Lucene search

6845 matches found

Metasploit
Added 2021/09/25 5:42 p.m. • 130 views

Netgear PNPX_GetShareFolderList Authentication Bypass

This module targets an authentication bypass vulnerability in the minihttp binary of several Netgear Routers running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows unauthenticated attackers to reveal the password for the admin user that is used to...

CVSS 10 • AI score 7.3 • EPSS 0.17641
Exploits: 1

Added 2021/09/23 5:42 p.m. • 61 views

Direct windows syscall evasion technique

This module allows you to generate a Windows EXE that evades host-based security products such as EDR/AVs. It uses direct Windows syscalls to achieve stealthiness and avoid EDR hooking. Please try to use payloads that use a more secure transfer channel such as HTTPS or RC4 in order to avoid...

AI score 7
Exploits: 0

Added 2021/09/20 5:41 p.m. • 74 views

Geutebruck Camera Deface

This module will take an existing session on a vulnerable Geutebruck Camera and will allow the user to either freeze the camera and display the last image from the video stream, display an image on the camera, or restore the camera back to displaying the current feed/stream. Module Options msf us...

AI score 7
Exploits: 0

Added 2021/09/20 5:41 p.m. • 298 views

Git Remote Code Execution via git-lfs (CVE-2020-27955)

A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker's malicious repository using a vulnerable Git...

CVSS 10 • AI score 9 • EPSS 0.82715
Exploits: 14

Added 2021/09/20 5:41 p.m. • 165 views

ManageEngine OpManager SumPDU Java Deserialization

An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application NT AUTHORITY\SYSTEM on Windows ...

CVSS 9.8 • AI score 7.9 • EPSS 0.787
Exploits: 6

Added 2021/09/20 5:41 p.m. • 168 views

elFinder Archive Command Injection

elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the name parameter is sanitized with the escapeshellarg php function and then passed to the zip utility. Despite the sanitization, supplying the -TmTT...

CVSS 9.8 • AI score 9 • EPSS 0.69934
Exploits: 5

Added 2021/09/20 5:41 p.m. • 154 views

Geutebruck instantrec Remote Command Execution

This module exploits a buffer overflow within the 'action' parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions == 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5...

CVSS 7.2 • AI score 7.9 • EPSS 0.66194
Exploits: 4

Added 2021/09/20 5:41 p.m. • 43 views

Jira Users Enumeration

This module exploits an information disclosure vulnerability that allows an unauthenticated user to enumerate users in the /ViewUserHover.jspa endpoint. This only affects Jira versions use auxiliary/scanner/http/jirauserenum msf auxiliaryjirauserenum show actions ...actions... msf...

CVSS 5.3 • AI score 6.2 • EPSS 0.99603
Exploits: 8

Added 2021/09/09 5:42 p.m. • 57 views

Atlassian Confluence WebWork OGNL Injection

This module exploits an OGNL injection in Atlassian Confluence's WebWork component to execute commands as the Tomcat user. Module Options msf use exploit/linux/http/atlassianconfluencewebworkognlinjection msf exploitatlassianconfluencewebworkognlinjection show targets ...targets... msf...

CVSS 9.8 • AI score 7.7 • EPSS 0.99999
Exploits: 45

Added 2021/09/09 5:42 p.m. • 58 views

Office 365 User Enumeration

Enumerate valid usernames (email addresses) from Office 365 using ActiveSync. Differences in the HTTP response code and HTTP headers can be used to differentiate between:
- Valid username (response code 401)
- Valid username and password without 2FA (response code 200)
- Valid username and password wit...

AI score 7.2
Exploits: 0

Added 2021/09/01 5:42 p.m. • 167 views

Geutebruck Multiple Remote Command Execution

This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devic...

CVSS 9.8 • AI score 8 • EPSS 0.94622
Exploits: 12

Added 2021/09/01 5:42 p.m. • 630 views

Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE

Linux kernels from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37 are vulnerable to a bug in the eBPF verifier's verification of ALU32 operations in the scalar32_min_max_and function when performing AND operations, whereby under certain conditions the bounds of a 32-bit register would not b...

CVSS 7.8 • AI score 6.5 • EPSS 0.27477
Exploits: 14

Added 2021/08/27 5:42 p.m. • 72 views

Git LFS Clone Command Exec

Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are vulnerable to remote code execution while cloning a repository. Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order of...

