File Sharing Wizard - POST SEH Overflow
This module exploits an unauthenticated HTTP POST SEH-based buffer overflow in File Sharing Wizard 1.5.0. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'File Sharing Wizard - POST SEH Overflow...
Micro Focus (HPE) Data Protector SUID Privilege Escalation
This module exploits the trusted $PATH environment variable of the SUID binary omniresolve in Micro Focus HPE Data Protector A.10.40 and prior. The omniresolve executable calls the oracleasm binary using a relative path and the trusted environment $PATH, which allows an attacker to execute a cust...
Windows Silent Process Exit Persistence
Windows allows you to set up a debug process when a process exits. This module uploads a payload and declares that it is the debug process to launch when a specified process exits. This module requires Metasploit: https://metasploit.com/download Current source:...
DOUBLEPULSAR Payload Execution and Neutralization
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant...
Chrome Debugger Arbitrary File Read / Arbitrary Web Request
This module uses the Chrome Debugger's API to read files off the remote file system, or to make web requests from a remote machine. Useful for cloud metadata endpoints! This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
The RDP termdd.sys driver improperly handles binds to internal-only channel MST120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve...
Mazda 2 Instrument Cluster Accelerometer Mover
This module moves the needle of the accelerometer and speedometer of the Mazda 2 instrument cluster. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mazda 2 Instrument Cluster Accelerometer...
Generic Zip Slip Traversal Vulnerability
This is a generic arbitrary file overwrite technique, which typically results in remote command execution. This targets a simple yet widespread vulnerability that has been seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc. The idea is that often archive...
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before...
Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool is run with the "autoElevate" property set to true, however it can be moved to a new Windows directory containing a space C:\Windows \System32\ where, upon execution, it will load our payload dll propsys.dll. This...
Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
This module exploits a flaw in the WSReset.exe file associated with the Windows Store. This binary has autoelevate privs, and it will run a binary file contained in a low-privilege registry location. By placing a link to the binary in the registry location, WSReset.exe will launch the binary as a...
OpenEMR 5.0.1 Patch 6 SQLi Dump
This module exploits a SQLi vulnerability found in OpenEMR version 5.0.1 Patch 6 and lower. The vulnerability allows the contents of the entire database with exception of log and task tables to be extracted. This module saves each table as a .csv file in your loot directory and has been tested wi...
October CMS Upload Protection Bypass Code Execution
An authenticated user with permission to upload and manage media contents can upload various files to the server. The application prevents the user from uploading PHP code by checking the file extension. It uses a blacklist-based approach, as seen in...
Cisco UCS Director default scpuser password
This module abuses a known default password on Cisco UCS Director. The 'scpuser' has the password of 'scpuser', and allows an attacker to login to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in...
Cisco UCS Director Unauthenticated Remote Code Execution
The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one,...
Android Janus APK Signature bypass
This module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fix...
Ubiquiti airOS Arbitrary File Upload
This module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/passwd and /etc/dropbear/authorized_keys will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "m...
Pulse Secure VPN Arbitrary File Disclosure
This module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the "Automatic" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the...
Webmin password_change.cgi Backdoor
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site. Unknown attackers inserted Perl qx statements into the build server's source code on two separate occasions: onc...
ktsuss suid Privilege Escalation
This module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior. The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges. This module has been test...
LibreNMS Collectd Command Injection
This module exploits a command injection vulnerability in the Collectd graphing functionality in LibreNMS. The to and from parameters used to define the range for a graph are sanitized using the mysqli_escape_real_string function, which permits backticks. These parameters are used as part of a shell...
Applocker Evasion - Microsoft Workflow Compiler
This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binaries Microsoft.Workflow.Compiler.exe to execute user supplied code. This module requires Metasploit: https://metasploit.com/download Current sourc...
Applocker Evasion - Microsoft .NET Assembly Registration Utility
This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binaries RegAsm.exe or RegSvcs.exe to execute user supplied code. This module requires Metasploit: https://metasploit.com/download Current source:...
Applocker Evasion - Windows Presentation Foundation Host
This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binary PresentationHost.exe to execute user supplied code. This module requires Metasploit: https://metasploit.com/download Current source:...
Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth
This module generates a remember-me cookie for a valid username. Through improper seeding while user data are requested from LDAP or OAuth, it is possible to craft a valid remember-me cookie. This cookie can be used to bypass authentication by anyone who knows a valid username. #!/usr/bin/env...
