Lucene search

6845 matches found

Metasploit
•added 2021/02/23 5:41 p.m.•61 views

Apache Flink JAR Upload Java Code Execution

This module uses job functionality in Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu...

AI score 7.8
Exploits: 0
Metasploit
•added 2021/02/23 5:41 p.m.•55 views

Apache Flink JobManager Traversal

This module exploits an unauthenticated directory traversal vulnerability in Apache Flink versions 1.11.0 use auxiliary/scanner/http/apacheflinkjobmanagertraversal msf auxiliaryapacheflinkjobmanagertraversal show actions ...actions... msf auxiliaryapacheflinkjobmanagertraversal set ACTION msf...

CVSS 9.1, AI score 7.8, EPSS 0.97856
Exploits: 14
Metasploit
•added 2021/02/18 5:42 p.m.•101 views

WordPress ChopSlider3 id SQLi Scanner

The iDangero.us Chop Slider 3 WordPress plugin version 3.4 and prior contains a blind SQL injection in the id parameter of the get_script/index.php page. The injection is passed through GET parameters, and thus must be encoded, and magic_quotes is applied at the server. Module Options msf use...

CVSS 9.8, AI score 9.5, EPSS 0.95657
Exploits: 8
Metasploit
•added 2021/02/15 5:42 p.m.•39 views

Micro Focus Operations Bridge Manager / Reporter Local Privilege Escalation

This module exploits an incorrectly permissioned folder in Micro Focus Operations Bridge Manager and Operations Bridge Reporter. An unprivileged user such as Guest can drop a JSP file in an exploded WAR directory and then access it without authentication by making a request to the OBM / OBR serve...

CVSS 7.8, AI score 7.9, EPSS 0.02687
Exploits: 3
Metasploit
•added 2021/02/15 5:42 p.m.•89 views

D-Link Central WiFiManager SQL injection

This module exploits a SQLi vulnerability found in D-Link Central WiFi Manager CWM100 before v1.03R0100BETA6. The vulnerability is an exposed API endpoint that allows the execution of SQL queries without authentication. Using this vulnerability, it's possible to retrieve usernames and password...

CVSS 9.8, AI score 9.8, EPSS 0.68019
Exploits: 2
Metasploit
•added 2021/02/13 5:42 p.m.•87 views

Klog Server authenticate.php user Unauthenticated Command Injection

This module exploits an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and prior. The authenticate.php file uses the user HTTP POST parameter in a call to the shell_exec PHP function without appropriate input validation, allowing arbitrary command execution as the...

CVSS 10, AI score 9.9, EPSS 0.87987
Exploits: 8
Metasploit
•added 2021/02/10 5:41 p.m.•60 views

Micro Focus Operations Bridge Manager Authenticated Remote Code Execution

This module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management Automation. However this module was on...

CVSS 8.8, AI score 9.2, EPSS 0.7699
Exploits: 6
Metasploit
•added 2021/02/04 5:42 p.m.•163 views

Sudo Heap-Based Buffer Overflow

A heap-based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects versions 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations...

CVSS 7.8, AI score 7.9, EPSS 0.99305
Exploits: 81
Metasploit
•added 2021/02/04 5:42 p.m.•171 views

Abandoned Cart for WooCommerce SQLi Scanner

Abandoned Cart, a plugin for WordPress which extends the WooCommerce plugin, prior to 5.8.2 is affected by an unauthenticated SQL injection via the billing_first_name parameter of the save_data AJAX call. A valid wp_woocommerce_session cookie is required, which has at least one item in the cart. Modul...

CVSS 9.3, AI score 8.1, EPSS 0.00662
Exploits: 1
Metasploit
•added 2021/01/29 5:42 p.m.•54 views

OneDrive Sync Provider Enumeration Module

This module will identify the Office 365 OneDrive endpoints for both business and personal accounts across all users providing access is permitted. It is useful for identifying document libraries that may otherwise not be obvious which could contain sensitive or useful information. Module Options...

AI score 7
Exploits: 0
Metasploit
•added 2021/01/28 5:41 p.m.•90 views

PRTG Network Monitor Authenticated RCE

Notifications can be created by an authenticated user and can execute scripts when triggered. Because the script name is poorly validated, it is possible to chain it with a user-supplied command, allowing command execution in the context of a privileged user. The module uses provided...

CVSS 9, AI score 7.3, EPSS 0.87173
Exploits: 12
Metasploit
•added 2021/01/27 5:42 p.m.•55 views

Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution

This module exploits two vulnerabilities that, when chained, allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. UCMDB as included in versions 2020.05 and below of Operations Bridge Manager is affected, but this module can probably also be used to exploit...

