 2023/03/01 7:50 p.m. • 297 views

Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload

This module exploits an unauthenticated arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through to 12.2.11, in order to gain remote code execution as the oracle user. Module Options msf use...

9.8 CVSS • 9.8 AI score • 0.98342 EPSS
Exploits: 7

Metasploit • added 2023/03/01 7:50 p.m. • 131 views

Softing Secure Integration Server Login Utility

This module will attempt to authenticate to a Softing Secure Integration Server. Module Options msf use auxiliary/scanner/http/softingsislogin msf auxiliarysoftingsislogin show actions ...actions... msf auxiliarysoftingsislogin set ACTION msf auxiliarysoftingsislogin show options ...show and set...

5.9 AI score
Exploits: 0

Metasploit • added 2023/02/24 7:52 p.m. • 125 views

Disable ClamAV

This module will write to the ClamAV Unix socket to shutoff ClamAV. Module Options msf use post/linux/manage/disableclamav msf postdisableclamav show actions ...actions... msf postdisableclamav set ACTION msf postdisableclamav show options ...show and set options... msf postdisableclamav run This...

7.1 AI score
Exploits: 0

Metasploit • added 2023/02/22 7:52 p.m. • 754 views

pyLoad js2py Python Execution

pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default...

9.8 CVSS • 9.7 AI score • 0.96988 EPSS
Exploits: 13

Metasploit • added 2023/02/22 7:52 p.m. • 626 views

Froxlor Log Path RCE

Froxlor v2.0.7 and below suffer from a bug that allows authenticated users to change the application logs path to any directory on the OS level which the user www-data can write without restrictions from the backend which leads to writing a malicious Twig template that the application will render...

8.8 CVSS • 7.2 AI score • 0.97653 EPSS
Exploits: 8

Metasploit • added 2023/02/15 7:51 p.m. • 688 views

GitLab GitHub Repo Import Deserialization RCE

An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested default_branch. GitLab will cache this object and then deserialize it when...

9.9 CVSS • 9 AI score • 0.86194 EPSS
Exploits: 5

Metasploit • added 2023/02/14 7:49 p.m. • 282 views

Cisco RV Series Authentication Bypass and Command Injection

This module exploits two vulnerabilities, a session ID directory traversal authentication bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV160, RV260, RV340, and RV345 Small Business Routers, allowing attackers to execute arbitrary commands with www-data user...

10 CVSS • 9.2 AI score • 0.80031 EPSS
Exploits: 3

Metasploit • added 2023/02/09 7:52 p.m. • 266 views

ManageEngine Endpoint Central Unauthenticated SAML RCE

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by...

9.8 CVSS • 9.7 AI score • 0.99753 EPSS
Exploits: 15

Metasploit • added 2023/02/09 7:52 p.m. • 511 views

Fortra GoAnywhere MFT Unsafe Deserialization RCE

This module exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT. Module Options msf use exploit/multi/http/fortragoanywherercecve20230669 msf exploitfortragoanywherercecve20230669 show targets ...targets... msf exploitfortragoanywherercecve20230669 se...

7.2 CVSS • 8.6 AI score • 0.99999 EPSS
Exploits: 12

Metasploit • added 2023/02/08 7:51 p.m. • 216 views

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted...

9.8 CVSS • 9.7 AI score • 0.99753 EPSS
Exploits: 15

Metasploit • added 2023/02/08 7:51 p.m. • 555 views

Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution

This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apach...

9 CVSS • 8.3 AI score • 0.72378 EPSS
Exploits: 8

Metasploit • added 2023/02/07 7:49 p.m. • 345 views

ManageEngine ServiceDesk Plus Unauthenticated SAML RCE

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted...

9.8 CVSS • 9.7 AI score • 0.99753 EPSS
Exploits: 15

Metasploit • added 2023/02/06 7:49 p.m. • 263 views

Apache Tomcat on Ubuntu Log Init Privilege Escalation

Tomcat 6, 7, 8 packages provided by default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account for example, by exploiting an RCE vulnerability in a java w...

7.8 CVSS • 7.7 AI score • 0.09783 EPSS
Exploits: 8

Metasploit • added 2023/02/03 7:50 p.m. • 106 views

Lenovo Diagnostics Driver IOCTL memmove

Incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write. Module Options msf use exploit/windows/local/cve20223699lenovodiagnosticsdriver msf...

7.8 CVSS • 7.9 AI score • 0.04284 EPSS
Exploits: 4

Metasploit • added 2023/02/03 7:50 p.m. • 196 views

F5 Big-IP Create Admin User

This creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most ...

8.8 AI score
Exploits: 0

Metasploit • added 2023/02/02 7:51 p.m. • 1437 views

Veeam Backup and Replication Credentials Dump

This module exports and decrypts credentials from Veeam Backup & Replication and Veeam ONE Monitor Server to a CSV file; it is intended as a post-exploitation module for Windows hosts with either of these products installed. The module supports automatic detection of VBR / Veeam ONE and is capabl...