CVSS 8 • AI score 8.9 • EPSS 0.88644
Exploits: 5

Added 2021/08/26 5:42 p.m. • 188 views

Wordpress LearnPress current_items Authenticated SQLi

LearnPress, a learning management plugin for WordPress, prior to 3.2.6.8 is affected by an authenticated SQL injection via the currentitems parameter of the post-new.php page. Module Options msf use auxiliary/scanner/http/wplearnpresssqli msf auxiliarywplearnpresssqli show actions ...actions... m...

CVSS 8.8 • AI score 8.9 • EPSS 0.49231
Exploits: 6

Added 2021/08/19 5:43 p.m. • 990 views

Microsoft Exchange ProxyShell RCE

This module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve the RCE (Remote Code Execution). By taking advantage of this...

CVSS 10 • AI score 8.8 • EPSS 0.99999
Exploits: 18

Added 2021/08/17 5:42 p.m. • 113 views

Lucee Administrator imgProcess.cfm Arbitrary File Write

This module exploits an arbitrary file write in Lucee Administrator's imgProcess.cfm file to execute commands as the Tomcat user. Module Options msf use exploit/linux/http/luceeadminimgprocessfilewrite msf exploitluceeadminimgprocessfilewrite show targets ...targets... msf...

CVSS 9.8 • AI score 8.6 • EPSS 0.89189
Exploits: 5

Added 2021/08/12 5:51 p.m. • 165 views

Canon Driver Privilege Escalation

Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll with a malicious DLL at the...

CVSS 7.8 • AI score 8.6 • EPSS 0.01009
Exploits: 3

Added 2021/08/12 5:51 p.m. • 109 views

Lexmark Driver Privilege Escalation

Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\Universal Color Laser.gdl to replace the DLL path to unires.dll with a...

CVSS 7.8 • AI score 8.5 • EPSS 0.01413
Exploits: 3

Added 2021/08/12 5:51 p.m. • 188 views

Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE

This module can be used to upload a plugin on Atlassian Crowd via the pdkinstall development plugin as an unauthenticated attacker. The payload is uploaded as a JAR archive containing a servlet using a POST request to /crowd/admin/uploadplugin.action. The check command will check that the...

CVSS 9.8 • AI score 9.6 • EPSS 0.95355
Exploits: 6

Added 2021/07/29 5:43 p.m. • 128 views

Windows SAM secrets leak - HiveNightmare

Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged user to read those files. But, as they are locked while Windows is running we are not able to read them directly. The trick is to take advantage of Volume Shadow Copy, which is generally enabled, to...

CVSS 7.8 • AI score 8.9 • EPSS 0.67252
Exploits: 11

Added 2021/07/29 5:43 p.m. • 42 views

Pi-Hole Remove Commands Linux Priv Esc

Pi-Hole versions 3.0 - 5.3 allow command line input to the removecustomcname, removecustomdns, and removestaticdhcp functions without properly validating the parameters before passing them to sed. When executed as the www-data user, this allows for a privilege escalation to root since www-data is...

CVSS 7.8 • AI score 7.5 • EPSS 0.01863
Exploits: 4

Added 2021/07/29 5:43 p.m. • 194 views

Netgear R7000 backup.cgi Heap Overflow RCE

This module exploits a heap buffer overflow in the genie.cgi?backup.cgi page of Netgear R7000 routers running firmware version 1.0.11.116. Successful exploitation results in unauthenticated attackers gaining code execution as the root user. The exploit utilizes these privileges to enable the teln...

CVSS 8.8 • AI score 9.3 • EPSS 0.14177
Exploits: 4

Added 2021/07/26 5:43 p.m. • 49 views

Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution

This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin Modern Events Calendar .php Module Options msf use exploit/multi/http/wppluginmoderneventscalendarrce msf...

CVSS 7.2 • AI score 7.1 • EPSS 0.88158
Exploits: 9

Added 2021/07/24 5:50 p.m. • 81 views

Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution

This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin SP Project & Document /.php Module Options msf use exploit/multi/http/wppluginspprojectdocumentrce msf exploitwppluginspprojectdocumentrce...

CVSS 8.8 • AI score 8.6 • EPSS 0.52007
Exploits: 8

Added 2021/07/23 5:45 p.m. • 71 views

Apache Tapestry HMAC secret key leak

This exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits hd : 6hd-4hd-4hd-4hd-12hd If the HMAC key has been changed to look differently, this...