CVSS 10, AI score 9.6, EPSS 0.7699
Exploits: 6
Metasploit
•added 2021/01/26 5:42 p.m.•176 views

FannyBMP or DementiaWheel Detection Registry Check

This module searches for registry keys related to the Fanny.bmp worm. Fanny.bmp is a worm that exploited zero-day vulnerabilities, more specifically the LNK exploit (CVE-2010-2568), which allowed it to spread even if USB Autorun was turned off. This is the same exploit that was used in Stuxnet. Module Options msf use...

CVSS 9.3, AI score 7.5, EPSS 0.91324
Exploits: 13
Metasploit
•added 2021/01/25 5:42 p.m.•39 views

PEAR Archive_Tar 1.4.10 Arbitrary File Write

This module takes advantages of ArchiveTar use exploit/multi/fileformat/archivetararbfilewrite msf exploitarchivetararbfilewrite show targets ...targets... msf exploitarchivetararbfilewrite set TARGET msf exploitarchivetararbfilewrite show options ...show and set options... msf...

CVSS 7.8, AI score 8, EPSS 0.84554
Exploits: 4
Metasploit
•added 2021/01/23 5:41 p.m.•111 views

MobileIron MDM Hessian-Based Java Deserialization RCE

This module exploits an ACL bypass in MobileIron MDM products to execute a Groovy gadget against a Hessian-based Java deserialization endpoint. Module Options msf use exploit/linux/http/mobileironmdmhessianrce msf exploitmobileironmdmhessianrce show targets ...targets... msf...

CVSS 9.8, AI score 9.4, EPSS 0.99737
Exploits: 4
Metasploit
•added 2021/01/16 5:41 p.m.•130 views

Microsoft Spooler Local Privilege Elevation Vulnerability

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds...

CVSS 7.8, AI score 7.9, EPSS 0.14179
Exploits: 10
Metasploit
•added 2021/01/12 5:42 p.m.•174 views

CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP

The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx and FltCreateFileEx2 within its HsmpOpCreatePlaceholders function with attacker-controlled input. Th...

CVSS 7.8, AI score 8, EPSS 0.13958
Exploits: 4
Metasploit
•added 2021/01/12 5:42 p.m.•71 views

WordPress AIT CSV Import Export Unauthenticated Remote Code Execution

The AIT CSV Import/Export plugin use exploit/multi/http/wpaitcsvrce msf exploitwpaitcsvrce show targets ...targets... msf exploitwpaitcsvrce set TARGET msf exploitwpaitcsvrce show options ...show and set options... msf exploitwpaitcsvrce exploit This module requires Metasploit:...

CVSS 9.8, AI score 7.8, EPSS 0.04655
Exploits: 2
Metasploit
•added 2021/01/08 5:42 p.m.•47 views

Windows Manage Volume Shadow Copies

This module will perform management actions for Volume Shadow Copies on the system. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later. Module Options msf use post/windows/manage/vss msf postvss show actions ...actions... msf postvss set...

AI score 7.2
Exploits: 0
Metasploit
•added 2021/01/06 5:41 p.m.•227 views

SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.

This module exploits BITS behavior, which tries to connect to the local Windows Remote Management server (WinRM) every time it starts. The module launches a fake WinRM server which listens on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the rogue WinRM server, which allo...

AI score 7.3
Exploits: 0
Metasploit
•added 2021/01/06 5:41 p.m.•90 views

WordPress Total Upkeep Unauthenticated Backup Downloader

This module exploits an unauthenticated database backup vulnerability in WordPress plugin 'Boldgrid-Backup' also known as 'Total Upkeep' version use auxiliary/scanner/http/wptotalupkeepdownloader msf auxiliarywptotalupkeepdownloader show actions ...actions... msf auxiliarywptotalupkeepdownloader...

CVSS 7.5, AI score 6.9, EPSS 0.01095
Exploits: 2
Metasploit
•added 2021/01/05 5:42 p.m.•38 views

SpamTitan Unauthenticated RCE

TitanHQ SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malware. This module exploits improper input sanitization in versions 7.01, 7.02, 7.03 and 7.07 to inject command directives into the SNMP configuration file and get remote code execution as root. No...

CVSS 10, AI score 9.8, EPSS 0.73668
Exploits: 5
Metasploit
•added 2020/12/24 5:41 p.m.•88 views

Apache Struts 2 Forced Multi OGNL Evaluation

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tag attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, thi...

CVSS 9.8, AI score 8.2, EPSS 0.97399
Exploits: 23
Metasploit
•added 2020/12/22 5:41 p.m.•33 views

Shodan Host Port

This module uses the shodan API to return all port information found on a given host IP. Module Options msf use auxiliary/gather/shodanhost msf auxiliaryshodanhost show actions ...actions... msf auxiliaryshodanhost set ACTION msf auxiliaryshodanhost show options ...show and set options... msf...

