Command Shell, Android Reverse HTTP Stager

Spawn a piped command shell sh. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Android...

Android Meterpreter, Android Reverse HTTPS Stager

Run a meterpreter server in Android. Tunnel communication over HTTPS This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include...

Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow

This module abuses a buffer overflow vulnerability to trigger a Denial of Service of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability exists in the handling of malformed log packets, with an unexpected long level field. The root cause of the vulnerability is a...

Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow

This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability exists in the service BKBCopyD.exe when handling specially crafted packets. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3. This module requires...

Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow

This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability exists in the service BKHOdeq.exe when handling specially crafted packets. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows 2003 SP2. This...

Reflective DLL Injection, Reverse HTTP Stager Proxy

Inject a DLL via a reflective loader. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 665 include Msf::Payload::Stager include Msf::Payload::Windows...

VNC Server (Reflective Injection), Reverse HTTP Stager Proxy

Inject a VNC Dll via a reflective loader staged. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 665 include Msf::Payload::Stager include...

Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy

Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModu...

HP Data Protector Backup Client Service Remote Code Execution

This module abuses the Backup Client Service OmniInet.exe to achieve remote code execution. The vulnerability exists in the EXECBAR operation, which allows to execute arbitrary processes. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2...

Safari User-Assisted Download and Run Attack

This module abuses some Safari functionality to force the download of a zipped .app OSX application containing our payload. The app is then invoked using a custom URL scheme. At this point, the user is presented with Gatekeeper's prompt: "APPNAME" is an application downloaded from the internet. A...

ALLPlayer M3U Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in ALLPlayer 5.8.1, caused by a long string in a playlist entry. By persuading the victim to open a specially-crafted .M3U file, a remote attacker could execute arbitrary code on the system or cause the application to crash. This...

MantisBT Admin SQL Injection Arbitrary File Read

Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if an attacker can gain access to administrative credentials. This vuln was fixed in 1.2.17. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework clas...

SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write

This module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista code execution...

ibstat $PATH Privilege Escalation

This module exploits the trusted $PATH environment variable of the SUID binary "ibstat". This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ibstat $PATH Privilege Escalation', 'Description' = %q...

Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow

This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player". This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8. This module requires Metasploit:...

Linux Reboot

A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 32 include...

GE Proficy CIMPLICITY gefebt.exe Remote Code Execution

This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in shared resources. An attacker can abuse this behavior to execute a malicious BCL and drop an arbitrary EXE. The last o...

Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution

This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity XXE request an attacker can reach SQL injection affected components. As xpcmdshell is enabled in the included database...

Apache Commons FileUpload and Apache Tomcat DoS

This module triggers an infinite loop in Apache Commons FileUpload 1.0 through 1.3 via a specially crafted Content-Type header. Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50 and 8.0.0-RC1 through 8.0.1...

Linksys WRT120N tmUnblock Stack Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router to reset the password of the management interface temporarily to an empty value. This module has been tested successfully on a WRT120N device with firmware version 1.0.07. This module requires Metasploi...

Windows Command Shell, Hidden Bind TCP Inline

Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not coming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode. This module requires Metasploit:...

Windows Gather Group Policy Preference Saved Passwords

This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsofts public AES key. Cached Group Policy files may be found on end-user devices ...

Linksys E-Series TheMoon Remote Command Injection

Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command injection. This vulnerability was used from the so-called "TheMoon" worm. There are many Linksys systems that are potentially vulnerable, including E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000,...

Firefox Exec Shellcode from Privileged Javascript Shell

This module allows execution of native payloads from a privileged Firefox Javascript shell. It places the specified payload into memory, adds the necessary protection flags, and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter session without touching the...

Audiotran PLS File Stack Buffer Overflow

This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4. An attacker must send the file to victim and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser when the PLS extension is registered to...

Sub Encoder (optimised)

Encodes a payload using a series of SUB instructions and writing the encoded value to ESP. This concept is based on the known SUB encoding approach that is widely used to manually encode payloads with very restricted allowed character sets. It will not reset EAX to zero unless absolutely necessar...

VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager

Inject a VNC Dll via a reflective loader staged. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. This module requires Metasploit: https://metasploit.com/download Current source:...

Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager

Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. This module requires Metasploit: https://metasploit.com/download Current source:...

Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager

Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. This module requires Metasploit:...

Android Browser and WebView addJavascriptInterface Code Execution

This module exploits a privilege escalation issue in Android 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and...

Dexter (CasinoLoader) SQL Injection

This module exploits a vulnerability found in the command and control panel used to control Dexter Point of Sale malware. This is done by accessing the PHP page used by bots to report in gateway.php which does not sanitize input. Input is encrypted and encoded, but the key is supplied by the bot...

Easy CD-DA Recorder PLS Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry. By persuading the victim to open a specially-crafted PLS file, a remote attacker can execute arbitrary code on the system or cause the application to cras...

Windows TrackPopupMenuEx Win32k NULL Page

This module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This module has been tested successfully on Windows 7 SP0 and Windows 7 SP1. This module requires Metasploit: https://metasploit.com/downlo...

Powershell Base64 Command Encoder

This encodes the command as a base64 encoded command for powershell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework include Msf::Post::Windows class MetasploitModule 'Powershell Base64 Command Encoder', 'Description'...

Windows Command Shell, Reverse TCP (via Powershell)

Connect back and create a command shell via Powershell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 1588 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions...

MediaWiki Thumb.php Remote Command Execution

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the...

KingScada kxClientDownload.ocx ActiveX Remote Code Execution

This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada. The ProjectURL property can be abused to download and load arbitrary DLLs from arbitrary locations, leading to arbitrary code execution, because of a dangerous usage of LoadLibrary. Due to the natu...

Kloxo SQL Injection and Remote Code Execution

This module exploits an unauthenticated SQL injection vulnerability affecting Kloxo, as exploited in the wild on January 2014. The SQL injection issue can be abused in order to retrieve the Kloxo admin cleartext password from the database. With admin access to the web control panel, remote PHP co...

PocketPAD Login Bruteforce Force Utility

This module scans for PocketPAD login portal, and performs a login bruteforce attack to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PocketPAD Login Bruteforce...

DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials

This module will extract user credentials from DoliWamp - a WAMP packaged installer distribution for Dolibarr ERP on Windows - versions 3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session tokens in filenames in the 'tmp' directory. A directory traversal vulnerability in...

Windows Command Shell Upgrade (Powershell)

This module executes Powershell to upgrade a Windows Shell session to a full Meterpreter session. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Command Shell Upgrade Powershell',...

Windows Gather SmarterMail Password Extraction

This module extracts and decrypts the sysadmin password in the SmarterMail 'mailConfig.xml' configuration file. The encryption key and IV are publicly known. This module has been tested successfully on SmarterMail versions 10.7.4842 and 11.7.5136. This module requires Metasploit:...

SkyBlueCanvas CMS Remote Code Execution

This module exploits an arbitrary command execution vulnerability in SkyBlueCanvas CMS version 1.1 r248-03 and below. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SkyBlueCanvas CMS Remote Co...

Apache Tomcat Manager Authenticated Upload Code Execution

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on...

Oracle Forms and Reports Remote Code Execution

This module uses two vulnerabilities in Oracle Forms and Reports to get remote code execution on the host. The showenv url can be used to disclose information about a server. A second vulnerability that allows arbitrary reading and writing to the host filesystem can then be used to write a shell...

DNS Amplification Scanner

This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

Pandora FMS Remote Code Execution

This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower. It will leverage an unauthenticated command injection in the Anyterm service on port 8023/TCP. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1 the user "artica" is not assigned a password by...

A10 Networks AX Loadbalancer Directory Traversal

This module exploits a directory traversal flaw found in A10 Networks Soft AX Loadbalancer version 2.6.1-GR1-P5/2.7.0 or less. When handling a file download request, the xml/downloads class fails to properly check the 'filename' parameter, which can be abused to read any file outside the virtual...

ManageEngine Support Center Plus Directory Traversal

This module exploits a directory traversal vulnerability found in ManageEngine Support Center Plus build 7916 and lower. The module will create a support ticket as a normal user, attaching a link to a file on the server. By requesting our own attachment, it's possible to retrieve any file on the...

Apache Struts 2 Developer Mode OGNL Execution

This module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This...