PHP Laravel Framework token Unserialize Remote Command Execution
This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command...
Cisco Data Center Network Manager Unauthenticated File Download
DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This module was tested on the DCNM Linux virtual appliance 10.42, 11.01 and 11.11, and should work on a few...
Exim 4.87 - 4.91 Local Privilege Escalation
This module exploits a flaw in Exim versions 4.87 to 4.91 inclusive. Improper validation of the recipient address in the deliver_message function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). This module requires Metasploit: https://metasploit.com/download Current...
Xymon useradm Command Execution
This module exploits a command injection vulnerability in Xymon versions before 4.3.25 which allows authenticated users to execute arbitrary operating system commands as the web server user. When adding a new user to the system via the web interface with useradm.sh, the user's username and passwo...
Hostname-based Context Keyed Payload Encoder
Context-Keyed Payload Encoder based on hostname and x64 XOR encoder. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Xymon Daemon Gather Information
This module retrieves information from a Xymon daemon service (formerly Hobbit, based on Big Brother), including server configuration information, a list of monitored hosts, and the associated client log for each host. This module also retrieves usernames and password hashes from the xymonpasswd config...
Serv-U FTP Server prepareinstallation Privilege Escalation
This module attempts to gain root privileges on systems running Serv-U FTP Server versions prior to 15.1.7. The Serv-U executable is setuid root, and uses ARGV[0] in a call to system(), without validation, when invoked with the -prepareinstallation flag, resulting in command execution with root...
Nagios XI Magpie_debug.php Root Remote Code Execution
This module exploits two vulnerabilities in Nagios XI. Author: Chris Lyne (@lynerc), discovery and exploit; Guillaume André (@yaumn), Metasploit module...
Unix Command Shell, Reverse TCP SSH
Connect back and create a command shell via SSH. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Amazon Web Services IAM credential enumeration
Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all IAM credentials associated with the account. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Amazon Web Services EC2 instance enumeration
Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all EC2 instances associated with the account. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Amazon Web Services S3 instance enumeration
Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all S3 buckets associated with the account. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
WP Database Backup RCE
There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for versions < 5.2. For the backup functionality, the plugin...
Windows Escalate UAC Protection Bypass (Via SilentCleanup)
There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control the user's environment variables, %windir%...
Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution. This module requires Metasploit: https://metasploit.com/download Current...
Extract zip from Modbus communication
This module is able to extract a zip file sent through Modbus from a pcap. Tested with Schneider TM221CE16R. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Webmin Package Updates Remote Command Execution
This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges. This module requires Metasploit: https://metasploit.com/download Current source:...
Cisco Prime Infrastructure Runrshell Privilege Escalation
This module exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root. This module requires Metasploit:...
Brocade Gather Device General Information
This module collects Brocade device information and configuration. This module has been tested against an icx6430 running 08.0.20T311...
Supra Smart Cloud TV Remote File Inclusion
This module exploits an unauthenticated remote file inclusion which exists in Supra Smart Cloud TV. The media control for the device doesn't have any session management or authentication. Leveraging this, an attacker on the local network can send a crafted request to broadcast a fake video. This...
Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user to leverage the UploadServlet cla...
AppXSvc Hard Link Privilege Escalation
There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This module employs a...
Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability. This module requires Metasploit:...
Safari Webkit Proxy Object Type Confusion
This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e....
Password Cracker: Windows
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from Windows systems. LANMAN is format 3000 in hashcat. NTLM is format 1000 in hashcat. MSCASH is format 1100 in hashcat. MSCASH2 is format 2100 in hashcat. NetNTLM is format 5500 in hashcat. NetNTLMv2 ...
Password Cracker: OSX
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha512 from 10.7, and PBKDF2 from OSX 10.8+. XSHA is 122 in hashcat. XSHA512 is 1722 in hashcat. PBKDF2 (PBKDF2-HMAC-SHA512) is 7100 ...