AI score 6.8
Exploits: 0
Metasploit
•added 2020/12/19 5:41 p.m.•50 views

WordPress Duplicator File Read Vulnerability

This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'Duplicator' version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered. Module Options msf use...

CVSS 7.5, AI score 7.8, EPSS 0.97822
Exploits: 11
Metasploit
•added 2020/12/19 5:41 p.m.•150 views

WordPress Easy WP SMTP Password Reset

Wordpress plugin Easy WP SMTP versions use auxiliary/scanner/http/wpeasywpsmtp msf auxiliarywpeasywpsmtp show actions ...actions... msf auxiliarywpeasywpsmtp set ACTION msf auxiliarywpeasywpsmtp show options ...show and set options... msf auxiliarywpeasywpsmtp run This module requires Metasploit:...

CVSS 7.5, AI score 7.6, EPSS 0.63407
Exploits: 3
Metasploit
•added 2020/12/18 5:41 p.m.•111 views

Pulse Secure VPN gzip RCE

The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. Admin credentials are required for successful exploitation. Of note, MANY binaries are not ...

CVSS 7.2, AI score 8.2, EPSS 0.9648
Exploits: 4
Metasploit
•added 2020/12/17 5:41 p.m.•109 views

Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow

This module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 x86 in VirtualBox, VMware Fusion, and VMware...

CVSS 10, AI score 9.7, EPSS 0.80291
Exploits: 13
Metasploit
•added 2020/12/15 5:41 p.m.•113 views

Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation

This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx within win32k. The out of bounds write can be used to overwrite the pvbits of a SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code executio...

CVSS 7.8, AI score 7.9, EPSS 0.52778
Exploits: 5
Metasploit
•added 2020/12/10 5:41 p.m.•95 views

GitLab File Read Remote Code Execution

This module provides remote code execution against GitLab Community Edition (CE) and Enterprise Edition (EE). It combines an arbitrary file read to extract the Rails "secret_key_base", and gains remote code execution with a deserialization vulnerability of a signed 'experimentation_subject_id' cookie tha...

CVSS 5.5, AI score 6.2, EPSS 0.42741
Exploits: 10
Metasploit
•added 2020/12/10 5:41 p.m.•655 views

Aerospike Database UDF Lua Code Execution

Aerospike Database versions before 5.1.0.3 permitted user-defined functions (UDF) to call the os.execute Lua function. This module creates a UDF utilising this function to execute arbitrary operating system commands with the privileges of the user running the Aerospike service. This module does not...

CVSS 10, AI score 8.3, EPSS 0.86749
Exploits: 8
Metasploit
•added 2020/12/09 5:41 p.m.•119 views

WordPress Email Subscribers and Newsletter Hash SQLi Scanner

Email Subscribers & Newsletters plugin contains an unauthenticated timebased SQL injection in versions before 4.3.1. The hash parameter is vulnerable to injection. Module Options msf use auxiliary/scanner/http/wpemailsubnewssqli msf auxiliarywpemailsubnewssqli show actions ...actions... msf...

CVSS 9.8, AI score 8.7, EPSS 0.8511
Exploits: 7
Metasploit
•added 2020/12/08 5:41 p.m.•35 views

FlexDotnetCMS Arbitrary ASP File Upload

This module exploits an arbitrary file upload vulnerability in FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary commands with elevated privileges. The module first tries to authenticate to FlexDotnetCMS via an HTTP POST request to /login. It then attempts to upload a random TXT file a...

CVSS 8.8, AI score 8.7, EPSS 0.72872
Exploits: 3
Metasploit
•added 2020/12/04 5:41 p.m.•415 views

Windows Pulse Secure Connect Client Saved Password Extractor

This module extracts and decrypts saved Pulse Secure Connect Client passwords from the Windows Registry. This module can only access credentials created by the user that the Meterpreter session is running as. Note that this module cannot link the password to a username unless the Meterpreter...

CVSS 3.8, AI score 4.9, EPSS 0.01177
Exploits: 1
Metasploit
•added 2020/12/03 5:41 p.m.•294 views

Avast AV Memory Dumping Utility

This module leverages an Avast Anti-Virus memory dump utility that is shipped by default with Avast Anti-Virus Home software suite. Module Options msf use post/windows/gather/avastmemorydump msf postavastmemorydump show actions ...actions... msf postavastmemorydump set ACTION msf...

AI score 7.1
Exploits: 0
Metasploit
•added 2020/12/03 5:41 p.m.•46 views

WordPress Simple File List Unauthenticated Remote Code Execution

Simple File List (simple-file-list) plugin before 4.2.3 for WordPress allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded fir...

CVSS 9.8, AI score 7.6, EPSS 0.12633
Exploits: 5
Metasploit
•added 2020/12/03 5:41 p.m.•23 views

Kong Gateway Admin API Remote Code Execution

This module uses the Kong admin API to create a route and a serverless function plugin that is associated with the route. The plugin runs Lua code and is used to run a system command using os.execute. After execution the route is deleted, which also deletes the plugin. Module Options msf use...