CVSS 10 • AI score 9.3 • EPSS 0.94089
Exploits: 5

Added 2021/07/21 5:42 p.m. • 95 views

Sage X3 Administration Service Authentication Bypass Command Execution

This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an available AdxAdmin service. Module Options msf use exploit/windows/sage/x3adxsrvauthbypasscmdexec msf...

CVSS 10 • AI score 8.3 • EPSS 0.70268
Exploits: 7

Added 2021/07/21 5:42 p.m. • 115 views

Wordpress Plugin Backup Guard - Authenticated Remote Code Execution

This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin Backup Guard .php Module Options msf use exploit/multi/http/wppluginbackupguardrce msf exploitwppluginbackupguardrce show targets...

CVSS 7.2 • AI score 7.6 • EPSS 0.83693
Exploits: 9

Added 2021/07/21 5:42 p.m. • 268 views

Sage X3 AdxAdmin Login Scanner

This module allows an attacker to perform a password guessing attack against the Sage X3 AdxAdmin service, which in turn can be used to authenticate to a local Windows account. This module implements the X3Crypt function to 'encrypt' any passwords to be used during the authentication process, giv...

CVSS 5.3 • AI score 7.7 • EPSS 0.35792
Exploits: 6

Added 2021/07/13 5:42 p.m. • 255 views

VMware vCenter Server Virtual SAN Health Check Plugin RCE

This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. Tested against VMware vCenter Server 6.7 Update 3m Linux...

CVSS 10 • AI score 8.1 • EPSS 0.99999
Exploits: 13

Added 2021/07/10 5:41 p.m. • 115 views

ForgeRock / OpenAM Jato Java Deserialization

This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST...

CVSS 10 • AI score 9.9 • EPSS 0.99999
Exploits: 8

Added 2021/07/09 5:42 p.m. • 50 views

Windows Process Memory Dump

This module creates a memory dump of a process to disk and downloads the file for offline analysis. Options for DUMPTYPE affect the completeness of the dump: "full" retrieves the entire process address space all allocated pages; "standard" excludes image files e.g. DLLs and EXEs in the address...

AI score 7
Exploits: 0

Added 2021/07/09 5:42 p.m. • 248 views

Polkit D-Bus Authentication Bypass

A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operati...

CVSS 7.8 • AI score 8.2 • EPSS 0.22193
Exploits: 37

Added 2021/07/08 5:42 p.m. • 58 views

Print Spooler Remote DLL Injection

The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running. Module Options msf use...

CVSS 9.3 • AI score 8 • EPSS 0.99759
Exploits: 75

Added 2021/07/06 5:43 p.m. • 126 views

NSClient++ 0.5.2.35 - Privilege escalation

This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell. For this module to work, both the NSClient++ web interface and ExternalScripts features must be enabled. You must also know where the NSClient config file is, as it is use...

CVSS 7.8 • AI score 6.8 • EPSS 0.00501
Exploits: 2

Added 2021/07/01 5:42 p.m. • 451 views

Docker Container Escape Via runC Overwrite

This module leverages a flaw in runc to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the runc binary with the payload and waits for someone to use docker exec to get into the container. This will trigger t...

CVSS 9.3 • AI score 7.7 • EPSS 0.9857
Exploits: 33

Added 2021/06/26 5:42 p.m. • 83 views

WordPress wpDiscuz Unauthenticated File Upload Vulnerability

This module exploits an arbitrary file upload in the WordPress wpDiscuz plugin versions = 7.0.0 and use exploit/unix/webapp/wpwpdiscuzunauthenticatedfileupload msf exploitwpwpdiscuzunauthenticatedfileupload show targets ...targets... msf exploitwpwpdiscuzunauthenticatedfileupload set TARGET msf...

CVSS 10 • AI score 9.5 • EPSS 0.94616
Exploits: 19

Added 2021/06/24 5:43 p.m. • 78 views

rConfig Vendors Auth File Upload RCE

This module allows an attacker with a privileged rConfig account to start a reverse shell due to an arbitrary file upload vulnerability in /lib/crud/vendors.crud.php. Then, the uploaded payload can be triggered by a call to images/vendor/.php Module Options msf use...

CVSS 8.8 • AI score 7.1 • EPSS 0.05009
Exploits: 2

Added 2021/06/24 5:43 p.m. • 84 views

Cisco DCNM auth bypass

This exploit is able to add an admin account to a Cisco DCNM with credentials you can choose. After that, you can log in to the web interface with those credentials. The only necessary condition is the more or less recent connection of an admin, as this exploit uses a kind of session stealing. Modu...