6.9 AI score
Exploits: 0

Metasploit • added 2023/02/02 7:51 p.m. • 401 views

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

An app may be able to execute arbitrary code with kernel privileges. Module Options msf use exploit/osx/local/macdirtycow msf exploitmacdirtycow show targets ...targets... msf exploitmacdirtycow set TARGET msf exploitmacdirtycow show options ...show and set options... msf exploitmacdirtycow exploi...

7 CVSS • 7.9 AI score • 0.43088 EPSS
Exploits: 9

Metasploit • added 2023/02/01 7:50 p.m. • 331 views

vmwgfx Driver File Descriptor Handling Priv Esc

If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to recover by deallocating the already populated file descriptor. This is wrong, as the fd gets released via put_unused_fd which shouldn't be used, as the fd table slot was already populated via the previous call to...

7.8 CVSS • 6.5 AI score • 0.02579 EPSS
Exploits: 3

Metasploit • added 2023/02/01 7:50 p.m. • 277 views

io_uring Same Type Object Reuse Priv Esc

This module exploits a bug in io_uring leading to an additional put_cred that can be exploited to hijack credentials of other processes. We spawn SUID programs to get the free'd cred object reallocated by a privileged process and abuse them to create a SUID root binary ourselves that'll pop a shell...

8.8 CVSS • 7.8 AI score • 0.03716 EPSS
Exploits: 4

Metasploit • added 2023/01/31 7:49 p.m. • 464 views

CWP login.php Unauthenticated RCE

Control Web Panel versions use exploit/linux/http/controlwebpanellogincmdexec msf exploitcontrolwebpanellogincmdexec show targets ...targets... msf exploitcontrolwebpanellogincmdexec set TARGET msf exploitcontrolwebpanellogincmdexec show options ...show and set options... msf...

9.8 CVSS • 10 AI score • 0.99989 EPSS
Exploits: 12

Metasploit • added 2023/01/27 7:49 p.m. • 79 views

Kerberos Authentication Check Scanner

This module will test Kerberos logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Kerberos accounts which do not require pre-authentication...

5.5 AI score
Exploits: 0

Metasploit • added 2023/01/27 7:49 p.m. • 424 views

Kerberos ticket converter

This module converts tickets to the ccache format from the kirbi format and vice versa. Module Options msf use auxiliary/admin/kerberos/ticketconverter msf auxiliaryticketconverter show actions ...actions... msf auxiliaryticketconverter set ACTION msf auxiliaryticketconverter show options ...show...

7 AI score
Exploits: 0

Metasploit • added 2023/01/27 7:49 p.m. • 124 views

Kerberos Ticket Inspecting

This module outputs the contents of a ccache/kirbi file and optionally, when provided with the appropriate key, decrypts and displays the encrypted content too. Can be used for inspecting tickets that aren't working as intended in an effort to debug them. Module Options msf use...

6.9 AI score
Exploits: 0

Metasploit • added 2023/01/27 7:49 p.m. • 148 views

Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging

This module forges a Kerberos ticket. Four different techniques can be used: - Silver ticket: Using a service account hash, craft a ticket impersonating any user and privileges to that account. - Golden ticket: Using the krbtgt hash, craft a ticket impersonating any user and privileges. - Diamond...

5.5 AI score
Exploits: 0

Metasploit • added 2023/01/27 7:49 p.m. • 195 views

Kerberos keytab utilities

Utilities for interacting with keytab files, which can store the hashed passwords of one or more principals. Discovered keytab files can be used to generate Kerberos Ticket Granting Tickets, or bruteforced offline. Keytab files can also be useful for decrypting Kerberos traffic using Wireshark...

7.1 AI score
Exploits: 0

Metasploit • added 2023/01/27 7:49 p.m. • 339 views

Kerberos TGT/TGS Ticket Requester

This module requests TGT/TGS Kerberos tickets from the KDC. Module Options msf use auxiliary/admin/kerberos/getticket msf auxiliarygetticket show actions ...actions... msf auxiliarygetticket set ACTION msf auxiliarygetticket show options ...show and set options... msf auxiliarygetticket run This...

5.3 AI score
Exploits: 0

Metasploit • added 2023/01/27 7:49 p.m. • 708 views

Active Directory Certificate Services (ADCS) privilege escalation (Certifried)

This module exploits a privilege escalation vulnerability in Active Directory Certificate Services (ADCS) to generate a valid certificate impersonating the Domain Controller (DC) computer account. This certificate is then used to authenticate to the target as the DC account using PKINIT...

9 CVSS • 7.4 AI score • 0.83277 EPSS
Exploits: 8

Metasploit • added 2023/01/24 7:51 p.m. • 149 views

Python Exec, Command Shell, Reverse UDP (via python)

Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. Module Options msf use payload/cmd/windows/python/shellreverseudp msf payloadshellreverseudp show actions ...actions... msf...

7.1 AI score
Exploits: 0

Total number of security vulnerabilities: 6843