Windows Privilege Escalation via TokenMagic (UAC Bypass)
This module leverages a UAC bypass (TokenMagic) in order to spawn a process/conduct a DLL hijacking attack to gain SYSTEM-level privileges. Windows 7 through Windows 10 1803 are affected. Module: exploit/windows/local/tokenmagic
Dell DBUtil_2_3.sys IOCTL memmove
The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker to read and write kernel-mode memory. Module: exploit/windows/local/cve202121551dbutilmemmove
ExifTool DjVu ANT Perl injection
This module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field. ...
macOS Gatekeeper check bypass
This module exploits two CVEs that bypass Gatekeeper. For CVE-2021-30657, this module serves an OSX app as a zip that contains no Info.plist, which bypasses Gatekeeper in macOS ... Module: exploit/osx/browser/osxgatekeeperbypass
UNIX Gather Kerberos Tickets
Post module to obtain all Kerberos tickets on the targeted UNIX machine. Module: post/multi/gather/unixkerberostickets
UNIX Gather Cached AD Hashes
Post module to obtain all cached AD hashes on the targeted UNIX machine. These can be cracked with John the Ripper (JtR). Module: post/multi/gather/unixcachedadhashes
GravCMS Remote Command Execution
This module exploits an arbitrary config write/update vulnerability to achieve remote code execution. Unauthenticated users can execute a terminal command under the context of the web server user. Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify...
Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE
This module exploits an issue in the V8 engine on x86_64 builds of Google Chrome before 89.0.4389.128/90.0.4430.72 when handling XOR operations in JIT'd JavaScript code. Successful exploitation allows an attacker to execute arbitrary code within the context of the V8 process. As the V8 process is...
IGEL OS Secure VNC/Terminal Command Injection RCE
This module exploits a command injection vulnerability in the IGEL OS Secure Terminal and Secure Shadow services. Both the Secure Terminal (telnetsslconnector, 30022/tcp) and Secure Shadow (vncsslconnector, 5900/tcp) services are vulnerable. Module: exploit/linux/misc/igelcommandinjection
Micro Focus Operations Bridge Reporter Unauthenticated Command Injection
This module exploits a command injection vulnerability on login (yes, you read that right) that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It's a straight-up command injection, with little escaping required, and it works before authentication. This module has...
Micro Focus Operations Bridge Reporter shrboadmin default password
This module abuses a known default password on Micro Focus Operations Bridge Reporter. The 'shrboadmin' user, installed by default by the product, has the password 'shrboadmin', which allows an attacker to log in to the server via SSH. This module has been tested with Micro Focus Operations Bridge...
Redis Extractor
This module connects to a Redis instance and retrieves the keys and data stored. Module: auxiliary/gather/redisextractor
VMware vRealize Operations (vROps) Manager SSRF RCE
This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the...
Apache Druid 0.20.0 Remote Command Execution
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to 0.20.1, an authenticated user can send a specially-crafted request that both enables the JavaScript...
Microsoft RDP Web Client Login Enumeration
Enumerate valid usernames and passwords against a Microsoft RDP Web Client by attempting authentication and performing a timing-based check against the provided username. Module: auxiliary/scanner/http/rdpweblogin
KOFFEE - Kia OFFensivE Exploit
This module exploits CVE-2020-8539, an arbitrary code execution vulnerability that allows an attacker to execute the micomd binary file on the head unit of Kia Motors vehicles. This module has been tested on the SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software versions. Th...
Cockpit CMS NoSQLi to RCE
This module exploits two NoSQLi vulnerabilities to retrieve the user list and password reset tokens from the system. Next, the USER is targeted to reset their password. Then a command injection vulnerability is used to execute the payload. While it is possible to upload a payload and execute it...
Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Execution
This module exploits an OS command injection vulnerability in includes/components/nxti/index.php that enables an authenticated user with admin privileges to achieve remote code execution as the apache user. The module uploads a simple PHP shell via includes/components/nxti/index.php to...
Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Execution
This module exploits CVE-2020-5791, an OS command injection vulnerability in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user on Nagios XI versions 5.6.0 to 5.7.3 inclusive (exact user depends on t...
Citrix ADC (NetScaler) Directory Traversal RCE
This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload. Module: exploit/freebsd/http/citrixdirtraversalrce
Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Execution
This module exploits a command injection vulnerability (CVE-2020-35578) in the /admin/monitoringplugins.php page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the apache user by uploading a...
Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
This module exploits a vulnerability in the getprofile.sh script of Nagios XI prior to 5.6.6 in order to upload a malicious checkping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0-5.4.13, the commands are run as the nagios user. For versions 5.5.0-5.6.5 the commands are run a...
