6845 matches found
Windows Inject PE Files, Reverse TCP Stager (DNS)
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Reverse TCP Stager
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Find Tag Ordinal Stager
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Windows Inject PE Files, Reverse All-Port TCP Stager
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Peplink Balance routers SQLi
Firmware versions up to 7.0.0-build1904 of Peplink Balance routers are affected by an unauthenticated SQL injection vulnerability in the bauth cookie. Successful exploitation of the vulnerability allows an attacker to retrieve the cookies of authenticated users, bypassing the web portal...
LDAP Information Disclosure
This module uses an anonymous-bind LDAP connection to dump data from an LDAP server. It searches for attributes that hold user credentials, e.g. userPassword. Module Options msf > use auxiliary/gather/ldap_hashdump msf auxiliary(ldap_hashdump) > show actions ...actions... msf auxiliary(ldap_hashdump) > set ACTION msf...
Cisco 7937G Denial-of-Service Attack
This module exploits a bug in how the conference station handles incoming SSH connections that provide an incompatible key exchange. By connecting with an incompatible key exchange, the device becomes nonresponsive until it is manually power cycled. Module Options msf use...
Cisco 7937G SSH Privilege Escalation
This module exploits a feature that should not be available via the web interface. An unauthenticated user may change the credentials for SSH access to any username and password combination desired, giving access to administrative functions through an SSH connection. Module Options msf use...
Cisco 7937G Denial-of-Service Reboot Attack
This module exploits a bug in how the conference station handles executing a ping via its web interface. By repeatedly executing the ping function without clearing out the resulting output, a DoS is caused that will reset the device after a few minutes. Module Options msf use...
Arista Configuration Importer
This module imports an Arista device configuration. Module Options msf > use auxiliary/admin/networking/arista_config msf auxiliary(arista_config) > show actions ...actions... msf auxiliary(arista_config) > set ACTION msf auxiliary(arista_config) > show options ...show and set options... msf auxiliary(arista_config)...
TeamViewer Unquoted URI Handler SMB Redirect
This module exploits an unquoted parameter call within the TeamViewer URI handler to create an SMB connection to an attacker controlled IP. msf > use auxiliary/server/teamviewer_uri_smb_redirect msf auxiliary(teamviewer_uri_smb_redirect) > show actions ...actions... msf auxiliary(teamviewer_uri_smb_redire...
D-Link Central WiFi Manager CWM(100) RCE
This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100) versions below v1.03R0100BETA6. The vulnerability exists in the username cookie, which is passed to eval without being sanitized. Dangerous functions are not disabled by default, which makes it possible ...
Apache OFBiz XML-RPC Java Deserialization
This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.04. Module Options msf > use exploit/linux/http/apache_ofbiz_deserialiation msf exploit(apache_ofbiz_deserialiation) > show targets ...targets...
Geutebruck testaction.cgi Remote Command Execution
This module exploits an authenticated arbitrary command execution vulnerability within the 'server' GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions use...
Safari Webkit JIT Exploit for iOS 7.1.2
This module exploits a JIT optimization bug in Safari WebKit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel r/w, obtains root and disables code signing. Finally we download and...
vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.
This module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument. This causes the former template to load the...
Jupyter Login Utility
This module checks if authentication is required on a Jupyter Lab or Notebook server. If it is, this module will bruteforce the password. Jupyter only requires a password to authenticate; usernames are not used. This module is compatible with versions 4.3.0 (released 2016-12-08) and newer. Module...
Mikrotik Gather Device General Information
This module collects Mikrotik device information and configuration. This module has been tested against RouterOS 6.45.9. Module Options msf > use post/networking/gather/enum_mikrotik msf post(enum_mikrotik) > show actions ...actions... msf post(enum_mikrotik) > set ACTION msf post(enum_mikrotik) > show options...
Mikrotik Configuration Importer
This module imports a Mikrotik device configuration. Module Options msf > use auxiliary/admin/networking/mikrotik_config msf auxiliary(mikrotik_config) > show actions ...actions... msf auxiliary(mikrotik_config) > set ACTION msf auxiliary(mikrotik_config) > show options ...show and set options... msf...
Linux Container Enumeration
This module attempts to enumerate containers on the target machine and optionally run a command on each active container found. Currently it supports Docker, LXC and rkt. Module Options msf > use post/linux/gather/enum_containers msf post(enum_containers) > show actions ...actions... msf post(enum_containe...
Docker Privileged Container Escape
This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notify-on-release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged. Module Options msf use...
Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow
Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the us...