CVSS 10 • AI score 9.3 • EPSS 0.85649
Exploits: 7

Added 2021/06/18 5:42 p.m. • 54 views

Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)

This module exploits an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform's /upload endpoint to upload and execute a payload as the Tomcat user. Module Options msf use exploit/linux/http/ciscohyperflexfileuploadrce msf exploitciscohyperflexfileuploadrce show targets...

CVSS 5.3 • AI score 5.6 • EPSS 0.80426
Exploits: 5

Added 2021/06/16 5:43 p.m. • 205 views

Microsoft SharePoint Unsafe Control and ViewState RCE

The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content. This module will leak the ViewState validation key and then use it to sign a crafted object that will...

CVSS 8.8 • AI score 8.4 • EPSS 0.30045
Exploits: 5

Added 2021/06/15 5:50 p.m. • 59 views

HashiCorp Nomad Remote Command Execution

Create a batch job on HashiCorp's Nomad service to spawn a shell. The default option is to use the 'raw_exec' driver, which runs with high privileges. Development servers and clients explicitly enabling the 'raw_exec' plugin can spawn these types of jobs. Regular 'exec' jobs can be created in a...

AI score 7
Exploits: 0

Added 2021/06/15 5:50 p.m. • 46 views

IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE

This module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user. Module Options msf use exploit/linux/http/ipfirepakfireexec msf...

CVSS 9 • AI score 9.1 • EPSS 0.58725
Exploits: 6

Added 2021/06/13 5:55 p.m. • 151 views

Emby Version Scanner

This module attempts to identify the version of an Emby Media Server running on a host. If you wish to see all the information available, set VERBOSE to true. Use in conjunction with embyssrfscanner to locate devices vulnerable to CVE-2020-26948. Module Options msf use...

CVSS 9.8 • AI score 8.9 • EPSS 0.87154
Exploits: 4

Added 2021/06/13 5:55 p.m. • 90 views

Emby SSRF HTTP Scanner

Generates a GET request to the provided web servers and executes an SSRF against the targeted EMBY server. Returns the server header, HTML title attribute and location header if set. This is useful for rapidly identifying web applications on the internal network using the Emby SSRF vulnerability...

CVSS 9.8 • AI score 9 • EPSS 0.87154
Exploits: 4

Added 2021/06/09 5:43 p.m. • 104 views

NSClient++ 0.5.2.35 - ExternalScripts Authenticated Remote Code Execution

This module allows an attacker with knowledge of the admin password of NSClient++ to start a privileged shell. For this module to work, both the web interface of NSClient++ and the ExternalScripts feature should be enabled. Module Options msf use exploit/windows/http/nscpauthenticatedrce msf...

CVSS 7.8 • AI score 6.8 • EPSS 0.01277
Exploits: 2

Added 2021/06/04 5:42 p.m. • 108 views

Cisco HyperFlex HX Data Platform Command Execution

This module exploits an unauthenticated command injection in Cisco HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell commands as the Tomcat user. Module Options msf use exploit/linux/http/ciscohyperflexhxdataplatformcmdexec msf exploitciscohyperflexhxdataplatformcmdexec show...

CVSS 10 • AI score 9.9 • EPSS 0.99999
Exploits: 6

Added 2021/06/03 5:43 p.m. • 90 views

SuiteCRM Log File Remote Code Execution

This module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a PHP file. The log file can then be populated with PHP code by changing the username of a...

CVSS 9 • AI score 8.5 • EPSS 0.64094
Exploits: 12

Added 2021/06/01 5:42 p.m. • 95 views

Cacti color filter authenticated SQLi to RCE

This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, an...

CVSS 7.2 • AI score 8.6 • EPSS 0.8633
Exploits: 9

Added 2021/05/26 5:42 p.m. • 94 views

Git Ignore Retriever

This module finds potentially sensitive items by finding .gitignore files. Module Options msf use post/osx/gather/gitignore msf postgitignore show actions ...actions... msf postgitignore set ACTION msf postgitignore show options ...show and set options... msf postgitignore run class...

AI score 7
Exploits: 0

Added 2021/05/21 5:43 p.m. • 452 views

SMBv3 Compression Buffer Overflow

A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This remote exploit implementation leverages this flaw to execute code in the context of the kernel, finally yielding a session as NT AUTHORITY\SYSTE...

CVSS 10 • AI score 8.9 • EPSS 0.9981
Exploits: 124

Total number of security vulnerabilities: 6845