Haserl Arbitrary File Reader
This module exploits haserl prior to 0.9.36 to read arbitrary files. The most widely accepted exploitation vector is reading /etc/shadow, which will reveal root's hash for cracking. Module: post/linux/gather/haserlread
Google Chrome versions before 87.0.4280.88 integer overflow during SimplifiedLowering phase
This module exploits an issue in 64-bit Google Chrome versions before 87.0.4280.88. The exploit makes use of an integer overflow in the SimplifiedLowering phase in TurboFan. It is used along with a type hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is...
Gitea Git Hooks Remote Code Execution
This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission need...
Gogs Git Hooks Remote Code Execution
This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gogs. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs...
Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server
This module retrieves the secstore.properties file on an SMDAgent. This file contains the credentials used by the SMDAgent to connect to the SAP Solution Manager server. Module: post/multi/sap/smdagentgetproperties
Apache OFBiz SOAP Java Deserialization
This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for versions prior to 17.12.06. Module: exploit/linux/http/apacheofbizdeserializationsoap
SaltStack Salt API Unauthenticated RCE through wheel_async client
This module leverages authentication bypass and directory traversal vulnerabilities in SaltStack Salt's REST API to execute commands remotely on the master as the root user. Every 60 seconds, the salt-master service performs a maintenance process check that reloads and executes all the grains on t...
F5 iControl REST Unauthenticated SSRF Token Generation RCE
This module exploits a pre-auth SSRF in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device. This vulnerability is known as CVE-2021-22986. CVE-2021-22986 affects the following...
Windows Gather Exchange Server Mailboxes
This module will gather information from an on-premise Exchange Server running on the target machine. Two actions are supported: LIST (default action): list basic information about all Exchange servers and mailboxes hosted on the target. EXPORT: export and download a chosen mailbox in the form of a...
Nagios XI Scanner
The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Alternatively, it is possible to provide...
SAP Solution Manager remote unauthorized OS commands execution
This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tcsmdagentapplicationeem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get...
SAP Solution Manager remote unauthorized OS commands execution
This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tcsmdagentapplicationeem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get...
FortiLogger Arbitrary File Upload Exploit
This module exploits an unauthenticated arbitrary file upload via an insecure POST request. It has been tested on versions ... Module: exploit/windows/http/fortiloggerarbitraryfileupload
Advantech iView Unauthenticated Remote Code Execution
This module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the...
Microsoft Exchange ProxyLogon RCE
This module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855) and to write an arbitrary file (CVE-2021-27065) to achieve remote code execution (RCE). By taking advantage of this vulnerability, you can execute...
Microsoft Exchange ProxyLogon Scanner
This module scans for a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855). This bug can be chained with another post-auth arbitrary-file-write vulnerability (CVE-2021-27065) to get code execution. As a result, a...
Microsoft Exchange ProxyLogon Collector
This module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855). By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments, contacts, ...). This vulnerabili...
Win32k ConsoleControl Offset Confusion
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This...
VMware View Planner Unauthenticated Log File Upload RCE
This module exploits an unauthenticated log file upload within the loguploadwsgi.py file of VMware View Planner 4.6 prior to 4.6 Security Patch 1. Successful exploitation will result in RCE as the apache user inside the appacheServer Docker container. ...
Windows Server 2012 SrClient DLL hijacking
All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL hijacking due to the way TiWorker.exe will try to call the non-existent SrClient.dll file when Windows Update checks for updates. This issue can be leveraged for privilege escalation if %PATH% includes directories that are...
Apache OFBiz XML-RPC Java Deserialization
This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.01 using the ROME gadget chain. Versions up to 18.12.11 are exploitable utilizing an auth bypass (CVE-2023-51467) and use the...
HPE Systems Insight Manager AMF Deserialization RCE
A remotely exploitable vulnerability exists within HPE System Insight Manager SIM version 7.6.x that can be leveraged by a remote unauthenticated attacker to execute code within the context of HPE System Insight Manager's hpsimsvc.exe process, which runs with administrative privileges. The...
VMware vCenter Server Unauthenticated OVA File Upload RCE
This module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitab...
Microsoft Windows RRAS Service MIBEntryGet Overflow
This module exploits an overflow in the Windows Routing and Remote Access Service RRAS to execute code as SYSTEM. The RRAS DCERPC endpoint is accessible to unauthenticated users via SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts; however, this module targets Windows Server...
FortiOS Path Traversal Credential Gatherer
Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 are vulnerable to a path traversal vulnerability within the SSL VPN web portal which allows unauthenticated attackers to download FortiOS system files through specially crafted HTTP requests. This module exploits this...
Process Herpaderping evasion technique
This module allows you to generate a Windows executable that evades security products such as Windows Defender, Avast, etc. It uses the Process Herpaderping technique to bypass antivirus detection. This method consists of obscuring the behavior of a running process by modifying the executable o...
Apache Flink JAR Upload Java Code Execution
This module uses job functionality in Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu...
Apache Flink JobManager Traversal
This module exploits an unauthenticated directory traversal vulnerability in Apache Flink versions 1.11.0 ... Module: auxiliary/scanner/http/apacheflinkjobmanagertraversal