Password Cracker: Linux
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack MD5, BSDi and DES implementations by default. However, it can also crack Blowfish and SHA256/512, but it is much slower...
Password Cracker: Webapps
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from various web applications. Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat. PHPass uses phpass which is 400 in hashcat. Mediawiki is MD5 based and is 3711 in hashcat. Apache Superset, some...
Password Cracker: AIX
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from passwd files on AIX systems. These utilize DES hashing. DES is format 1500 in Hashcat. This module requires Metasploit: https://metasploit.com/download Current source:...
Password Cracker: Databases
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from the mssqlhashdump, mysqlhashdump, postgreshashdump, or oraclehashdump modules. Passwords that have been successfully cracked are then saved as proper credentials. Due to the complexity of some of t...
LibreNMS addhost Command Injection
This module exploits a command injection vulnerability in the open source network management software known as LibreNMS. The community parameter used in a POST request to the addhost functionality is unsanitized. This parameter is later used as part of a shell command that gets passed to the pope...
FreeBSD rtld execl() Privilege Escalation
This module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution. This module has been...
Unix Command Shell, Reverse UDP (/dev/udp)
Creates an interactive shell via bash's builtin /dev/udp. This will not work on circa 2009 and older Debian-based Linux distributions including Ubuntu because they compile bash without the /dev/udp feature. This module requires Metasploit: https://metasploit.com/download Current source:...
IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution
This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells. NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset. This module requires Metasploit: https://metasploit.com/download Current source:...
Oracle Application Testing Suite WebLogic Server Administration Console War Deployment
This module abuses a feature in WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. Authentication is required; however, by default, Oracle ships with an "oats" account that you could log in with, which grants you administrator...
Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE
This module exploits a php object instantiation vulnerability that can lead to RCE in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the code insufficiently performs whitelist check which ca...
Oracle Application Testing Suite Post-Auth DownloadServlet Directory Traversal
This module exploits a vulnerability in Oracle Application Testing Suite (OATS). In the Load Testing interface, a remote user can abuse the custom report template selector, and cause the DownloadServlet class to read any file on the server as SYSTEM. Since the Oracle application contains multiple...
Mac OS X Feedback Assistant Race Condition
This module exploits a race condition vulnerability in Mac's Feedback Assistant. A successful attempt would result in remote code execution under the context of root. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86
This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling...
GetSimpleCMS Unauthenticated RCE
This module exploits a vulnerability found in GetSimpleCMS, which allows unauthenticated attackers to perform Remote Code Execution. An arbitrary file upload (PHP code, for example) vulnerability can be triggered by an authenticated user; however, authentication can be bypassed by leaking the cms API...
ptrace Sudo Token Privilege Escalation
This module attempts to gain root privileges by blindly injecting into the session user's running shell processes and executing commands by calling system, in the hope that the process has valid cached sudo tokens with root privileges. The system must have gdb installed and permit ptrace. This...
Applocker Evasion - .NET Framework Installation Utility
This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binary InstallUtil.exe to execute user supplied code. This module requires Metasploit: https://metasploit.com/download Current source:...
GTP Echo Scanner
This module sends UDP GTP (GTP-U) echo requests to the target RHOSTS and reports on which ones respond, thus identifying General Packet Radio Service (GPRS) servers. This module does not support scanning with SCTP. This module requires Metasploit: https://metasploit.com/download Current source:...
Oracle Weblogic Server Deserialization RCE - AsyncResponseService
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host. This module requires Metasploit: https://metasploit.com/download Current source:...
Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability
This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails application would use its name as the secret_key_base, which can be easily extracted by visiting an invalid resource for a path. As a result, this allows a remote user to create and deliver a signed serialized payload...
ABRT sosreport Privilege Escalation
This module attempts to gain root privileges on RHEL systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. sosreport uses an insecure temporary directory, allowing local users to write to arbitrary files (CVE-2015-5287). This module uses a symlink...
SystemTap MODPROBE_OPTIONS Privilege Escalation
This module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be specified in the...