6843 matches found
Powershell Exec, Find Tag Ordinal Stager
Execute an x86 payload from a command via PowerShell. Use an established connection Module Options msf use payload/cmd/windows/powershell/dllinject/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options... msf...
Powershell Exec, Generic x86 Tight Loop
Execute an x86 payload from a command via PowerShell. Generate a tight loop in the target process Module Options msf use payload/cmd/windows/powershell/generic/tightloop msf payloadtightloop show actions ...actions... msf payloadtightloop set ACTION msf payloadtightloop show options ...show and s...
Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)
Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/dllinject/bindipv6tcpuuid msf payloadbindipv6tcpuuid show actions ...actions... msf payloadbindipv6tcpuuid set ACTION msf...
Powershell Exec, Reverse All-Port TCP Stager
Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/powershell/dllinject/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf payloadreversetcpallport...
Powershell Exec, Bind TCP Stager (Windows x86)
Execute an x86 payload from a command via PowerShell. Listen for a connection Windows x86 Module Options msf use payload/cmd/windows/powershell/dllinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options...
Powershell Exec, Generic x86 Debug Trap
Execute an x86 payload from a command via PowerShell. Generate a debug trap in the target process Module Options msf use payload/cmd/windows/powershell/generic/debugtrap msf payloaddebugtrap show actions ...actions... msf payloaddebugtrap set ACTION msf payloaddebugtrap show options ...show and s...
Powershell Exec, Windows Executable Download (http,https,ftp) and Execute
Execute an x86 payload from a command via PowerShell. Download an EXE from an HTTPS/FTP URL and execute it Module Options msf use payload/cmd/windows/powershell/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options...
Powershell Exec, Reverse TCP Stager (IPv6)
Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/powershell/dllinject/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show...
Powershell Exec, Windows MessageBox
Execute an x86 payload from a command via PowerShell. Spawns a dialog via MessageBox using a customizable title, text & icon Module Options msf use payload/cmd/windows/powershell/messagebox msf payloadmessagebox show actions ...actions... msf payloadmessagebox set ACTION msf payloadmessagebox sho...
Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/dllinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show...
Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
This module exploits a stack buffer overflow in the Cisco RV series routers SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier...
Spring Framework Class property RCE (Spring4Shell)
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an objec...
ZoneMinder Language Settings Remote Code Execution
This module exploits arbitrary file write in debug log file option chained with a path traversal in language settings that leads to a remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11 Module Options msf use exploit/unix/webapp/zoneminderlangexec...
VMware Workspace ONE Access CVE-2022-22954
This module exploits CVE-2022-22954, an unauthenticated server-side template injection SSTI in VMware Workspace ONE Access, to execute shell commands as the "horizon" user. Module Options msf use exploit/linux/http/vmwareworkspaceoneaccesscve202222954 msf exploitvmwareworkspaceoneaccesscve2022229...
WSO2 Arbitrary File Upload to RCE
This module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5....
Redis Lua Sandbox Escape
This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. On...
Windows Installed AntiVirus Enumeration
This module will enumerate the AV products detected by WMIC Module Options msf use post/windows/gather/enumav msf postenumav show actions ...actions... msf postenumav set ACTION msf postenumav show options ...show and set options... msf postenumav run This module requires Metasploit:...
Windows Shell, Reverse TCP (via jjs)
Connect back and create a command shell via jjs Module Options msf use payload/cmd/windows/jjsreversetcp msf payloadjjsreversetcp show actions ...actions... msf payloadjjsreversetcp set ACTION msf payloadjjsreversetcp show options ...show and set options... msf payloadjjsreversetcp run This modul...
ManageEngine ADSelfService Plus Custom Script Execution
This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker provided "admin"...
Watch Queue Out of Bounds Write
This module exploits a vulnerability in the Linux Kernel's watchqueue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service ...
User Profile Arbitrary Junction Creation Local Privilege Elevation
The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability ...
ALLMediaServer 1.6 SEH Buffer Overflow
This module exploits a stack buffer overflow leading to a SEH handler overwrite in ALLMediaServer 1.6. The vulnerability is caused due to a boundary error within the handling of a HTTP request. Note that this exploit will only work against x86 or WoW64 targets, x64 is not supported at this time...
Windows Gather Installed Application Within Chocolatey Enumeration
This module will enumerate all installed applications on a Windows system with chocolatey installed Module Options msf use post/windows/gather/enumchocolateyapplications msf postenumchocolateyapplications show actions ...actions... msf postenumchocolateyapplications set ACTION msf...
Spring Cloud Function SpEL Injection
Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attack...
Windows IIS HTTP Protocol Stack DOS
This module exploits CVE-2021-31166, a UAF bug in http.sys when parsing specially crafted Accept-Encoding headers that was patched by Microsoft in May 2021, on vulnerable IIS servers. Successful exploitation will result in the target computer BSOD'ing before subsequently rebooting. Note that the...