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller. The vulnerability occurs in the robot controller component when sending a specially crafted directory_list probe. Technically speaking the target host must also be vulnerable to CVE-2020-8010 in...
SharePoint DataSet / DataTable Deserialization
A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker to execute code within the context of the SharePoint application service. The privileges in this execution context are determined by the account that is specified when SharePoint...
FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation
This module exploits a race and use-after-free vulnerability in the FreeBSD kernel IPv6 socket handling. A missing synchronization lock in the IPV6_2292PKTOPTIONS option handling in setsockopt permits racing ip6_setpktopt access to a freed ip6_pktopts struct. This exploit overwrites the ip6po_pktinfo...
Baldr Botnet Panel Shell Upload Exploit
This module exploits an arbitrary file upload vulnerability within the Baldr stealer malware control panel when uploading victim log files which are uploaded as ZIP files. Attackers can turn this vulnerability into an RCE by first registering a new bot to the panel and then uploading a ZIP file...
Telegram Message Client
This module can be used to send a document and/or message to multiple chats on Telegram. Please refer to the module documentation for info on how to retrieve the bot token and corresponding chat ID values. Module Options msf > use auxiliary/client/telegram/send_message msf auxiliary(send_message) > show...
SAP Unauthenticated WebService User Creation
This module leverages an unauthenticated web service to submit a job which will create a user with a specified role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid unnecessary system changes. Module Options msf use...
ZenTao Pro 8.8.2 Remote Code Execution
This module exploits a command injection vulnerability in ZenTao Pro 8.8.2 and earlier versions in order to execute arbitrary commands with SYSTEM privileges. The module first attempts to authenticate to the ZenTao dashboard. It then tries to execute the payload by submitting fake repositories vi...
Pandora FMS Events Remote Command Execution
This module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 and perhaps older versions in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the Events feature of Pandora FMS. This flaw...
F5 BIG-IP TMUI Directory Traversal and File Upload RCE
This module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMSH). The escape may not be reliable, and you may have ...
Netgear R6700v3 Unauthenticated LAN Admin Password Reset
This module targets ZDI-20-704 aka CVE-2020-10924, a buffer overflow vulnerability in the UPNP daemon /usr/sbin/upnpd, on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset the password for the 'admin' user back to its factory default of...
Directory Traversal in Spring Cloud Config Server
This module exploits an unauthenticated directory traversal vulnerability which exists in Spring Cloud Config versions 2.2.x prior to 2.2.3 and 2.1.x prior to 2.1.9, and older unsupported versions. Spring Cloud Config listens by default on port 8888. This module requires Metasploit:...
openSIS Unauthenticated PHP Code Execution
This module exploits multiple vulnerabilities in openSIS 7.4 and prior versions which could be abused by unauthenticated attackers to execute arbitrary PHP code with the permissions of the webserver. The exploit chain abuses an incorrect access control issue which allows access to scripts which...
Bolt CMS 3.7.0 - Authenticated Remote Code Execution
This module exploits multiple vulnerabilities in Bolt CMS version 3.7.0 and 3.6. in order to execute arbitrary commands as the user running Bolt. This module first takes advantage of a vulnerability that allows an authenticated user to change the username in /bolt/profile to a PHP system($_GET[""...
FortiMail Unauthenticated Login Bypass Scanner
This module attempts to detect instances of FortiMail vulnerable against an unauthenticated login bypass (CVE-2020-9294). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Cisco Data Center Network Manager Unauthenticated File Download
DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This module was tested on the DCNM Linux virtual appliance 10.42, 11.01 and 11.11, and should work on a few...
Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access
This module tests for a logic vulnerability in the Cisco VPN Concentrator 3000 series. It is possible to execute some FTP statements without authentication (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs when working with CWD commands. This module simply creates an...
Cisco Secure ACS Unauthorized Password Change
This module exploits an authentication bypass issue which allows arbitrary password change requests to be issued for any user in the local store. Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well as version 5.2 with either no patches or patches 1 and 2 are vulnerable. Th...
Cisco ASA Authentication Bypass (EXTRABACON)
This module patches the authentication functions of a Cisco ASA to allow uncredentialed logins. Uses improved shellcode for payload. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Cisco Configuration Importer
This module imports a Cisco IOS or NXOS device configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Ubiquiti Configuration Importer
This module imports a Ubiquiti device configuration. The db file within the .unf backup is the data file for UniFi. This module can take either the db file or the .unf backup. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Brocade Configuration Importer
This module imports a Brocade device configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Juniper Configuration Importer
This module imports a Juniper ScreenOS or JunOS device configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Cisco Gather Device General Information
This module collects Cisco IOS or NXOS device information and configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...