LibreOffice Macro Python Code Execution
LibreOffice comes bundled with sample macros written in Python and allows program events to be bound to them. LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE. This module generates an ODT file with a dom loaded event that, when triggered, will...
Nagios XI Enumeration
NagiosXI may store credentials of the hosts it monitors. This module extracts these credentials, creating opportunities for lateral movement. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The...
Applocker Evasion - MSBuild
This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binary MSBuild.exe to execute user supplied code. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows x86 Pingback, Bind TCP Inline
Open a socket and report UUID when a connection is received Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 314 include Msf::Payload::Windows include Msf::Payload::Sing...
Windows x86 Pingback, Reverse TCP Inline
Connect back to attacker and report UUID Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 307 include Msf::Payload::Windows include Msf::Payload::Single include...
Unix Command Shell, Pingback Reverse TCP (via netcat)
Creates a socket, sends a UUID, then exits. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 99 include Msf::Payload::Single include Msf::Payload::Pingback include...
Ruby Pingback, Bind TCP
Listens for a connection from the attacker, sends a UUID, then terminates. module MetasploitModule CachedSize = 103 include Msf::Payload::Single include Msf::Payload::Ruby include Msf::Payload::Pingback include Msf::Payload::Pingback::Options def initialize(info = {}) super(merge_info(info, 'Name' => 'Ruby...
Ruby Pingback, Reverse TCP
Connects back to the attacker, sends a UUID, then terminates. module MetasploitModule CachedSize = 100 include Msf::Payload::Single include Msf::Payload::Ruby include Msf::Payload::Pingback include Msf::Payload::Pingback::Options def initialize(info = {}) super(merge_info(info, 'Name' => 'Ruby Pingback,...
Python Pingback, Reverse TCP (via python)
Connects back to the attacker, sends a UUID, then terminates. module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Python include Msf::Payload::Pingback include Msf::Payload::Pingback::Options def initialize(info = {}) super(merge_info(info, 'Name' => 'Python...
Unix Command Shell, Pingback Bind TCP (via netcat)
Accept a connection, send a UUID, then exit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 103 include Msf::Payload::Single include Msf::Payload::Pingback include...
Linux x64 Pingback, Reverse TCP Inline
Connect back to attacker and report UUID Linux x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 125 include Msf::Payload::Linux::X64::Prepends include Msf::Payload::Single inclu...
Linux x64 Pingback, Bind TCP Inline
Accept a connection from attacker and report UUID Linux x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 109 include Msf::Payload::Linux::X64::Prepends include...
Windows x64 Pingback, Reverse TCP Inline
Connect back to attacker and report UUID Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 425 include Msf::Payload::Windows include Msf::Payload::Single include...
Python Pingback, Bind TCP (via python)
Listens for a connection from the attacker, sends a UUID, then terminates. module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Python include Msf::Payload::Pingback include Msf::Payload::Pingback::Options def initialize(info = {}) super(merge_info(info, 'Name' ...
OS X Manage Sonic Pi
This module controls Sonic Pi via its local OSC server. The server runs on 127.0.0.1:4557 and receives OSC messages over UDP. Yes, this is RCE, but it's local. I suggest playing music. This module requires Metasploit: https://metasploit.com/download Current source:...
Redis Unauthenticated Code Execution
This module can be used to leverage the extension functionality added by Redis 4.x and 5.x to execute arbitrary code. To transmit the given extension it makes use of the Redis replication feature between master and slave...
Brocade Configuration Importer
This module imports a Brocade device configuration.
DotNetNuke Cookie Deserialization Remote Code Execution
This module exploits a deserialization vulnerability in DotNetNuke DNN versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to...
Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload
This module exploits an authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. To successfully execute the upload, credentials are needed; by default, trial accounts are enabled on Ahsay Backup, so an account can be created. It can be exploited in Windows and Linux...
Cisco Data Center Network Manager Unauthenticated Remote Code Execution
DCNM exposes a file upload servlet FileUploadServlet at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication...
Schneider Electric Pelco Endura NET55XX Encoder
This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. This module has been tested successfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions. This module requires Metasploit:...
Windows NtUserSetWindowFNID Win32k User Callback
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Serv...
Cisco Configuration Importer
This module imports a Cisco IOS or NXOS device configuration.
Juniper Configuration Importer
This module imports a Juniper ScreenOS or JunOS device configuration...