Hashicorp Consul Remote Command Execution via Services API

This module exploits Hashicorp Consul's services API to gain remote command execution on Consul nodes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Hashicorp Consul Remote Command Execution...

Hashicorp Consul Remote Command Execution via Rexec

This module exploits a feature of Hashicorp Consul named rexec. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Hashicorp Consul Remote Command Execution via Rexec", 'Description' = %q This...

Serve DLL via webdav server

This module simplifies the rundll32.exe Application Whitelisting Bypass technique. The module creates a webdav server that hosts a dll file. When the user types the provided rundll32 command on a system, rundll32 will load the dll remotly and execute the provided export function. The export...

OS X Display Apple VNC Password

This module shows Apple VNC Password from Mac OS X High Sierra. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OS X Display Apple VNC Password', 'Description' = %q This module shows Apple VNC...

Apache Spark Unauthenticated Command Execution

This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API. It uses the function CreateSubmissionRequest to submit a malious java class and trigger it. This module requires Metasploit: https://metasploit.com/download Curre...

cgit Directory Traversal

This module exploits a directory traversal vulnerability which exists in cgit 'cgit Directory Traversal', 'Description' = %q This module exploits a directory traversal vulnerability which exists in cgit 'CVE', '2018-14912', 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627',...

Windows Net-NTLMv2 Reflection DCOM/RPC

Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token. This module requires Metasploit:...

Microsoft Windows Defender Evasive Executable

This module allows you to generate a Windows EXE that evades against Microsoft Windows Defender. Multiple techniques such as shellcode encryption, source code obfuscation, Metasm, and anti-emulation are used to achieve this. For best results, please try to use payloads that use a more secure...

Path Traversal in Oracle GlassFish Server Open Source Edition

This module exploits an unauthenticated directory traversal vulnerability which exists in administration console of Oracle GlassFish Server 4.1, which is listening by default on port 4848/TCP. This module requires Metasploit: https://metasploit.com/download Current source:...

Java JMX Server Insecure Endpoint Code Execution Scanner

Detect Java JMX endpoints This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/java/serialization' class MetasploitModule 'Java JMX Server Insecure Endpoint Code Execution Scanner', 'Description' = 'Detect Jav...

Cisco ASA Directory Traversal

This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance ASA software and Firepower Threat Defense FTD software. It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users. This module requires Metasploi...

IEC104 Client Utility

This module allows sending 104 commands. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IEC104 Client Utility', 'Description' = %q This module allows sending 104 commands. , 'Author' = 'Michae...

SMB Login Check Scanner

This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. This module requires Metasploit: https://metasploit.com/downloa...

WordPress Responsive Thumbnail Slider Arbitrary File Upload

This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "WordPre...

PhpMyAdmin Login Scanner

This module will attempt to authenticate to PhpMyAdmin. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/loginscanner/phpmyadmin' require 'metasploit/framework/credentialcollection' class...

Dicoogle PACS Web Server Directory Traversal

This module exploits an unauthenticated directory traversal vulnerability in the Dicoogle PACS Web Server v2.5.0 and possibly earlier, allowing an attacker to read arbitrary files with the web server privileges. While the application is java based, the directory traversal was only successful...

VLC Media Player MKV Use After Free

This module exploits a use after free vulnerability in VideoLAN VLC = 'VLC Media Player MKV Use After Free', 'Description' = %q This module exploits a use after free vulnerability in VideoLAN VLC = 2.2.8. The vulnerability exists in the parsing of MKV files and affects both 32 bits and 64 bits. I...

Vtiger CRM - Authenticated Logo Upload RCE

Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against vTiger CRM v6.3.0. This module...

CMS Made Simple Authenticated RCE via File Upload/Copy

CMS Made Simple allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory. This module has been successfully tested on CMS Made Simple versions 2.2.5 and 2.2.7. This module...

rc.local Persistence

This module will edit /etc/rc.local in order to persist a payload. The payload will be executed on the next reboot. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'rc.local Persistence',...

Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability

This module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kerneles, resulting in unexpected behavior for DB excpetions that are deferred by MOV SS or POP SS...

Axis Network Camera .srv-to-parhand RCE

This module exploits an auth bypass in .srv functionality and a command injection in parhand to execute code as the root user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Axis Network Camer...

QNAP Q'Center change_passwd Command Execution

This module exploits a command injection vulnerability in the changepasswd API method within the web interface of QNAP Q'Center virtual appliance versions prior to 1.7.1083. The vulnerability allows the 'admin' privileged user account to execute arbitrary commands as the 'admin' operating system...