Python Exec, Python Meterpreter Shell, Reverse HTTP Inline
Execute a Python payload as an OS command from a Posix-compatible shell. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp...
Python Exec, Command Shell, Reverse TCP SSL (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellreversetcpssl msf payloadshellreversetcpssl show...
Python Exec, Command Shell, Reverse UDP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellreverseudp msf payloadshellreverseudp show actions...
Python Exec, Python Meterpreter, Python Reverse HTTP Stager
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP Module Options msf use payload/cmd/unix/python/meterpreter/reversehttp msf payloadreversehttp show actions ...actions... msf...
Python Exec, Python Meterpreter, Python Reverse HTTPS Stager
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP using SSL Module Options msf use payload/cmd/unix/python/meterpreter/reversehttps msf payloadreversehttps show actions...
Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Reverse Python connect back stager using SSL Module Options msf use payload/cmd/unix/python/meterpreter/reversetcpssl msf payloadreversetcpssl show actions...
Python Exec, Command Shell, Reverse TCP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellreversetcp msf payloadshellreversetcp show actions...
Python Exec, Python Meterpreter Shell, Bind TCP Inline
Execute a Python payload as an OS command from a Posix-compatible shell. Connect to the victim and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterbindtcp msf payloadmeterpreterbindtcp show actions ...actions... msf payloadmeterpreterbindtcp set ACTION msf...
Python Exec, Python Pingback, Reverse TCP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Connects back to the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/unix/python/pingbackreversetcp msf payloadpingbackreversetcp show actions ...actions... msf payloadpingbackreversetcp set ACTION...
Python Exec, Python Pingback, Bind TCP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Listens for a connection from the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/unix/python/pingbackbindtcp msf payloadpingbackbindtcp show actions ...actions... msf payloadpingbackbindtcp set...
Python Exec, Python Meterpreter, Python Reverse TCP Stager
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker Module Options msf use payload/cmd/unix/python/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf...
Python Exec, Command Shell, Bind TCP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellbindtcp msf payloadshellbindtcp show actions ...actions...
Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/unix/python/meterpreter/reversetcpuuid msf payloadreversetcpuuid show actio...
Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection with UUID Support Module Options msf use payload/cmd/unix/python/meterpreter/bindtcpuuid msf payloadbindtcpuuid show actions...
Python Exec, Python Meterpreter, Python Bind TCP Stager
Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection Module Options msf use payload/cmd/unix/python/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp s...
Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline
Execute a Python payload as an OS command from a Posix-compatible shell. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehtt...
Python Exec, Python Meterpreter Shell, Reverse TCP Inline
Execute a Python payload as an OS command from a Posix-compatible shell. Connect back to the attacker and spawn a Meterpreter shell Module Options msf use payload/cmd/unix/python/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set...
CVE-2022-21999 SpoolFool Privesc
The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The SpoolDirectory, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via...
GitLab GraphQL API User Enumeration
This module queries the GitLab GraphQL API without authentication to acquire the list of GitLab users CVE-2021-4191. The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5. Module Options msf use auxiliary/scanner/http/gitlabgraphqluserenum msf...
Dirty Pipe Local Privilege Escalation via CVE-2022-0847
This exploit targets a vulnerability in the Linux kernel since 5.8, that allows writing of read only or immutable memory. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102. The module exploits this vulnerability by overwriting a suid binary with the payload, executing it, and the...
Windows Encrypted Reverse Shell
Connect back to attacker and spawn an encrypted command shell Module Options msf use payload/windows/x64/encryptedshellreversetcp msf payloadencryptedshellreversetcp show actions ...actions... msf payloadencryptedshellreversetcp set ACTION msf payloadencryptedshellreversetcp show options ...show...
Windows Command Shell, Encrypted Reverse TCP Stager
Spawn a piped command shell staged. Connect to MSF and read in stage Module Options msf use payload/windows/x64/encryptedshell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set options... msf...
APISIX Admin API default access token RCE
Apache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used to access all of the admin API, which leads to remote LUA code execution through the script parameter added in the 2.x version. This module also leverages another vulnerability to bypass the IP...
Wordpress MasterStudy Admin Account Creation
MasterStudy LMS, a WordPress plugin, prior to 2.7.6 is affected by a privilege escalation where an unauthenticated user is able to create an administrator account for wordpress itself. Module Options msf use auxiliary/admin/http/wpmasterstudyprivesc msf auxiliarywpmasterstudyprivesc show actions...
pfSense Diag Routes Web Shell Upload
This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface CVE-2021-41282. The vulnerability affects versions use exploit/unix/http/pfsensediagrouteswebshell msf exploitpfsensediagrouteswebshell show targets ...targets... msf exploitpfsensediagrouteswebshell set...