AI score 7.5
Exploits: 0
Metasploit
•added 2020/12/03 5:41 p.m.•411 views

Apache NiFi API Remote Code Execution

This module uses the NiFi API to create an ExecuteProcess processor that will execute OS commands. The API must be unsecured (or credentials provided), and the ExecuteProcess processor must be available. An ExecuteProcess processor is created, then configured with the payload and started. The...

AI score 7.2
Exploits: 0
Metasploit
•added 2020/12/03 5:41 p.m.•295 views

Apache Tomcat AJP File Read

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that...

CVSS 9.8, AI score 8, EPSS 0.9927
Exploits: 44
Metasploit
•added 2020/11/25 9:9 p.m.•39 views

OpenMediaVault rpc.php Authenticated PHP Code Injection

This module exploits an authenticated PHP code injection vulnerability found in openmediavault versions before 4.1.36 and 5.x versions before 5.5.12 inclusive in the "sortfield" POST parameter of the rpc.php page, because "jsonencodesafe" is not used in config/databasebackend.inc. Successful...

CVSS 9, AI score 8.5, EPSS 0.67168
Exploits: 4
Metasploit
•added 2020/11/20 5:41 p.m.•100 views

Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution

This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy...

CVSS 9, AI score 7, EPSS 0.53024
Exploits: 5
Metasploit
•added 2020/11/19 5:41 p.m.•293 views

Oracle WebLogic Server Administration Console Handle RCE

This module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0...

CVSS 10, AI score 8.8, EPSS 0.99997
Exploits: 45
Metasploit
•added 2020/11/13 5:41 p.m.•50 views

HorizontCMS Arbitrary PHP File Upload

This module exploits an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta in order to execute arbitrary commands. The module first attempts to authenticate to HorizontCMS. It then tries to upload a malicious PHP file via an HTTP POST request to /admin/file-manager/fileupload. The serv...

CVSS 8.8, AI score 9.3, EPSS 0.18461
Exploits: 4
Metasploit
•added 2020/11/12 5:41 p.m.•57 views

SaltStack Salt REST API Arbitrary Command Execution

This module exploits an authentication bypass and command injection in SaltStack Salt's REST API to execute commands as the root user. The following versions have received a patch: 2015.8.10, 2015.8.13, 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10, 2017.7.4, 2017.7.8, 2018.3.5,...

CVSS 9.8, AI score 10, EPSS 0.99585
Exploits: 5
Metasploit
•added 2020/11/10 5:41 p.m.•82 views

Rapid7 Metasploit Framework msfvenom APK Template Command Injection

This module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affects Metasploit Framework -x Module Options msf use exploit/unix/fileformat/metasploitmsfvenomapktemplatecmdinjection msf...

CVSS 9.3, AI score 7.8, EPSS 0.30562
Exploits: 8
Metasploit
•added 2020/11/10 5:41 p.m.•287 views

WordPress File Manager Unauthenticated Remote Code Execution

The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload or mkfile...

CVSS 10, AI score 9.9, EPSS 0.97328
Exploits: 14
Metasploit
•added 2020/11/10 5:41 p.m.•59 views

Apache ZooKeeper Information Disclosure

Apache ZooKeeper server service runs on TCP 2181 and by default, it is accessible without any authentication. This module targets Apache ZooKeeper service instances to extract information about the system environment, and service statistics. Module Options msf use...

AI score 6.8
Exploits: 0
Metasploit
•added 2020/11/05 5:41 p.m.•132 views

WordPress Loginizer log SQLi Scanner

Loginizer WordPress plugin contains an unauthenticated time-based SQL injection in versions before 1.6.4. The vulnerability is in the log parameter. WordPress has forced updates of the plugin to all servers. Module Options msf use auxiliary/scanner/http/wploginizerlogsqli msf...

CVSS 9.8, AI score 9.7, EPSS 0.53619
Exploits: 4
Metasploit
•added 2020/11/05 5:41 p.m.•190 views

Mikrotik Winbox Arbitrary File Read

MikroTik RouterOS bugfix 6.30.1-6.40.7, current 6.29-6.42, RC 6.29rc1-6.43rc3 allows unauthenticated remote attackers to read arbitrary files via a directory traversal in the WinBox interface (typically port 8291). Module Options msf use auxiliary/gather/mikrotikwinboxfileread msf...

CVSS 9.1, AI score 7.1, EPSS 0.96087
Exploits: 23
Metasploit
•added 2020/10/21 5:41 p.m.•175 views

Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization

This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw...

CVSS 9.8, AI score 8.4, EPSS 0.99737
Exploits: 19
Total number of security vulnerabilities: 6845