IPTABLES rules removal

This module will be applied on a session connected to a shell. It will remove all IPTABLES rules. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IPTABLES rules removal', 'Description' = %q Thi...

Native DNS Spoofing module

This module will be applied on a session connected to a shell. It will redirect DNS Request to remote DNS server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Native DNS Spoofing module',...

Docker Server Version Scanner

This module attempts to identify the version of a Docker Server running on a host. If you wish to see all the information available, set VERBOSE to true. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

phpMyAdmin Authenticated Remote Code Execution

phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code by application. The module has been tested with phpMyAdmin v4.8.1. This module requires Metasploit: https://metasploit.com/download Current source:...

HP VAN SDN Controller Root Command Injection

This module exploits a hardcoded service token or default credentials in HPE VAN SDN Controller 'HP VAN SDN Controller Root Command Injection', 'Description' = %q This module exploits a hardcoded service token or default credentials in HPE VAN SDN Controller = 2.7.18.0503 to execute a payload as...

SonicWall Global Management System XMLRPC set_time_zone Unauth RCE

This module exploits a vulnerability in SonicWall Global Management System Virtual Appliance versions 8.1 Build 8110.1197 and below. This virtual appliance can be downloaded from http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a holistic way to manage your entire network security...

MicroFocus Secure Messaging Gateway Remote Code Execution

This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the application without input...

GitList v0.6.0 Argument Injection Vulnerability

This module exploits an argument injection vulnerability in GitList v0.6.0. The vulnerability arises from GitList improperly validating input using the php function 'escapeshellarg'. This module requires Metasploit: https://metasploit.com/download Current source:...

Wordpress Arbitrary File Deletion

An arbitrary file deletion vulnerability in the WordPress core allows any user with privileges of an Author to completely take over the WordPress site and to execute arbitrary code on the server. This module requires Metasploit: https://metasploit.com/download Current source:...

ManageEngine Exchange Reporter Plus Unauthenticated RCE

This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus 'ManageEngine Exchange Reporter Plus Unauthenticated RCE', 'Description' = %q This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus MSFLICENSE, 'Author' =...

Boxoft WAV to MP3 Converter v1.1 Buffer Overflow

This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1. By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode. This module requires...

Monstra CMS Authenticated Arbitrary File Upload

MonstraCMS 3.0.4 allows users to upload Arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against MonstraCMS 3.0.4. This module...

FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow

This module exploits a buffer overflow in the FTPShell client 6.70 Enterprise edition allowing remote code execution. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FTPShell client 6.70...

HTTP SickRage Password Leak

SickRage 'HTTP SickRage Password Leak', 'Description' = %q SickRage 'Sven Fassbender', EDB POC 'Shelby Pace' Metasploit Module , 'License' = MSFLICENSE, 'References' = 'CVE', '2018-9160', 'EDB', '44545' , 'DisclosureDate' = '2018-03-08' registeroptions OptString.new'TARGETURI', true, 'Optional pa...

Quest KACE Systems Management Command Injection

This module exploits a command injection vulnerability in Quest KACE Systems Management Appliance version 8.0.318 and possibly prior. The downloadagentinstaller.php file allows unauthenticated users to execute arbitrary commands as the web server user www. A valid Organization ID is required. The...

Pseudo-Shell Post-Exploitation Module

This module will run a Pseudo-Shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'readline' class MetasploitModule Msf::Post include Msf::Post::File include Msf::Post::Unix include Msf::Post::Linux::System...

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system depended on what is overwritten The exploit support only x64 target Tested on: - Windows 2012 R2 x64 - Windows 8.1 x64 - Windows 10 Pro Build 10240 x64 - Windows 10 Enterprise...

Httpdasm Directory Traversal

This module allows for traversing the file system of a host running httpdasm v0.92. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Httpdasm Directory Traversal', 'Description' = %q This module...

phpMyAdmin Authenticated Remote Code Execution

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the pregreplace aka eval modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table...

Multi Manage the screensaver of the target computer

This module allows you to turn on or off the screensaver of the target computer and also lock the current session. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Manage the screensaver o...

Open a file or URL on the target computer

This module will open any file or URL specified with the URI format on the target computer via the embedded commands such as 'open' or 'xdg-open'. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

Linux Command Shell, Reverse TCP Inline (IPv6)

Connect back to attacker and spawn a command shell over IPv6 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 158 include Msf::Payload::Single include...

Linux Meterpreter, Reverse TCP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1061912 include...

Linux Meterpreter, Reverse HTTP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1516524 include...

Linux Meterpreter, Reverse HTTPS Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1516524 include...

Linux Meterpreter, Reverse HTTP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1061912 include...

Linux Meterpreter, Reverse TCP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1516524 include...